While I am at it anyway; #Phishing meets #SMB: Exploiting network trust to capture #NTLM hashes (#pentesting fun)
One effective phishing method leverages SMB connections to capture #NetNTLM hashes for offline #cracking, providing attackers with credentials for the next phase (for example social engineering or other tech attacks). Oh; BIT B.V. (bit.nl) did send my a set of abuse mails, … sorry 😆 … but very nice and thx 🙏🏼, anyway;
Exploit Path: Initial Phishing Vector: The attack starts with a phishing email or download website or something something, containing a payload (e.g., a malicious document or shortcut file, whatever, choose your poison).
The payload initiates an SMB request to the attacker-controlled server (`\\<C2IP>\share`), tricking the victim’s system into authenticating with it. Modern browsers like edge won’t fly; you need to get a bit more creative to execute this and no it’s not a hyperlink. Think Java. Or macro (although; meh).
Then we have SMB Request Redirection: Tools like Responder on the attacker’s C2 server capture NetNTLMv2 hashes during these authentication attempts. This works over IPv4 and IPv6, with IPv6 often prioritized in networks and less monitored. Hence #mitm6. But that’s another story.
Captured hashes are cracked offline using tools like #Hashcat, potentially giving credentials for further attacks. It’s also an excuse for my new RTX 5090 card. 😉
Observations from recent penetration tests where I executed this attack;
-Firewall Rules: not excisting … at all. 🥹
Many environments have outbound 'any-any' rules on firewalls, even on critical nets like Citrix farms. This unrestricted outbound traffic allows SMB authentication requests to reach attacker-controlled servers on the internet. And there is something with remote workers and open internet access lately…
-#Azure and #2FA Gaps, here we go again (see https://lnkd.in/g2ctMEDG); 2FA exclusions are another common issue:
- Trusted locations (e.g., `192.168.x.x` or specific IP ranges) configured to bypass 2FA/MFA.. intended to improve usability, such exclusions can be exploited once an attacker gains access to these "trusted" locations; simply put a VM inside a 192.168 range and chances are…. Good.
These misconfigurations reduce the effectiveness of otherwise robust security measures like MFA and firewall segmentation, giving attackers unnecessary opportunities.
The Takeaway: Attackers thrive on overlooked gaps in configuration. Whether it's outbound "any-any" firewall rules or MFA bypasses for trusted locations, these lapses provide unnecessary pathways for compromise. By combining phishing, SMB exploitation, and tools like Responder, we can target foundational weaknesses in even hybrid environments. I’ve seen soc’s only respond after mission target; because most are monitoring just on the endpoint (EDR/XDR), poorly.
#CyberSecurity #Phishing #SMB #NTLM #MFA #FirewallSecurity #infosec
The meme is absolutely intended as shitposting. Sorry 🤣
