While I am at it anyway; #Phishing meets #SMB: Exploiting network trust to capture #NTLM hashes (#pentesting fun)
One effective phishing method leverages SMB connections to capture #NetNTLM hashes for offline #cracking, providing attackers with credentials for the next phase (for example social engineering or other technical attacks). Oh; BIT B.V. (bit.nl) did send me a set of abuse mails … sorry … but very nice and thx, anyway;
Exploit Path: Initial Phishing Vector: The attack starts with a phishing email or download website or something something, containing a payload (e.g., a malicious document or shortcut file, whatever, choose your poison).
The payload initiates an SMB request to the attacker-controlled server (`\\<C2IP>\share`), tricking the victim's system into authenticating with it. Modern browsers like Edge won't fly; you need to get a bit more creative to execute this and no, it's not a hyperlink. Think Java. Or macro (although; meh).
Then we have SMB Request Redirection: Tools like Responder on the attacker's C2 server capture NetNTLMv2 hashes during these authentication attempts. This works over IPv4 and IPv6, with IPv6 often prioritized in networks and less monitored. Hence #mitm6. But that's another story.
Captured hashes are cracked offline using tools like #Hashcat, potentially giving credentials for further attacks. It's also an excuse for my new RTX 5090 card.
Observations from recent penetration tests where I executed this attack:
- Firewall Rules: not existing … at all.
Many environments have outbound 'any-any' rules on firewalls, even on critical nets like Citrix farms. This unrestricted outbound traffic allows SMB authentication requests to reach attacker-controlled servers on the internet. And there is something with remote workers and open internet access lately…
- #Azure and #2FA Gaps, here we go again (see https://lnkd.in/g2ctMEDG); 2FA exclusions are another common issue:
- Trusted locations (e.g., `192.168.x.x` or specific IP ranges) configured to bypass 2FA/MFA. Intended to improve usability, such exclusions can be exploited once an attacker gains access to these "trusted" locations; simply put a VM inside a 192.168 range and chances are… good.
These misconfigurations reduce the effectiveness of otherwise robust security measures like MFA and firewall segmentation, giving attackers unnecessary opportunities.
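As an added defender-side illustration (my own example, not part of the original post or any tool mentioned in it): a small Python check that parses constructed outbound firewall log lines and flags allowed SMB connections (TCP 445/139) from internal addresses to destinations outside an assumed internal address plan (RFC 1918 plus IPv6 ULA). That is exactly the traffic an 'any-any' egress rule lets reach an attacker-controlled server; the log format, address plan and sample lines are all assumptions.

```python
import ipaddress
import re

# Constructed sample of outbound firewall log lines (hypothetical format, not any real product's)
SAMPLE_LOG = """\
2024-05-01T10:02:11Z ALLOW src=10.20.30.41 dst=203.0.113.77 proto=tcp dport=445
2024-05-01T10:02:15Z ALLOW src=10.20.30.41 dst=10.20.1.5 proto=tcp dport=445
2024-05-01T10:03:02Z ALLOW src=10.20.30.52 dst=198.51.100.9 proto=tcp dport=443
2024-05-01T10:04:40Z ALLOW src=10.20.30.52 dst=198.51.100.9 proto=tcp dport=139
2024-05-01T10:05:01Z DENY src=10.20.30.60 dst=203.0.113.77 proto=tcp dport=445
2024-05-01T10:06:12Z ALLOW src=192.168.5.10 dst=2001:db8::1 proto=tcp dport=445
"""

# Assumed internal address plan (RFC 1918 plus IPv6 ULA); replace with the real one.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$")

def is_internal(addr: str) -> bool:
    """True if addr falls inside the assumed internal address plan (v4 or v6)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev

def is_outbound_smb(ev: dict) -> bool:
    """SMB over TCP from an internal source to a destination outside the plan."""
    return (ev["proto"].lower() == "tcp" and ev["dport"] in SMB_PORTS
            and is_internal(ev["src"]) and not is_internal(ev["dst"]))

def find_leaks(log_text: str) -> list:
    """Return the ALLOWed outbound SMB events: what an 'any-any' egress rule lets out."""
    leaks = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["action"] == "ALLOW" and is_outbound_smb(ev):
            leaks.append(ev)
    return leaks
```

Internal-to-internal SMB on 445 is deliberately not flagged; the signal is SMB leaving the address plan, which a correct egress rule would block and which should also be alerted on as a likely hash-capture attempt.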
The Takeaway: Attackers thrive on overlooked gaps in configuration. Whether it's outbound "any-any" firewall rules or MFA bypasses for trusted locations, these lapses provide unnecessary pathways for compromise. By combining phishing, SMB exploitation, and tools like Responder, we can target foundational weaknesses in even hybrid environments. I've seen SOCs only respond after mission target; because most are monitoring just on the endpoint (EDR/XDR), poorly.
#CyberSecurity #Phishing #SMB #NTLM #MFA #FirewallSecurity #infosec
The meme is absolutely intended as shitposting. Sorry