Question - In a controlled corporate environment with DLP solutions monitoring the HTTP and Email traffic, how would you perform data exfiltration during a Red Team Pentest? ‘One’ of the answers would be to use social networking sites, let’s look at Facebook in this post. Data exfiltration using Facebook (FB) and the like is nothing new. There have been various instances where these networks have been used as C&C, data receivers etc.
This issue has been fixed on Windows 8+ as part of MS16-112 issued in September 2016. I haven’t checked this on a Windows 7 machine which isn’t listed on the Microsoft page.
The basic theory behind the attack is the same as @mubix’s discovery - if you connect a network interface to a Windows system and have the Responder tool poisoning the network, you can obtain the hashes (NTLM responses) from the machine without any user intervention. This works even with the computer in a locked state.
In my scenario, I’m using a rogue Open WiFi network to grab the hashes. The result is the same and at times, I had better results than plugging in a Pi Zero. The Responder tool captures the hashes which can then be cracked using tools like hashcat.
In the previous post, a Raspberry Pi Zero was modified to capture hashes (or rather NTLMv2 responses from the client).
Let’s see how hashcat can be used to crack these responses to obtain the user password. I will be using dictionary based cracking for this exercise on a Windows system.
Update: CVE-2016-3302 / MS16-112 patch was released by Microsoft to fix the issue.
This post is an extension to Rob Fuller’s (@mubix) work - https://room362.com/post/2016/snagging-creds-from-locked-machines/ to see how a Raspberry Pi Zero can be used for credential snagging. All credits go to @mubix for the original research. It is recommended to read mubix’s post (if you haven’t already!) before proceeding.
This is a Python code snippet to retrieve the latest tweet from a user by making use of the Twitter developer API.