NHASTIE

NTLM HTTP Authentication Session Tier Exploit

NHASTIE is a lightweight Proof of Concept tool that exploits NTLM HTTP authentication in web applications. Once a victim issues an HTTP request to this tool, the attacker can connect to NHASTIE and surf the vulnerable NTLM HTTP web application using the victim's identity!

Developed by Oren Ofer of Hacktics ASC

---

Requirements:

• NHASTIE requires Java 1.7.x

How Does it Work?

NTLM HTTP authentication is based on a TCP connection, i.e. the connection is the session (I call it "ConSessions"). In order to exploit this fact here is what NHASTIE does:

1. The tool creates a single TCP socket which will be used to transfer all communication to and from the target web application, and stands by (listening) for a victim.
2. A victim issues an HTTP request to the tool and the tool forwards the HTTP request to the designated web application.
3. The Web application replies with a demand to authenticate using NTLM, the tool forwards the response to the victim.
4. The victim automatically responds with a valid NTLM authentication, which is forwarded by the tool the web application by the same TCP socket.
5. The web application treats all future incoming HTTP requests from this TCP socket as authenticated by the victim.
6. The attacker connects to the tool using a browser, and surfs the vulnerable web application using the victim's identity!

Can Attackers Make Victims Connect to this Tool?

Yes, and in numerous ways, for example:

1. Asking - Be nice :)
2. Phishing - Luring users to use a link HTTP/UNC/SMB
3. Open of template based word, a .lnk file or access a share with desktop.ini file
4. Using web application attacks - XSS, CSRF, etc.
5. Forcing with MITM

Several instances that will trigger NTLM automatic submission in a Windows environment:

1. Browsers automatically send NTLM when needed to cached web application with Intranet URL and some (e.g. default Internet Explorer) will send it even to non-cached intranet sites.
2. Use template based word this will trigger SMB communication with NTLM.
3. Use XXE on servers
4. Use SQL Injection techniques

Quick PoC Instructions:

1. Locate a web application which requires NTLM authentication
2. Launch NHASTIE with the following command on the attacker's machine:
   java -jar -t {Target IP or Hostname} -p {Target Port} -l {listen port} {-ssl optional}
3. Lure/Phish/Spoof/Trick/MITM/XSS/CSRF the victims browser to connect to NHASTIE server using regular HTTP* (NHASTIE does SSL Stripping)
4. Open a browser, connect to NHASTIE, and surf in the web application with the victim's session.

* It is possible to execute to combine this attack with cross protocols

Developers

NHASTIE is developed and maintained by Oren Ofer (@oren1ofer).

Latest Version Changes

Version 1.2

1. Built in support for SSL: use flag -ssl when needed
2. Some bug fixes

Copyright

NHASTIE - NTLM HTTP Authentication Session Tier Exploit.

Copyright (C) 2014, Hacktics ASC, Ernst & Young.

Licensed under the Apache License, Version 2.0 (the "License");

you may not use this file except in compliance with the License.

You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software

distributed under the License is distributed on an "AS IS" BASIS,

WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

See the License for the specific language governing permissions and

limitations under the License.