
Get all NetNTLM Hashes via Different zero-click Methodologies from LLMNR Poisoning


koparmalbaris/NTLM-Dementor


NTLM-Dementor


Attack Scenario

After finding shared folders with "write" permissions on the network, the zero-click LLMNR Poisoning file or files are copied to those shared folders. In this way, the NTLM hashes of all users who open the relevant shared folders can be captured.

There is a TR blog post for this Zero-Click LLMNR Poisoning methodology.

Windows Shortcut (.LNK) Files Zero-Click LLMNR Poisoning Scenario

[Image: NTLM-Dementor-LNK]

Search Connector (.searchConnector-ms) Files Zero-Click LLMNR Poisoning Scenario

[Image: search-ms]

Weaponization

Windows Shortcut (.LNK) Files

Download the NTLM-Dementor-LNK.ps1 file and change the AttackerIP. Then execute the PowerShell script.

.\NTLM-Dementor-LNK.ps1

Search Connector (.searchConnector-ms) Files

Download NTLM-Dementor-searchConnector-ms.txt file and change file extension to .NTLM-Dementor.searchConnector-ms

rename NTLM-Dementor-searchConnector-ms.txt .NTLM-Dementor.searchConnector-ms

Windows Library (.library-ms) Files

Download NTLM-Dementor-library-ms.txt file and change file extension to .NTLM-Dementor.library-ms

rename NTLM-Dementor-library-ms.txt .NTLM-Dementor.library-ms

URL (.URL) Files

Download NTLM-Dementor-URL.txt file and change file extension to .NTLM-Dementor.url

rename NTLM-Dementor-URL.txt .NTLM-Dementor.url

Shell Command (.SCF) Files

Download NTLM-Dementor-SCF.txt file and change file extension to .NTLM-Dementor.scf

rename NTLM-Dementor-SCF.txt .NTLM-Dementor.scf

Mitigation

[Image: mitigation3]
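A defender-side check for the scenario above, as an added example that is not part of the NTLM-Dementor repository: it walks a share for the file types listed on this page and reports any that reference a UNC host outside an allowlist. The function name, its parameters and the `\\fileserver01\public` path are hypothetical.

```powershell
# Added example: triage a share for shell-parsed files that reference a remote host.
# Find-RemoteRefFile, $Root, $AllowedHosts and \\fileserver01\public are hypothetical names.
function Find-RemoteRefFile {
    param(
        [Parameter(Mandatory)] [string] $Root,   # share or folder to audit
        [string[]] $AllowedHosts = @()           # servers that may legitimately be referenced
    )
    # File types listed on this page
    $extensions = '.lnk', '.scf', '.url', '.library-ms', '.searchconnector-ms'
    # UNC prefix \\host\ ; '@' also covers WebDAV forms such as \\host@80\
    $unc    = [regex]'\\\\([A-Za-z0-9._@-]+)\\'
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)   # 1 byte -> 1 char, lossless

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $file = $_
            try   { $bytes = [System.IO.File]::ReadAllBytes($file.FullName) }
            catch { Write-Warning "Cannot read $($file.FullName)"; return }
            # Dropping NUL bytes folds UTF-16LE strings (used inside .lnk) into plain ASCII
            $text  = $latin1.GetString($bytes).Replace([string][char]0, '')
            $hosts = $unc.Matches($text) |
                ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() } |
                Sort-Object -Unique |
                Where-Object { $AllowedHosts -notcontains $_ }
            if ($hosts) {
                [pscustomobject]@{
                    Path        = $file.FullName
                    Owner       = (Get-Acl -LiteralPath $file.FullName).Owner
                    LastWrite   = $file.LastWriteTime
                    RemoteHosts = $hosts -join ', '
                }
            }
        }
}

# Hypothetical share and allowlist
Find-RemoteRefFile -Root '\\fileserver01\public' -AllowedHosts 'fileserver01' |
    Format-Table -AutoSize
```

Legitimate shortcuts to internal file servers also match, so put those servers in `-AllowedHosts` and review what remains, starting with files whose names begin with a dot or whose owner is unexpected.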
