17Nis
Watering Hole Website NTLM Steal Attack
I'm trying to recreate a Watering hole SMB theft attack where you send a victim a link to your website containing code like file://ip/file.gif.
Causing forced authentication which passes the NTLM hash.
I have the code which executes the process (check reference links).
But how can I retrieve/steal the NTLM hash back over the internet remotely without being on the local network?
This process can be done locally very easily but I'm struggling with finding an NTLM listener to use over the internet remotely on a website.
References:
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/leafminer-espionage-middle-east
- https://blog.lumen.com/newly-discovered-watering-hole-attack-targets-ukrainian-canadian-organizations/
- https://unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting/
