Authentication Coercion | Core Security

This module exploits a high-severity vulnerability in Windows File Explorer. The exploit works by creating a specially crafted .lnk (shortcut) file that, when placed in a folder viewed by a victim, forces the system to automatically connect to an attacker-controlled SMB server. This connection happens without any user interaction and results in the victim's NTLM hash being sent to the attacker. It is possible to use tools like "John the Ripper" to attempt decrypting the original password associated with the hash.

This exploit leverages an information disclosure vulnerability in Microsoft Windows. By crafting a malicious .library-ms file, an attacker can coerce authentication to an untrusted server and steal NTLMv2 hashes. This exploit does not install an agent, it manages to obtain the NTLMv2 hash of a legitimate user. It is possible to use tools like "John the Ripper" to attempt decrypting the original password associated with the hash.

This exploit leverages an Information Disclosure vulnerability in Microsoft Office. By sending an email with a specially crafted link, an attacker can coerce authentication to an untrusted server and steal NTLM hashes. The link points to an HTTP server. When the client opens it in a browser, if the user is on the trusted list, it connects to the HTTP server and obtains the NTLM user hashes. This exploit does not install an agent, it manages to obtain the NTLM hash of a legitimate user. It is possible to use tools like "John the Ripper" to attempt decrypting the original password associated with the hash.

This exploit leverages an Information Disclosure vulnerability in Microsoft Outlook. By sending a mail crafting a malicious path and using the "img src" tag, an attacker can coerce authentication to an untrusted server and steal NTLM hashes. The link points to an SMB server. When the client opens Outlook, if the user is on the trusted list, without clicking, it connects to the SMB server and obtains the NTLM user hashes. In case the user is not on the trusted user list, in order to exploit the vulnerability, the client must click on the attached link. This exploit does not install an agent, it manages to obtain the NTML hash of a legitimate user. It is possible to use tools like "John the Ripper" to attempt decrypting the original password associated with the hash.

This exploit leverages an Information Disclosure vulnerability in Microsoft Outlook. By sending a mail crafting a malicious path, an attacker can coerce authentication to an untrusted server and steal NTLM hashes. This exploit does not install an agent, it manages to obtain the NTML hash of a legitimate user.

This exploit leverages an Information Disclosure vulnerability in Microsoft WordPad. The vulnerability is associated with legacy functionality to convert an OLE 1 storage object (OLESTREAM) to the new IStorage format. By crafting a file with a malicious OLE 1 LinkedObject, an attacker can coerce authentication to an untrusted server and steal NTLM hashes. This exploit does not install an agent, it manages to obtain the NTML hash of a legitimate user.

Subscribe to Authentication Coercion

Privacy Policy

Cookie Policy

Terms of Service

Accessibility

Impressum