blackMORE Ops Learn one trick a day ….
In this article Masschelein Steven shows how to hack Windows PC by backdooring it to get NTLMv2 hash and thus getting Windows password. Masschelein written the following description regarding this vulnerability and exploit:
I’ve made this article because some of my coworkers don’t realize how much damage you can do if you crack the wireless network.
I’ve made this article a long time ago but since the recent update to Kali 2.0 I’ve had to make some changes. You now can execute it in 2 ways. I prefer the second part from number 4.
The basic is, I’ve made a vbs script that calls netcat and makes a backdoor on a victim PC. I’ve masked the netcat exe and the vbs script by making executable file. I’m doing a man in the middle attack with mitmf and using beef to hook the victims browser. If we get a hooked browser then we send the executable through a fake notification bar. If the victim then executes the executable we now have a netcat backdoor. 
The second attack is based on the same principle, do a man in the middle attack with mitmf and send an executable with beef. this time it’s a little different. I’ve had to tweak the python script from mitmf so that the samba server doesn’t start. I’ve made a share on my attacker machine that grands everyone access to that share, then we start wireshark to get the NTLMv2 hash. Then again the victim browses the internet we send a fake notification bar. The victim runs our exe and we have again a netcat backdoor. Then we make a network share to our shared folder via the command prompt we got. Then we stop the wireshark capture. We make a new folder in the %APPDATA% folder to copy our second executable file that we have placed in our shared folder. Then if the file is copied we make it auto-start on startup so that we have a persistence backdoor. As final attack we connect to our network share, we execute the program procdump so that we have a memory dump of the LSASS and disconnect the network drive.
The we load the mini-dump in mimikatz and we have the plaintext password.
We also can get the NTLMv2 hash from wireshark witch is also explained in the document.
I’ve tried to make is as short as possible. If you have any questions about it or if something is’t clear feel free to contact me.
It’s possible that there are some spelling errors my native language is Dutch :).
Netcat backdoor and NTLMv2 hash> This is a user submitted post that explains in great length on backdooring a PC and getting Windows password & NTLMv2 hash. If you are interested, download a copy of the PDF file for references from the link below. Submission details added in the next section.
Submitter Name: Masschelein Steven
Email Address: removed@somedomain
Headline: Backdooring a PC and getting Windows password & NTLMv2 hash
URL: https://dl.dropboxusercontent.
VirusScan results:
Feel free to double-check before downloading this file. You can submit your own articles via Submit Articles section.
Nice post sir. it has really helped me. Thanks alot
could you give more information about how you made the first script that ‘writes a text file to network share’? I don’t really understand what you mean by this..
Link is off, please fix it :)