美国哥伦比亚安全研究员胡安·迭戈在五月份向微软报告了NTLM身份验证的漏洞。允许攻击者窃取Windows NTLM哈希而不需要与用户交互。攻击者需要特殊的Shell命令文件放在Windows无密码保护的默认共享文件夹中，结合渗透方法就可以利用。目前，微软已在10月10日修补该漏洞。 [出自:jiwo.org]

Microsoft fixed a serious vulnerability that could allow attackers to steal Windows NTLM password hashes without any user interaction.

The tech giant patched the issues only for recent versions Windows (Windows 10 and Server 2016), to trigger the flaw the attacker just needs to do is to place a specially crafted Shell Command File (SCF file) inside publicly accessible Windows folders.

Once the attacker has placed the file in the folder, it executes due to the security issue, gathers the machine NTLM password hash, and sends it back to the attacker’s server.

Then the attacker can easily crack the NTLM password hash to access the victim’s computer. The hack was reported to Microsoft in May by the Columbian security researcher Juan Diego.

“It is a known issue that Microsoft NTLM architecture has some failures, hash stealing is not something new, it is one of the first things a pentester tries when attacking a Microsoft environment. But, most of these techniques require user intervention or traffic interception to fulfill the attack.” wrote Juan Diego.

“These new attacks require no user interaction, everything is done from the attacker’s side, but of course, there are some conditions that need to be met to be successful with this attack.”

Older Windows versions remain vulnerable because the registry modifications are not compatible with older versions of the Windows Firewall.

“Accordingly to Microsoft, all Windows versions since 3.11 till Windows 10, Desktop and server are vulnerable to this kind of attack.” explained Diego.

“Honestly, I have only tested on Windows 7 and Windows 10, then I passed the ball to Microsoft 暂无