Discover how PDF files can be weaponized to automatically leak Windows user NTLM hashes without user interaction or exploitation. Explore the basic structure of PDF files, focusing on the Dictionary object where the vulnerability lies. Learn about a proof of concept that injects malicious code into benign PDF files, causing NTLM hash leaks upon opening. Understand the impact of this attack by examining captured NTLM hashes on remote SMB servers and the process of cracking them to retrieve original passwords. Gain insights into the Microsoft NTLM authentication protocol, its continued use in supporting older systems, and how it can be exploited beyond Microsoft Office and Windows OS internal functions.
Overview
Syllabus
GPN19 - BADPDF – Stealing Windows Credentials via PDF Files
Taught by
media.ccc.de