https://github.com/d1se0/cve-2024-21413-vulnerabilidad-outlook-lab
# CVE-2024-21413 – Outlook LAB Vulnerability

## Vulnerability Description

`CVE-2024-21413` is a critical vulnerability in `Microsoft Outlook` that allows a remote attacker to have malicious links opened via a carefully crafted email. The exploit uses the `file://` protocol to redirect victims to attacker-controlled `SMB` shares, which may result in exposure of `NTLM` credentials or unauthorized access to local files.

# Windows 10 Services Startup Script + Credentials

The password for the user `victim` in the `Windows 10` lab is `victim`, and the password for the `hMailServer` server is `victim`.

The password for the `[email protected]` email account is `victim`, and the password for the `[email protected]` email account is `hacker`.

Install `python3` in the `Windows 10` lab:

[Download Python3](https://www.microsoft.com/store/productId/9PNRBTZXMB4Z?ocid=pdpshare)

We will open a `cmd` as administrator:

```cmd
pip install pyautogui
pip install Pillow
pip install opencv-python
```

Download the script `startServicesWindows.py` to the `Windows 10` lab machine and run it:

```cmd
python3 startServicesWindows.py
```

This starts the mail server and `Outlook`, so that the environment is ready.

# Technical Details

- `Attack Vector`: The attack is initiated by sending an email with a `file://` link to the victim. When clicked, the system attempts to connect to the specified remote share, potentially exposing `NTLMv2` credentials or accessing a compromised local resource.
- `Impact`: Theft of `NTLM` credentials, remote command execution or exploitation of local files.
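As an added defender-side example (not code from this repository), the following Python scans a raw email for `file://` links that point at a remote host, the attack vector described above, while ignoring links to local paths. The sample message, IP address and hostname are constructed for illustration.

```python
import email
import re
from email import policy
from ipaddress import ip_address
from urllib.parse import unquote, urlsplit

# file:// URLs in text/HTML bodies; stops at whitespace, quotes and brackets.
FILE_URL_RE = re.compile(r'file://[^\s"\'<>)]+', re.IGNORECASE)

def _is_local_host(host: str) -> bool:
    """True when the URL host is the local machine (no outbound SMB connection)."""
    if not host or host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name or an IP address of another machine

def find_remote_file_links(raw_message: bytes) -> list:
    """Return each remote-host file:// link (the CVE-2024-21413 pattern) with its
    MIME part index, decoded URL and host, for gateway blocking or triage."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for idx, part in enumerate(msg.walk()):
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        for url in FILE_URL_RE.findall(part.get_content()):
            url = unquote(url)  # decode %xx so an encoded host is not missed
            host = urlsplit(url).hostname or ""
            if not _is_local_host(host):
                hits.append({"part": idx, "url": url, "host": host})
    return hits

# Constructed sample message (not from the repository): a remote link in the
# text part, a local file:// link that must be ignored, and a link in the HTML.
SAMPLE_EML = b"""From: sender@example.test
Subject: quarterly report
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Report: file://192.0.2.10/share/report.docx
Local copy: file:///C:/Users/victim/report.docx
--b1
Content-Type: text/html; charset="utf-8"

<html><body><a href="FILE://fileserver.example.test/share/report.docx">report</a></body></html>
--b1--
"""
```

Running `find_remote_file_links(SAMPLE_EML)` flags the two remote links (parts 1 and 2) and leaves the local `C:` link alone; the same function can be pointed at `.eml` files pulled from a mail gateway quarantine.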

## Requirements

- A functional `SMTP` server.
- Access to the victim computer through `Outlook`.
- Valid credentials of the email sender.

## Tools Included

This repository contains two tools designed for testing in a controlled environment:

## 1. Email Exploit Tool

A utility in `Python` that automates sending emails with malicious `file://` links to test the vulnerability in secure environments.

### Characteristics

- Allows you to configure sender, recipient and sender password.
- Link embedded in the body of the email that exploits the `file://` protocol.
- Designed to run with an `SMTP` server.

### Use

Install the necessary dependencies:

```bash
pip install rich
```

### Run the tool:

```bash
python3 exploitSendEmailOutlook.py
```

### Provide the requested data:

- Email address of the sender `(attacker)`.
- Email address of the recipient `(victim)`.
- `Password` of the sender.
- IP of the `SMTP` server.

The email will be sent automatically if authentication and connection are successful.

### Output Example

```plaintext
Intentando conectar al servidor SMTP...
Conexión establecida con el servidor SMTP.
Intentando iniciar sesión en el servidor SMTP...
Autenticación exitosa.
Enviando correo...
Correo enviado exitosamente.
```

## 2. Responder Tool

Responder is an advanced penetration testing tool that acts as a `fake SMB` server to capture `NTLMv2` credentials when a system attempts to authenticate.

### Characteristics

- Captures `NTLMv2` hashes from authentication attempts.
- Support for multiple protocols `(SMB, HTTP, FTP, among others)`.
- Ideal for testing this `vulnerability`.

### Use

Install `responder` on your attacking machine.

### On Debian/Ubuntu systems:

```bash
sudo apt update && sudo apt install responder
```

### Run Responder on your network interface:

```bash
# Replace <interface> with the interface facing the lab network (e.g. eth0)
sudo responder -I <interface> -v
```

Or using the script included in this repository:

```bash
python3 captureHashResponder.py
```

Keep the server running and wait for victims to access the malicious `file://` link sent.

### Output Example

```plaintext
[SMB] NTLMv2-SSP Client : 192.168.1.100
[SMB] NTLMv2-SSP Username : VICTIM-PC\user
[SMB] NTLMv2-SSP Hash : e5d5c82d3e44bf4...etc
```

## Mitigation Recommendations

### Block the `file://` protocol

Configure your email client to avoid links that use the `file://` protocol.

### Disable automatic submission of `NTLM` credentials (Windows systems)

1. Open the `Group Policy Editor`.
2. Navigate to `Security Settings` > `Local Policies` > `Security Options`.
3. Set `Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers` to `Deny all`.

### Security updates

Apply the latest security patches provided by `Microsoft`.

### Strong passwords and multi-factor authentication (MFA)

This minimizes the impact if credentials are compromised.

## Explanation video about the vulnerability on YouTube

[Video CVE-2024-21413](LINK)

## Warning

This tool and included scripts are for educational purposes only and for testing in controlled environments with explicit permission. Misuse of these tools for malicious activities is `illegal` and subject to severe legal penalties.

## License

This project is distributed under the `MIT` License. See the `LICENSE` file for details.

## Contact

If you have questions or would like to collaborate, do not hesitate to contact me:

Author: `d1se0`

Mail: `[email protected]`