
Does the QuickCreds.sh work in 2024? #4

@rob-otter

Description


I have a Windows 10 Pro 10.0.19045 Build 19045 running in a Virtualbox VM (no guest tools installed).
I passed through the USB device and it gets a network (DHCP lease and so on) from the PI0w, everything fine so far.

The attack works fine if I interact with the VM, unlock it and type some random \\teststring into the explorer search bar (pretty similar to the attack in QuickDraw.sh), because now there is a network request to my P4wnP1 poisoning device.

But when I lock the screen and start the attack, I can wait for hours and do not receive a hash.

I researched a bit on the attack and found out it is from around 2016 and only works when network requests are made in the background. So I set up another VM with a DNS server and a Samba share. The Windows VM is able to request the server address from the DNS server and is able to access the Samba share via \\fakeshare.local. I mapped the network drive to a drive in Windows and locked the screen. So after this setup, I connected the PI0w again to the Windows VM and launched the attack script QuickCreds.sh. -> I don't get a hash.

In the Win VM:

  • automatic proxy detection is enabled
  • firewall is on on all networks
  • the SMB share is mounted with the credentials of the local windows user

Like I already said: the attack works fine if the screen is unlocked and I request something in the explorer search bar; there is just no NTLM hash sent when the screen is locked.

Can you help me out, or do you think Microsoft mitigated this behaviour so the attack can't be exploited anymore?
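Added defender-side check, not part of the issue or of the P4wnP1 project: a PowerShell snippet that records the Windows host settings the report above touches on (automatic proxy detection, the WinHTTP auto-proxy service, firewall category per interface, and the LLMNR and NetBIOS name-resolution fallbacks that decide whether a host will talk to an unknown USB network on its own), so the host state behind a capture-or-no-capture result is documented rather than guessed. The registry locations and the CIM property names are taken from my own hardening notes and should be treated as assumptions; run it in an elevated PowerShell on the VM.

```powershell
# Added example, not the project's code. Reports the settings that govern whether
# a locked Windows 10 host will send NTLM to a rogue network on its own.
# Assumption: the registry paths below are the documented policy locations; a
# missing value means "Windows default" and is reported as that default.

function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $Default }
}

# LLMNR: policy value EnableMulticast = 0 disables it; missing value = enabled.
$llmnr = Get-RegValueOrDefault 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                               'EnableMulticast' 1

# WPAD: per-user "Automatically detect settings" flag (assumed key name) and the
# WinHTTP auto-proxy service start type (Disabled = WPAD lookups off system-wide).
$autoDetect = Get-RegValueOrDefault 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' `
                                    'AutoDetect' 1
$wpadSvc = (Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue).StartType

# NetBIOS over TCP/IP per adapter: 0 = via DHCP (default), 1 = enabled, 2 = disabled.
$nbt = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
       Select-Object Description, TcpipNetbiosOptions

# Firewall profile each interface landed in (a USB Ethernet gadget usually lands in Public).
$profiles = Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

[pscustomobject]@{
    LLMNR_Enabled       = ($llmnr -ne 0)
    WPAD_AutoDetect     = ($autoDetect -ne 0)
    WinHttpAutoProxySvc = $wpadSvc
    NetBIOS_PerAdapter  = $nbt
    InterfaceCategories = $profiles
} | Format-List
```

Hardening guidance for this class of attack disables LLMNR and NetBIOS name resolution and turns off WPAD auto-detection, so a host that still leaks while unlocked but not while locked will typically show LLMNR or WPAD enabled here.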
