There are sophisticated campaigns in which users are sent .dotm, .jpg, .png files. These are hosted on compromised servers. When the user accesses the files (including viewing of graphic files) it is stated that their NTLM hashes are requested and captured. This methodology is attributed to a group called Berserk Bear / Energetic Bear (https://www.ft.com/content/8c51cdae-9298-11e7-bdfa-eda243196c2c and http://fortune.com/2017/09/06/hack-energy-grid-symantec/).
I wanted to understand how exactly NTLM and WebDAV fit into this. I understand SMB authentication. As most organizations deny outbound SMB traffic, it is stated that WebDAV is used to dodge the firewall deny set for SMB, as WebDAV functions on port 80/443.
I wanted to further understand: if the malicious webpage sent an NTLM challenge, would the target machine reply with the NTLM hash as stored on the user's machine, or with a hash which is a cryptographic output of the user's actual hash? Will the user's password (in hash form) actually be sent out in any scenario?
Can anyone please shed some light on these types of attacks?