URL File Attacks

by Vince
in Blog
Hits: 722

This comes from PayloadAllTheThings on github and it's somewhat obsolete in that it does not seem to work on Windows 10.  That being said, older systems are still vulnerable to this attack and it's pretty amazing.  The situation is this -- you find an open and writable file share.  Our preference is that it's a server share but it can be any share or any folder even.  If it's a server share, it's going to rain hashes. 

We're going to open Notepad and we'll insert the following:




What's really import in the above is that the IP address points to our attacking machine which has Responder running. 

Next, we're going to save the file with:  "@SOMETHING.url"

The SOMETHING can be anything but use your imagination to create something that will blend into the share.  Ideally, we want this to go unnoticed because the victim does NOT need to click on it, the act of just opening the folder is enough.



Once we have it saved in the share (or folder even), we just want for our victim(s).

With Responder setup:



The victim opens the share (or in our case, the folder):



We capture the hash:



Find an open share, drop this in place, setup Responder, and move about to other tasks.  If Windows 10 systems connect to it, Responder will toss and error but it doesn't break Responder so we don't need to do anything.