This File Steals Passwords
jh.live/censys || Get started with the leading Internet Intelligence Platform for threat hunting and attack surface management -- find what is exposed out on the open Internet with Censys! jh.live/censys
Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricetraining.com
Read The Hacker Mindset by Garret Gee: jh.live/hackermindset
📧JOIN MY NEWSLETTER ➡ jh.live/email
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥KZread ALGORITHM ➡ Like, Comment, & Subscribe!
Пікірлер: 98
one thing that i appreciate about your videos is that you zoom the screen big enough to make it easier to read and watch. and i think people don't point that out enough. thanks.
@codycortello
Ай бұрын
Further, I also love that he vocalizes the hotkeys he's using, a la 5:10. Really thoughtful, and uncommon for a video unrelated to computer shortcuts
@BillAnt
Ай бұрын
It's great, most other videos are barely readable at 1080p/4k. Thanks John! :)
@wcoltters
Ай бұрын
Yes! Absolutely! Not everyone has 32 or 43 inch monitors. And not everyone has 20/20 vision right? Keep the big fonts.
@BillAnt
Ай бұрын
@@wcoltters - I think the problem is that creators usually have larger displays forgetting about their less than 17" screen users.
@bmc2266
Ай бұрын
You can zoom any video on phone and laptop/desktop. Either pause it or not : On phone use 2 fingers on the screen and move then the opposite direction. On laptop/desktop, use the magnifier. (Windows key+CTRL+M) Google it, there is other ways too.
SMB seems like it's primarily a vulnerability generating protocol that just happens to also let you share files
really seems like Microsoft should implement some security measures for these scf files
@user-qr4jf4tv2x
Ай бұрын
like showing extension always
@DeNikow
Ай бұрын
Not only that. You can do the same thing with hidden desktop.Ini files that are automatically triggered when opening a folder. It's how canary most folder canary tokens work.
@ffggvfg4323
Ай бұрын
Lmao imagine
@josecintron85
Ай бұрын
@@user-qr4jf4tv2x actually remove the functionality all together, I really don't see the point of having them.
@ecu4321
Ай бұрын
i find it odd that microsoft keeps opting to HIDE extension names by default even going as far as force-hiding it even if you set it to always show, like in this case of SCF files. it's like microsoft is allowing threat actors in making windows vulnerable. it's their MacOS/Linux obsession that's influenced this compromised design decision
Very old trick, i remember using this to infect my teachers computer so i could steal the tests early
@neilpatil7786
Ай бұрын
I used this too bro 😊 7 times
@menreikichan8291
29 күн бұрын
@@neilpatil7786Does it still work?
The point is clear - you have just to make somehow a request from victim PC via SMB, fool it that you're going to authenticate it and it gives you it's NTLM hash. But, I couldn't replicate this attack (at least this way). I've done exactly how did you in video and simply nothing happened. Responder was listening correctly and all VMs were in the same network. Windows 10 nor Windows 7 responds to this. Guest OS: Windows 10, Kali Hypervisor: Virtualbox Networking: Bridged (both of them)
Yooo, I swear you always have the most absurd things in windows to perform malicious actions with, absolutely love it!
I'm too dumb to understand everything You present, but how I have been told "I love when You speak technical to me"
Running and gunnin! Hotel YT production. Good to see you John! Great video
A small correction: You meant "relay" the hash not "pass" because pass the hash attacks are different than NTLM relay attacks. It's quite confusing because of the misused terminology (I did it in the previous sentence as well for traditional reasons :D). But the pass-the-hash attack uses the password hash stored on the machine to generate NetNTLMv2 hashes that will be sent through the network. Relay attacks catch a NetNTLMv2 hash (just like responder does) and sends it through to another service that accepts NTLM authentication. Key differences: NetNTLMv2 hashes cannot be used for long, they expire. SMB signing (in case of SMB servers) can defend against relay attacks (but it will have like a 30% performance cut) while pass-the-hash attacks will work even if it's enabled.
@ak2o614
Ай бұрын
Was gonna post a comment about it too, thanks for the precision ;)
@machina123
Ай бұрын
So clearly explained !
Windows is the Devil
@BillAnt
Ай бұрын
Maybe not the entire Windows, but "The devil is in the details". ;D
Thank you for the awesome content, Scary that this works on network file shares and USB drives.
Love, John Hammond. :)
It's really cool to get this working :P Love your content!
Thanks for sharing! Good to see this is possible, something to be alert for. When I think of protection, blocking SCF files in Ivanti Workspace for example, could prevent this. As for monitoring, detection and response I'm thinking anti virus and SIEM tooling and a SOC to respond to alerts. This covers anti malware and monitoring and logging in ISO27001.
Thanks John, you the boss!
ok that is really cool. Thank you for doing these types of videos.
Classic John Hammond, always traveling so we can't pinpoint his location with OSINT
I am, have always been and plan on always being...a shift+delete kind of person.
Great content as always!! TY!
Alright, so you can set a custom icon for a richtext file or word document... 🤷♂ Seems cool, but noone really uses it afaik. But then allowing a network location for an icon, on a local document file is really odd🤦♂, I don't think anyone asked for that feature whatsoever.
@ExtremeContent-hq
Ай бұрын
Who cares about you 😔
Hi John, Thank you for all the information you share with all of us! I need some help some Russians hacked my email account so I have changed all passwords as required. I have the ip address it was accessed from. How can I revert their action towards them back?
Wonder if all these vulnerabilities are recognized by Huntress?
So powerfull! If a read teamer put this file in a smb share for example, whould the .ico be fetched by any viewers of the share? Or the ico will be cached by the DC?
yow John, unrelated topic here, just want to ask if you know how to install linux mint or ubuntu dual boot with windows 10 if i don't have flash drive and dvd to create bootable installer. thanks
I just did something like this not that long ago and pwnd the SOC for the folks that I was working for. I downloaded an SCF to my computer which pointed to my host on the Internet, well the SOC saw the file saved it their desktop and all of the sudden I had a connection to my host from one of the SOC users (which BTW had admin rights on an S* load of systems) after that I used his credentials, with pass the hash, to own the place.
@unstyled3509
Ай бұрын
sounds like you're admitting to a crime (umless you had consent) which isn't a great idea since people might be able to get your email or other potential info
@josecintron85
Ай бұрын
@@unstyled3509 Not sure how I said I did anything illegal, but in any case it was authorized as part of my job and the report has already been delivered to the company that hired us.
"... will *never show* its file extension ..." That's only true as long as the "NeverShowExt" Registry Value is present under SHCmdFile [HKCR\.scf points to HKCR\SHCmdFile].
Literally amazing 😲😲😲😎
Hey John big fan here, one thing though I noticed that this only works on windows 10 and does not give me the hash when I tried it on windows 11 is there any reason for that?
@_JohnHammond
Ай бұрын
I've gotten this to work on Windows 11. How are you setting the icon path? I have had the most success when I wrap it in double quotes and use forward-slashes rather than backlashes, i.e. "//10.0.0.155/share/fake.ico"
thats mad, and i alrway riht click recycle bin to empty it i never open it luckily but i see the point any icon can be used lol
You wouldn't be able to "pass the hash" this isn't ntlm, this is a different format known as net-NTLM, you can relay this though, so long as there is no signing in place.
@craigblackie2034
Ай бұрын
And yes, you can get ntlm from net-ntlmv1, but that involves a cracking process still.
we cannot make pass the hash with ntlmv2
My recycle bin is named Garbage
Mind blown
Does it still dump the hashes and info via flash disk usage Without placing it in the system storage
@DI0NY5US
Ай бұрын
Yes. If you open a folder with a .scf file in it Windows will try to display the icon.
@psalmskhris3925
Ай бұрын
@@DI0NY5US thanks 👍🏾
remind me of the old school NETBUS
I will never use an SCF file again (maybe)
Love ur vids
I need that for iPhone and for any laptop in S mode windows
you should make a anti-viris, malware...etc
You find the strangest things :)
The same with .lnk except the arrow.
Neat info
I have known this for *quite* a while. And there's a bug related to this that might be exploitable too. 😄 It was fun to toy around with, but since nobody was interested i just ignored it for a while. 🤷♂
Doesn't seem to work on Windows 11
You are the one 💪
Interesting
Ima try this exploit on a big corporation xd
Hell yeah new video
the odd thing on your desktop is that you use google chrome
WHAT 1 MINUTE AGO?
@Ryder7223
Ай бұрын
22 minutes ago Geometry Dash reference :O
COOL!
Don't give me ideas.
can you makea udemy cours please?thanks
👍🏽
HA
🇦🇿🇦🇿🇦🇿🇦🇿🇦🇿🇦🇿🇦🇿
First
hate to be that guy but first
@mk-ps6xv
Ай бұрын
you aren't that guy
@eitancollett
Ай бұрын
@@mk-ps6xv i would never nahhhhhh
"I'm trying to drag this file to the bin but it just WILL NOT GO IN THERE" 😅🤣 Another fun option would be to change the right-click context options for this file to look like it is a recycle bin - the context menus for the bin vs. files look pretty different and someone who is apprehensive might be able to figure out something is up just by right clicking the file and seeing no recycle-related-options. But maybe not if it looks exactly like the bin menus. OR ... could you somehow link the trap file to the REAL recycle bin, and simply pass the user in a way that looks normal? (IE: logs info, then just opens the real recycling bin so fast the user would never notice)
Probably just me but you sound like Seth Rogen if he wasn't a weed smoker 🫡👌
Windoze is and always has been a train wreck
First