Description
Summary
Extra Data structure of Windows Shell Link (LNK) NTLM Leak Proof of Concept written in Metasploit (auxiliary module).
Basic example
Recently I blogged (https://zeifan.my/Right-Click-LNK/) about Windows LNK files that can trigger in multiple ways. I wrote two auxiliary modules for this, and you can find them here: https://github.com/nafiez/DataBlockNTLMLeak
Motivation
What use cases does it support?
- If a red teamer / pentester wanted to send a file to the victim and capture the NTLM hash (version 2), they can leverage the LNK. I tested a scenario with the latest updates of 7-zip and WinRAR on Windows 10 and Windows 11, and no MOTW is applied to the inheritance object in the archive.
What is the expected outcome?
- There are 2 scenarios that can be tested here: EnvironmentVariableDataBlock requires only a right-click on the LNK file upon extracting it from the zip on the victim side, while IconEnvironmentDataBlock works with zero-click interaction. Both will send the NTLM hash to the attacker's server.
- I wrote details about the usage of the modules in my GitHub project.
Not sure if you're interested, but I just gave it a try :)
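For triage of extracted archives, the two ExtraData structures named in this request can be checked for remote targets before a user ever browses to the file. The parser below is an added example, not code from the issue author or from Metasploit; it follows the MS-SHLLINK layout, and `remote_targets`, `sample_lnk` and the host `files.example.test` are names made up for illustration.

```python
import struct

# Block signatures from MS-SHLLINK for the two structures named in the issue.
SIGS = {0xA0000001: "EnvironmentVariableDataBlock",
        0xA0000007: "IconEnvironmentDataBlock"}

def extra_data_offset(lnk: bytes) -> int:
    """Skip header, IDList, LinkInfo and StringData to reach ExtraData."""
    if len(lnk) < 76 or struct.unpack_from("<I", lnk, 0)[0] != 0x4C:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", lnk, 20)[0]
    off = 76
    if flags & 0x01:  # HasLinkTargetIDList: 2-byte size, then the list
        off += 2 + struct.unpack_from("<H", lnk, off)[0]
    if flags & 0x02:  # HasLinkInfo: 4-byte size that includes itself
        off += struct.unpack_from("<I", lnk, off)[0]
    width = 2 if flags & 0x80 else 1  # IsUnicode
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):  # Name .. IconLocation
        if flags & bit:
            off += 2 + struct.unpack_from("<H", lnk, off)[0] * width
    return off

def remote_targets(lnk: bytes):
    """Return [(block name, target)] for env/icon blocks holding a UNC path."""
    hits, off = [], extra_data_offset(lnk)
    while off + 8 <= len(lnk):
        size, sig = struct.unpack_from("<II", lnk, off)
        if size < 8 or off + size > len(lnk):
            break  # terminal block or truncated data
        if sig in SIGS and size >= 0x314:
            # Fixed layout: 260-byte ANSI target, then 520-byte UTF-16 target.
            ansi = lnk[off + 8:off + 268].split(b"\0")[0].decode("latin-1")
            uni = lnk[off + 268:off + 788].decode("utf-16-le", "replace").split("\0")[0]
            for target in dict.fromkeys((ansi, uni)):
                if target.startswith("\\\\"):
                    hits.append((SIGS[sig], target))
        off += size
    return hits

def sample_lnk(sig: int, target: str) -> bytes:
    """Constructed parser fixture (zeroed CLSID, not a usable shortcut)."""
    header = struct.pack("<I", 0x4C) + bytes(16) + struct.pack("<I", 0x80) + bytes(52)
    block = (struct.pack("<II", 0x314, sig)
             + target.encode("latin-1").ljust(260, b"\0")
             + target.encode("utf-16-le").ljust(520, b"\0"))
    return header + block + bytes(4)  # 4-byte terminal block
```

A hit on either block in a freshly extracted `.lnk` is worth quarantining; pairing this check with egress filtering of outbound SMB limits what a missed file can leak.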