This PoC demonstrates the exploitation of the NTLM hash leak via .library-ms
files on unpatched Windows systems (March 2025 Patch Tuesday).
β οΈ This is for educational and research purposes only. Do not use this on production or unauthorized systems.
When a .library-ms
file with a UNC path is opened (or previewed) in Windows Explorer, it triggers an SMB authentication request to the specified server, leaking the NTLMv2 hash.
generate_library_ms.py
: generates the malicious.library-ms
filexd.library-ms
: sample malicious file (points to a configurable SMB server)Instructions_Responder.md
: how to set up a fake SMB server with Responder
-
Start
Responder
on your attacker machine:sudo responder -I eth0
-
On the victim Windows VM:
- Download or generate the
.library-ms
file - Preview it in File Explorer
- Download or generate the
-
On the attacker side:
- Observe the captured NTLM hash in Responder's output
- Apply Microsoft's March 2025 patches
- Disable NTLM where possible
- Educate users to avoid interacting with
.library-ms
files from untrusted sources
PoC created by Helidem