Windows Explorer automatically initiates an SMB authentication request when a .library-ms file is extracted from a .rar archive, leading to NTLM hash disclosure. The user does not need to open or execute the file—simply extracting it is enough to trigger the leak.
blog post:
You are not allowed to view links. Register or Login to view.
POC: You are not allowed to view links. Register or Login to view.
>>python poc.py
>>enter file name: your file name
>>enter IP: attacker IP
blog post:
You are not allowed to view links. Register or Login to view.
POC: You are not allowed to view links. Register or Login to view.
>>python poc.py
>>enter file name: your file name
>>enter IP: attacker IP
![[Image: e72398fe92beda2aa80d0329e8b9f4febece7568.gif]](https://64.media.tumblr.com/834502d05f9b014cbc37366fe428a5a7/13cb9841c0799d7a-ff/s500x560/e72398fe92beda2aa80d0329e8b9f4febece7568.gif)
