03-21-2025, 10:19 PM
Windows Explorer automatically initiates an SMB authentication request when a .library-ms file is extracted from a .rar archive, leading to NTLM hash disclosure. The user does not need to open or execute the file—simply extracting it is enough to trigger the leak.
blog post:
You are not allowed to view links. Register or Login to view.
POC: You are not allowed to view links. Register or Login to view.
>>python poc.py
>>enter file name: your file name
>>enter IP: attacker IP
blog post:
You are not allowed to view links. Register or Login to view.
POC: You are not allowed to view links. Register or Login to view.
>>python poc.py
>>enter file name: your file name
>>enter IP: attacker IP