Server-side ZIP extraction leads to NTLM hash leakage.
This vulnerability leaks NTLM hashes through RAR/ZIP extraction of a crafted .library-ms file. It is a Windows File Explorer weakness that lets an attacker steal NTLM hashes when a user extracts a crafted .zip file. It works because Windows Explorer automatically attempts SMB authentication when it processes a .library-ms file that points to a remote UNC path. If the server extracts the archive, the target machine authenticates to the attacker-controlled SMB server and leaks its NTLMv2 hash.
The proof-of-concept:
Steps
- Start Responder (responder -I tun0 -v)
- python3 poc.py (Enter your tun0 IP when prompted)
- A .zip file is created which, when uploaded to the target, triggers a callback to your Responder listener
- Save the hash and crack it
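A server-side pre-extraction check that would catch this kind of archive, as an added example that is not part of the PoC or the original page. The archive builder and the `\\example-host\share` placeholder are constructed test data, and the .library-ms stub is a simplified XML shape rather than the real Library Description schema; the regex flags any entry that references a remote UNC path, not only .library-ms files.

```python
import io
import posixpath
import re
import zipfile

# Hypothetical pre-extraction check for an upload pipeline (example code, not
# part of the PoC): flag archive entries Explorer may resolve against a remote
# share when the extracted folder is rendered, before anything hits disk.
RISKY_EXTENSIONS = {".library-ms"}
# Matches \\host\share-style references in the raw entry bytes.
UNC_PATTERN = re.compile(rb"\\\\[A-Za-z0-9._-]+\\[^\s\\<\"']+")
MAX_INSPECT_BYTES = 1 << 20  # never inflate more than 1 MiB of one entry


def scan_archive(data: bytes) -> list[dict]:
    """Return one finding per suspicious entry; an empty list means clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = posixpath.splitext(name)[1].lower()
            reasons = []
            if ext in RISKY_EXTENSIONS:
                reasons.append(f"contains a {ext} library description file")
            # Read only small entries so an oversized member cannot exhaust memory.
            if info.file_size <= MAX_INSPECT_BYTES:
                match = UNC_PATTERN.search(zf.read(info))
                if match:
                    unc = match.group(0).decode(errors="replace")
                    reasons.append(f"references remote UNC path {unc}")
            if reasons:
                findings.append({"entry": name, "reasons": reasons})
    return findings


def build_sample_archive(include_library: bool = True) -> bytes:
    """Constructed test input: a harmless text file and, optionally, a simplified
    .library-ms stub pointing at a placeholder share (not the real schema)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.txt", "Quarterly invoice, nothing interesting.")
        if include_library:
            zf.writestr("photos.library-ms",
                        "<library><location>\\\\example-host\\share</location></library>")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding["entry"], "->", "; ".join(finding["reasons"]))
```

Rejecting (or quarantining) an upload on any finding is the mitigation; the UNC path in the finding is also the value to hunt for in proxy and firewall logs for outbound SMB attempts.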
