When attacking Windows, one of the initial goals of an attacker is simple:
Stealing NTLM hashes.
Why? Because NTLM hashes can be used to authenticate to other systems on the network without needing the actual password.
There are many ways to grab NTLM hashes.
But here’s one that I came across recently.
Attack Flow: How It Worked
The attacker sends a phishing email with a ZIP archive attached > Inside the ZIP, the attacker places a crafted file with the extension ".library-ms".
(If you open a ".library-ms" file, it shows a Windows library. A Windows library is sort of like a customized "My Documents" folder view that pulls in content from various sources such as local folders or remote network drives.)
The victim extracts the ZIP archive > As soon as the file is extracted and previewed in Windows Explorer, it triggers a system action.
Here's the trick: The ".library-ms" file has XML code to load an icon from a remote SMB share hosted by attacker.
This causes the system to authenticate automatically to that SMB path using the current user's NTLM hash > The system sends the NTLM hash on its own > The attacker captures it.
The attacker cracks it offline to recover the user's password > The captured authentication can also be relayed to another internal system for lateral movement.
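From the defender's side, the artifact in this flow is a .library-ms entry inside an email ZIP whose XML points at a share the victim would silently authenticate to. As an added example (not part of this post), here is a Python check a mail gateway or triage script could run on an attachment: it lists every .library-ms entry and flags any UNC path whose host is not on an allowlist of known file servers. The sample archive is constructed in memory and the XML element names are illustrative, not the full Windows library schema.

```python
import io
import re
import zipfile

# Host part of a UNC path such as \\203.0.113.7\share\icon.ico; also tolerates
# the doubled-backslash form seen when the path is escaped inside XML.
UNC_HOST = re.compile(r"\\\\+([A-Za-z0-9._\-]+)\\")

# Constructed sample: a minimal library description whose location points at an
# external host (TEST-NET address). Element names are illustrative only.
SAMPLE_LIBRARY_MS = (
    "<libraryDescription>\n"
    "  <location>\\\\203.0.113.7\\share</location>\n"
    "</libraryDescription>\n"
)

def decode_xml(raw: bytes) -> str:
    """Library files may be saved as UTF-16; honour the BOM before decoding."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")

def unc_hosts(text: str) -> set[str]:
    """Return every remote host referenced by a UNC path in the text."""
    return {m.group(1).lower() for m in UNC_HOST.finditer(text)}

def scan_zip_for_library_ms(zip_bytes: bytes, allowed_hosts=()) -> list[dict]:
    """List .library-ms entries in an archive and flag any that reference a
    host outside the allowlist (a share the victim would authenticate to)."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            unexpected = unc_hosts(decode_xml(zf.read(info))) - allowed
            findings.append({
                "entry": info.filename,
                "remote_hosts": sorted(unexpected),
                "suspicious": bool(unexpected),
            })
    return findings

def build_sample_zip() -> bytes:
    """Build the constructed phishing-style archive in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.library-ms", SAMPLE_LIBRARY_MS)
    return buf.getvalue()
```

Any .library-ms in an inbound attachment is already worth quarantining; the allowlist only keeps the check from alerting on libraries that legitimately point at internal file servers.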
Key Insights: What This Attack Teaches Us
The flaw here is this: when you extract a ZIP containing a .library-ms file, Windows Explorer "auto-processes" it. The attacker simply exploits this auto-processing behavior to trigger an outbound SMB request. This is CVE-2025-24054. It was patched on March 11, 2025. Exploitation began within a week. That's how short the window is between disclosure and in-the-wild abuse. If you're not patching fast, attackers will move faster.
The most interesting aspect of this attack to me is this: there was no execution at all. It was just a preview. Remember that just because a file didn't execute doesn't mean it's 100% safe.
Attackers do not respect CVSS scores. This vulnerability was marked “Exploitation Less Likely.” And yet, exploitation started almost immediately.
Most of us have seen 'Libraries' in Windows but probably never paid attention. To turn them on, do this in Explorer: 'Options > View > Show Libraries'. They are similar to the My Documents and My Pictures folders we are familiar with.
NTLM is an old authentication protocol that is still used today. However, it was replaced long ago by Kerberos, which uses secret-key cryptography to provide strong authentication for client-server applications. NTLM auth comes into play in many places in an enterprise (when you sign in to a domain, authenticate to a network share etc.). Although NTLM v2 is better than v1, it is still vulnerable to pass-the-hash, NTLM relay, and offline cracking.
If you're looking to identify NTLM usage across your enterprise, NTLM Audit is one option. It's a PowerShell tool that:
Sends NTLM authentication requests across systems
Helps determine where NTLM authentication is allowed/responded to
Identifies servers that will respond to NTLM or allow relays.
Block outbound SMB. Always. This is the easiest and most effective fix. If SMB traffic can’t reach the attacker’s server, NTLM hashes can’t leak. This control is especially important because many NTLM leak attacks (like the .library-ms one) rely on the operating system automatically attempting to authenticate over SMB. Blocking outbound SMB cuts off this path entirely.
Additionally, enforce SMB signing internally to reduce the risk of relay attacks, where an attacker intercepts and forwards authentication attempts to other systems. SMB signing ensures the integrity of the communication, making it harder for attackers to tamper with or misuse the NTLM credentials.
Even if NTLM cannot be fully eliminated in your environment yet, network-level controls like outbound blocking and SMB signing significantly reduce its exploitation risk.
A very interesting post. A few months ago I read about NTLM. I understood that it has quite a few vulnerabilities and is no longer used. But I didn't imagine that it could be so “easy” to exploit.