A new CVE‑2026‑33829 vulnerability in Windows' Snipping Tool lets attackers steal Net‑NTLM hash credentials via a malicious deep‑link URI, and a low‑skill PoC demonstrates the exploit while Microsoft’s April 14 2026 patch and mitigation steps are detailed.
Researchers discovered that certain versions of the Windows screenshot tool ms‑screensketch register a deep‑link URI whose filePath parameter can force an authenticated SMB connection, allowing a remote attacker to capture the user’s Net‑NTLM hash after the victim clicks a malicious link.
Security researchers reveal that by embedding malicious UNC paths in specially crafted Outlook 365 emails or meeting invites, attackers can trigger automatic SMB authentication, steal the victim’s Net‑NTLMv2 hash, and subsequently perform offline cracking or NTLM relay attacks, posing a high‑stealth threat to enterprises.
This tutorial explains why companies use a secondary HTTP proxy, introduces Cntlm as a secure NTLM‑capable proxy, and provides detailed installation, minimal configuration, authentication retrieval, and service reload instructions for both Debian‑based Linux distributions and Windows.
Learn how to install Cntlm on Debian‑based Linux or Windows, configure its authentication and proxy settings, obtain NTLM hashes, and apply changes by reloading or restarting the systemd service, enabling secure multi‑user HTTP proxy access within restricted networks.
