Security release!
Description
Summary
It is possible to obtain a user's NTLM hash by tricking them into cloning from a malicious server. Since NTLM hashing is weak, it is possible for the attacker to brute-force the user's account name and password.
Proof of Concept
An attacker who can control a server from which the attack's target clones a repository can extract the NTLM hash, which in turn allows brute-forcing the password. Steps to reproduce:
1. Run Responder on host [attacker].
2. Run git clone on host [victim] against [attacker].
3. The attacker receives the user's NTLM hash.
Impact
By brute-forcing the NTLMv2 hash (which is expensive, but possible), credentials can be extracted.
References
- https://support.microsoft.com/en-us/topic/upcoming-changes-to-ntlmv1-in-windows-11-version-24h2-and-windows-server-2025-c0554217-cdbc-420f-b47c-e02b2db49b2e
- https://techcommunity.microsoft.com/blog/windows-itpro-blog/the-evolution-of-windows-authentication/3926848
- https://learn.microsoft.com/en-au/windows/whats-new/deprecated-features#:~:text=NTLM
This is a security fix release, addressing CVE-2025-66413.
CVE-2025-66413, Git for Windows: When a user clones a repository from an attacker-controlled server, Git may attempt NTLM authentication and disclose the user's NTLMv2 hash to the remote server. Since NTLM hashing is weak, the captured hash can potentially be brute-forced to recover the user's credentials. This is addressed by disabling NTLM authentication by default.
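As an added detection example (not part of this advisory or of Git's own code), the following Python parses a GIT_TRACE_CURL-style header log from a clone and reports hosts outside an allowlist to which Git sent an NTLM Authenticate (type 3) message, the message that carries the NTLMv2 response derived from the user's credentials. The log line format and the host names in the sample are assumed and constructed, not taken from a real session.

```python
import base64
import re

# Header patterns of a GIT_TRACE_CURL-style log (format assumed; sample below is constructed).
HOST_RE = re.compile(r"=> Send header: Host: (\S+)")
CHALLENGE_RE = re.compile(r"<= Recv header: WWW-Authenticate: NTLM\b")
AUTHZ_RE = re.compile(r"=> Send header: Authorization: NTLM (\S+)")

def ntlm_message_type(token):
    """NTLMSSP message type of a base64 token (1=Negotiate, 2=Challenge, 3=Authenticate) or None."""
    try:
        head = base64.b64decode(token[:16])  # first 12 bytes: b"NTLMSSP\0" + 4-byte LE type
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(head) < 12 or not head.startswith(b"NTLMSSP\0"):
        return None
    return int.from_bytes(head[8:12], "little")

def ntlm_exchanges(trace):
    """Map each Host header seen in the trace to the NTLM messages Git exchanged with it."""
    hosts, current = {}, None
    for line in trace.splitlines():
        if m := HOST_RE.search(line):
            current = m.group(1)
            hosts.setdefault(current, {"challenged": False, "sent_types": []})
        elif current and CHALLENGE_RE.search(line):
            hosts[current]["challenged"] = True
        elif current and (m := AUTHZ_RE.search(line)):
            hosts[current]["sent_types"].append(ntlm_message_type(m.group(1)))
    return hosts

def hash_disclosures(trace, trusted_hosts):
    """Hosts outside the allowlist that received a type 3 (Authenticate) message, i.e. the NTLMv2 response."""
    return sorted(host for host, ex in ntlm_exchanges(trace).items()
                  if 3 in ex["sent_types"] and host not in trusted_hosts)

# Constructed sample: a clone from a trusted internal host, then one from an unknown host
# that challenges with NTLM and receives a type 3 reply (the hash disclosure this advisory describes).
SAMPLE_TRACE = """\
12:00:01.000001 http.c:1 => Send header: Host: git.internal.example
12:00:01.000002 http.c:1 <= Recv header: WWW-Authenticate: NTLM
12:00:01.000003 http.c:1 => Send header: Authorization: NTLM TlRMTVNTUAABAAAA
12:00:01.000004 http.c:1 <= Recv header: WWW-Authenticate: NTLM TlRMTVNTUAACAAAA
12:00:01.000005 http.c:1 => Send header: Authorization: NTLM TlRMTVNTUAADAAAA
12:00:02.000001 http.c:1 => Send header: Host: clone-me.example.net
12:00:02.000002 http.c:1 <= Recv header: WWW-Authenticate: NTLM
12:00:02.000003 http.c:1 => Send header: Authorization: NTLM TlRMTVNTUAABAAAA
12:00:02.000004 http.c:1 => Send header: Authorization: NTLM TlRMTVNTUAADAAAA
"""
```

Running `hash_disclosures(SAMPLE_TRACE, {"git.internal.example"})` on the sample returns `["clone-me.example.net"]`; on a real trace, feed it the output captured with `GIT_TRACE_CURL` set for the clone.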