NTLMRecon is built with flexibility in mind: a fast and flexible NTLM reconnaissance tool without external dependencies. It is useful for finding out information about NTLM endpoints when working with a large set of potential IP addresses and domains.
Need to run recon on a single URL, an IP address, an entire CIDR range, or a combination of all of them in a single input file? No problem, it has you covered.
Overview
It looks for NTLM-enabled web endpoints, sends a fake authentication request and enumerates the following information from the NTLMSSP response:
- AD Domain Name
- Server name
- DNS Domain Name
- FQDN
- Parent DNS Domain
Since it leverages a Python implementation of NTLMSSP, it eliminates the overhead of running the Nmap NSE script http-ntlm-info for every successful discovery. On every successful discovery of an NTLM-enabled web endpoint, the tool enumerates the domain information and saves it to a CSV file as follows:
| URL | Domain Name | Server Name | DNS Domain Name | FQDN | DNS Domain |
|---|---|---|---|---|---|
| https://contoso.com/EWS/ | XCORP | EXCHANGE01 | xcorp.contoso.net | EXCHANGE01.xcorp.contoso.net | contoso.net |
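The fields in that table come from the TargetInfo AV_PAIR list of the NTLM Type 2 (CHALLENGE_MESSAGE) that a server returns in its WWW-Authenticate header. The following is an added example, not code from the NTLMRecon project, that builds a constructed challenge message with the sample values above and parses it back into those columns; the flag value, the zeroed Version block and the fixed server challenge are assumptions made only to produce a well-formed message.

```python
import base64
import struct

# AvId values of the TargetInfo AV_PAIRs in an NTLM CHALLENGE_MESSAGE (MS-NLMP 2.2.2.1)
AV_EOL, AV_NB_COMPUTER, AV_NB_DOMAIN, AV_DNS_COMPUTER, AV_DNS_DOMAIN, AV_DNS_TREE = range(6)
# Map each AvId to the column NTLMRecon reports it under
FIELD_NAMES = {AV_NB_DOMAIN: "domain_name", AV_NB_COMPUTER: "server_name",
               AV_DNS_DOMAIN: "dns_domain_name", AV_DNS_COMPUTER: "fqdn",
               AV_DNS_TREE: "parent_dns_domain"}

def build_challenge(pairs):
    """Build a minimal CHALLENGE_MESSAGE around (AvId, text) pairs (constructed sample, not a capture)."""
    target_info = b""
    for av_id, text in pairs:
        value = text.encode("utf-16-le")
        target_info += struct.pack("<HH", av_id, len(value)) + value
    target_info += struct.pack("<HH", AV_EOL, 0)
    header_len = 56                                   # fixed fields incl. the 8-byte Version block
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)       # signature, MessageType = 2
    msg += struct.pack("<HHI", 0, 0, header_len)      # empty TargetName (Len, MaxLen, Offset)
    msg += struct.pack("<I", 0x02800205)              # UNICODE|REQUEST_TARGET|NTLM|TARGET_INFO|VERSION (assumed)
    msg += b"\x11" * 8 + b"\x00" * 8                  # ServerChallenge (fixed here), Reserved
    msg += struct.pack("<HHI", len(target_info), len(target_info), header_len)
    msg += b"\x00" * 8                                # Version block, zeroed for the example
    return msg + target_info

def parse_challenge(msg):
    """Walk the TargetInfo AV_PAIR list and return the fields NTLMRecon reports."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", msg, 40)
    fields, pos, end = {}, ti_off, min(ti_off + ti_len, len(msg))
    while pos + 4 <= end:                             # stop at EOL or a truncated list
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == AV_EOL:
            break
        if av_id in FIELD_NAMES:
            fields[FIELD_NAMES[av_id]] = msg[pos:pos + av_len].decode("utf-16-le", "replace")
        pos += av_len
    return fields

def encode_header(msg):
    """Wrap a message the way it travels in a WWW-Authenticate header."""
    return "NTLM " + base64.b64encode(msg).decode()

def parse_www_authenticate(header):
    """Decode the 'NTLM <base64>' WWW-Authenticate header value a server sends back."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM challenge header")
    return parse_challenge(base64.b64decode(token))
```

Feeding the parser a real header value shows exactly which internal names an exposed endpoint hands to any unauthenticated client, which is the information the table records.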
Installation
Arch
If you're on Arch Linux or any Arch Linux based distribution, you can grab the latest build from the AUR.
Generic Installation
- Clone the repository:
git clone https://github.com/sachinkamath/ntlmrecon/
- RECOMMENDED: install virtualenv:
pip install virtualenv
- Start a new virtual environment:
virtualenv venv
and activate it with:
source venv/bin/activate
- Run the setup file:
python setup.py install
- Run ntlmrecon:
ntlmrecon --help
Usage
usage: ntlmrecon [-h] [--input INPUT | --infile INFILE] [--wordlist WORDLIST]
[--threads THREADS] [--output-type] --outfile OUTFILE
[--random-user-agent] [--force-all] [--shuffle] [-f]
optional arguments:
-h, --help show this help message and exit
--input INPUT Pass input as an IP address, URL or CIDR to enumerate
NTLM endpoints
--infile INFILE Pass input from a local file
--wordlist WORDLIST Override the internal wordlist with a custom wordlist
--threads THREADS Set number of threads (Default: 10)
--output-type, -o Set output type. JSON (TODO) and CSV supported
(Default: CSV)
--outfile OUTFILE Set output file name (Default: ntlmrecon.csv)
--random-user-agent TODO: Randomize user agents when sending requests
(Default: False)
--force-all Force enumerate all endpoints even if a valid endpoint
is found for a URL (Default: False)
--shuffle Break order of the input files
-f, --force Force replace files
Example Usage
- Recon on a single URL
$ ntlmrecon --input https://mail.contoso.com --outfile ntlmrecon.csv
- Recon on a CIDR range or IP address
$ ntlmrecon --input 192.168.1.1/24 --outfile ntlmrecon-ranges.csv
- Recon on an input file
NTLMRecon automatically detects the type of input on each line and returns results for all of them. CIDR ranges are expanded automatically even when read from a text file.
The input file can be as mixed as:
mail.contoso.com
CONTOSOHOSTNAME
10.0.13.2/28
192.168.222.1/24
https://mail.contoso.com
To run recon with an input file, just run:
$ ntlmrecon --infile /path/to/input/file --outfile ntlmrecon-fromfile.csv