Kali Linux

NTLMRecon : Enumerate Information From NTLM Authentication Enabled Web Endpoints

NTLMRecon is a fast and flexible NTLM reconnaissance tool without external dependencies. Useful to find out information about NTLM endpoints when working with a large set of potential IP addresses and domains.

NTLMRecon is built with flexibilty in mind. Need to run recon on a single URL, an IP address, an entire CIDR range or combination of all of it all put in a single input file? No problem! NTLMRecon got you covered. Read on.

NTLMRecon looks for NTLM enabled web endpoints, sends a fake authentication request and enumerates the following information from the NTLMSSP response:

  • AD Domain Name
  • Server name
  • DNS Domain Name
  • FQDN
  • Parent DNS Domain

Since NTLMRecon leverages a python implementation of NTLMSSP, it eliminates the overhead of running Nmap NSE http-ntlm-info for every successful discovery.

On every successful discovery of a NTLM enabled web endpoint, the tool enumerates and saves information about the domain as follows to a CSV file :

URLDomain NameServer NameDNS Domain NameFQDNDNS Domain
https://contoso.com/EWS/XCORPEXCHANGE01xcorp.contoso.netEXCHANGE01.xcorp.contoso.netcontoso.net

Installation

BlackArch

NTLMRecon is already packaged for BlackArch and can be installed by running pacman -S ntlmrecon

Arch

If you’re on Arch Linux or any Arch linux based distribution, you can grab the latest build from the Arch User Repository.

Build from source

  • Clone the repository : git clone https://github.com/pwnfoo/ntlmrecon/
  • RECOMMENDED – Install virtualenv : pip install virtualenv
  • Start a new virtual environment : virtualenv venv and activate it with source venv/bin/activate
  • Run the setup file : python setup.py install
  • Run ntlmrecon : ntlmrecon --help

Usage

$ ntlmrecon –help
_ _ _
| \ | |
| | | \/ || \
| | | | | | | | . . || |/ / _
| . ` | | | | | | |\/| || // _ \/ / _ | ‘_ \ | |\ | | | | || | | || |\ \ / (| () | | | | _| _/ _/ _/_| |/_| ___|______/|| || – @pwnfoo
v.0.4 beta – Y’all still exposing NTLM endpoints?
Bug Reports, Feature Requests : https://git.io/JIR5z
usage: ntlmrecon [-h] [–input INPUT | –infile INFILE] [–wordlist WORDLIST]
[–threads THREADS] [–output-type] [–outfile OUTFILE]
[–random-user-agent] [–force-all] [–shuffle] [-f]
optional arguments:
-h, –help show this help message and exit
–input INPUT, -i INPUT
Pass input as an IP address, URL or CIDR to enumerate
NTLM endpoints
–infile INFILE, -I INFILE
Pass input from a local file
–wordlist WORDLIST Override the internal wordlist with a custom wordlist
–threads THREADS Set number of threads (Default: 10)
–output-type, -o Set output type. JSON (TODO) and CSV supported
(Default: CSV)
–outfile OUTFILE, -O OUTFILE
Set output file name (Default: ntlmrecon.csv)
–random-user-agent TODO: Randomize user agents when sending requests
(Default: False)
–force-all Force enumerate all endpoints even if a valid endpoint
is found for a URL (Default : False)
–shuffle Break order of the input files
-f, –force
Force replace output file if it already exists

Example Usage

Recon on a single URL

$ ntlmrecon --input https://mail.contoso.com --outfile ntlmrecon.csv

Recon on a CIDR range or IP address

$ ntlmrecon --input 192.168.1.1/24 --outfile ntlmrecon-ranges.csv

Recon on an input file

The tool automatically detects the type of input per line and takes actions accordingly. CIDR ranges are expanded by default (please note that there is no de-duplication baked in just yet!)

Input file can be something as mixed up as :

mail.contoso.com
CONTOSOHOSTNAME
10.0.13.2/28
192.168.222.1/24
https://mail.contoso.com

To run recon with an input file, just run :

$ ntlmrecon –infile /path/to/input/file –outfile ntlmrecon-fromfile.csv

R K

Recent Posts

Playwright-MCP : A Powerful Tool For Browser Automation

Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…

2 weeks ago

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

2 weeks ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

2 weeks ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

2 weeks ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

2 weeks ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

2 weeks ago