NTLMRecon : Tool To Enumerate Information From NTLM Authentication Enabled Web Endpoints

NTLMRecon is built with flexibility in mind: a fast and flexible NTLM reconnaissance tool with no external dependencies. It is useful for finding out information about NTLM endpoints when working with a large set of potential IP addresses and domains.

Need to run recon on a single URL, an IP address, an entire CIDR range, or a combination of all of these in a single input file? No problem, it has you covered.

Overview

It looks for NTLM-enabled web endpoints, sends a fake authentication request, and enumerates the following information from the NTLMSSP response:

  • AD Domain Name
  • Server name
  • DNS Domain Name
  • FQDN
  • Parent DNS Domain

Since it leverages a Python implementation of NTLMSSP, it eliminates the overhead of running the Nmap NSE script http-ntlm-info for every successful discovery. On every successful discovery of an NTLM-enabled web endpoint, the tool enumerates the information about the domain and saves it to a CSV file as follows:

URL | Domain Name | Server Name | DNS Domain Name | FQDN | DNS Domain
https://contoso.com/EWS/ | XCORP | EXCHANGE01 | xcorp.contoso.net | EXCHANGE01.xcorp.contoso.net | contoso.net
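The parsing step described above, as an added example that is not NTLMRecon's own code: a small Python parser for the NTLMSSP type 2 challenge an endpoint returns in its WWW-Authenticate header, pulling the same five fields out of the message's AV_PAIR list (this is what an auditor checks when reviewing what an exposed endpoint discloses). The sample message is constructed inline from the CSV row values rather than captured from a real server, and the AV_IDS column names and build_sample_challenge helper are assumptions of this example.

```python
import base64
import struct

# AvId -> NTLMRecon column name (AV_PAIR ids from MS-NLMP 2.2.2.1); names are ours
AV_IDS = {1: "server_name", 2: "domain_name", 3: "fqdn",
          4: "dns_domain_name", 5: "parent_dns_domain"}

def parse_ntlm_challenge(header_value):
    """Parse a 'WWW-Authenticate: NTLM <base64>' value; return the target info."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("no NTLM message in header (a bare 'NTLM' carries none)")
    msg = base64.b64decode(token)
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE (type 2)")
    # TargetInfoFields at offset 40: Len (2), MaxLen (2), BufferOffset (4)
    info_len, _, info_off = struct.unpack_from("<HHI", msg, 40)
    info = msg[info_off:info_off + info_len]
    fields, pos = {}, 0
    while pos + 4 <= len(info):
        av_id, av_len = struct.unpack_from("<HH", info, pos)
        pos += 4
        if av_id == 0:              # MsvAvEOL terminates the list
            break
        if av_id in AV_IDS:         # string AV_PAIRs are UTF-16LE
            fields[AV_IDS[av_id]] = info[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return fields

def build_sample_challenge(pairs):
    """Assemble a minimal, constructed type 2 message (not a real capture)."""
    info = b""
    for av_id, text in pairs:
        raw = text.encode("utf-16-le")
        info += struct.pack("<HH", av_id, len(raw)) + raw
    info += struct.pack("<HH", 0, 0)                      # MsvAvEOL
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)           # signature, MessageType
    msg += struct.pack("<HHI", 0, 0, 48)                  # empty TargetNameFields
    msg += struct.pack("<I", 0x00800205)                  # UNICODE|REQUEST_TARGET|NTLM|TARGET_INFO
    msg += b"\x11" * 8 + b"\x00" * 8                      # ServerChallenge (constructed), Reserved
    msg += struct.pack("<HHI", len(info), len(info), 48)  # TargetInfoFields -> payload at 48
    return "NTLM " + base64.b64encode(msg + info).decode()

# Sample values taken from the CSV row shown on this page.
SAMPLE_PAIRS = [(2, "XCORP"), (1, "EXCHANGE01"), (4, "xcorp.contoso.net"),
                (3, "EXCHANGE01.xcorp.contoso.net"), (5, "contoso.net")]
```

Calling parse_ntlm_challenge(build_sample_challenge(SAMPLE_PAIRS)) yields the five columns of the CSV row; a header that is just "NTLM" (the first round trip of a real exchange) raises instead of returning an empty result.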

Installation

Arch

If you're on Arch Linux or any Arch Linux based distribution, you can grab the latest build from the AUR.

Generic Installation

  • Clone the repository – git clone https://github.com/sachinkamath/ntlmrecon/
  • RECOMMENDED – install virtualenv with pip install virtualenv
  • Start a new virtual environment – virtualenv venv – and activate it with source venv/bin/activate
  • Run the setup file – python setup.py install
  • Run ntlmrecon – ntlmrecon --help

Usage

usage: ntlmrecon [-h] [--input INPUT | --infile INFILE] [--wordlist WORDLIST]
                 [--threads THREADS] [--output-type] --outfile OUTFILE
                 [--random-user-agent] [--force-all] [--shuffle] [-f]

optional arguments:
  -h, --help            show this help message and exit
  --input INPUT         Pass input as an IP address, URL or CIDR to enumerate
                        NTLM endpoints
  --infile INFILE       Pass input from a local file
  --wordlist WORDLIST   Override the internal wordlist with a custom wordlist
  --threads THREADS     Set number of threads (Default: 10)
  --output-type, -o     Set output type. JSON (TODO) and CSV supported
                        (Default: CSV)
  --outfile OUTFILE     Set output file name (Default: ntlmrecon.csv)
  --random-user-agent   TODO: Randomize user agents when sending requests
                        (Default: False)
  --force-all           Force enumerate all endpoints even if a valid endpoint
                        is found for a URL (Default: False)
  --shuffle             Break order of the input files
  -f, --force           Force replace files

Example Usage

  • Recon on a single URL

$ ntlmrecon --input https://mail.contoso.com --outfile ntlmrecon.csv

  • Recon on a CIDR range or IP address

$ ntlmrecon --input 192.168.1.1/24 --outfile ntlmrecon-ranges.csv

  • Recon on an input file

NTLMRecon automatically detects the type of input on each line and returns results for all of them. CIDR ranges are expanded automatically even when read from a text file.

The input file can be as mixed as this:

mail.contoso.com
CONTOSOHOSTNAME
10.0.13.2/28
192.168.222.1/24
https://mail.contoso.com

To run recon with an input file, just run:

$ ntlmrecon --infile /path/to/input/file --outfile ntlmrecon-fromfile.csv