NTLMRecon is built with flexibilty in mind. A fast and flexible NTLM reconnaissance tool without external dependencies. Useful to find out information about NTLM endpoints when working with a large set of potential IP addresses and domains.
Need to run recon on a single URL, an IP address, an entire CIDR range or combination of all of it all put in a single input file? No problem! It got you covered.
Demo
Overview
It looks for NTLM enabled web endpoints, sends a fake authentication request and enumerates the following information from the NTLMSSP response:
Since it leverages a python implementation of NTLMSSP, it eliminates the overhead of running Nmap NSE http-ntlm-info
for every successful discovery. On every successful discovery of a NTLM enabled web endpoint, the tool enumerates and saves information about the domain as follows to a CSV file :
URL | Domain Name | Server Name | DNS Domain Name | FQDN | DNS Domain |
---|---|---|---|---|---|
https://contoso.com/EWS/ | XCORP | EXCHANGE01 | xcorp.contoso.net | EXCHANGE01.xcorp.contoso.net | contoso.net |
Installation
Arch
If you’re on Arch Linux or any Arch linux based distribution, you can grab the latest build from AUR
Generic Installation
git clone https://github.com/sachinkamath/ntlmrecon/
pip install virtualenv
virtualenv venv
and activate it with source venv/bin/activate
python setup.py install
ntlmrecon --help
Also Read – PrivescCheck : Privilege Escalation Enumeration Script for Windows
Usage
usage: ntlmrecon [-h] [–input INPUT | –infile INFILE] [–wordlist WORDLIST]
[–threads THREADS] [–output-type] –outfile OUTFILE
[–random-user-agent] [–force-all] [–shuffle] [-f]
optional arguments:
-h, –help show this help message and exit
–input INPUT Pass input as an IP address, URL or CIDR to enumerate
NTLM endpoints
–infile INFILE Pass input from a local file
–wordlist WORDLIST Override the internal wordlist with a custom wordlist
–threads THREADS Set number of threads (Default: 10)
–output-type, -o Set output type. JSON (TODO) and CSV supported
(Default: CSV)
–outfile OUTFILE Set output file name (Default: ntlmrecon.csv)
–random-user-agent TODO: Randomize user agents when sending requests
(Default: False)
–force-all Force enumerate all endpoints even if a valid endpoint
is found for a URL (Default : False)
–shuffle Break order of the input files
-f, –force Force replace files
Example Usage
$ ntlmrecon –input https://mail.contoso.com –outfile ntlmrecon.csv
$ ntlmrecon –input 192.168.1.1/24 –outfile ntlmrecon-ranges.csv
NTLM recon automatically detects the type of input per line and gives you results automatically. CIDR ranges are expanded automatically even when read from a text file.
Input file can be something as mixed up as :
mail.contoso.com
CONTOSOHOSTNAME
10.0.13.2/28
192.168.222.1/24
https://mail.contoso.com
To run recon with an input file, just run :
$ ntlmrecon –infile /path/to/input/file –outfile ntlmrecon-fromfile.csv
If you’re learning Bash scripting, one of the most useful features you’ll come across is…
If you are new to Bash scripting or Linux shell scripting, one of the most…
How Does a Firewall Work Step by Step? What Is a Firewall and How Does…
ROADTools is a powerful framework designed for exploring and interacting with Microsoft Azure Active Directory…
Microsoft 365 Groups (also known as M365 Groups or Unified Groups) are at the heart…
SeamlessPass is a specialized tool designed to leverage on-premises Active Directory Kerberos tickets to obtain…