NTLMRecon : Tool To Enumerate Information From NTLM Authentication Enabled Web Endpoints

NTLMRecon is built with flexibilty in mind. A fast and flexible NTLM reconnaissance tool without external dependencies. Useful to find out information about NTLM endpoints when working with a large set of potential IP addresses and domains.

Need to run recon on a single URL, an IP address, an entire CIDR range or combination of all of it all put in a single input file? No problem! It got you covered.

Demo

Overview

It looks for NTLM enabled web endpoints, sends a fake authentication request and enumerates the following information from the NTLMSSP response:

AD Domain Name
Server name
DNS Domain Name
FQDN
Parent DNS Domain

Since it leverages a python implementation of NTLMSSP, it eliminates the overhead of running Nmap NSE http-ntlm-info for every successful discovery. On every successful discovery of a NTLM enabled web endpoint, the tool enumerates and saves information about the domain as follows to a CSV file :

URL	Domain Name	Server Name	DNS Domain Name	FQDN	DNS Domain
https://contoso.com/EWS/	XCORP	EXCHANGE01	xcorp.contoso.net	EXCHANGE01.xcorp.contoso.net	contoso.net

Installation

Arch

If you’re on Arch Linux or any Arch linux based distribution, you can grab the latest build from AUR

Generic Installation

Clone the repository – git clone https://github.com/sachinkamath/ntlmrecon/
RECOMMENDED – Install virtualenv pip install virtualenv
Start a new virtual environment – virtualenv venv and activate it with source venv/bin/activate
Run the setup file – python setup.py install
Run ntlmrecon – ntlmrecon --help

Also Read – PrivescCheck : Privilege Escalation Enumeration Script for Windows

Usage

usage: ntlmrecon [-h] [–input INPUT | –infile INFILE] [–wordlist WORDLIST]
[–threads THREADS] [–output-type] –outfile OUTFILE
[–random-user-agent] [–force-all] [–shuffle] [-f]
optional arguments:
-h, –help show this help message and exit
–input INPUT Pass input as an IP address, URL or CIDR to enumerate
NTLM endpoints
–infile INFILE Pass input from a local file
–wordlist WORDLIST Override the internal wordlist with a custom wordlist
–threads THREADS Set number of threads (Default: 10)
–output-type, -o Set output type. JSON (TODO) and CSV supported
(Default: CSV)
–outfile OUTFILE Set output file name (Default: ntlmrecon.csv)
–random-user-agent TODO: Randomize user agents when sending requests
(Default: False)
–force-all Force enumerate all endpoints even if a valid endpoint
is found for a URL (Default : False)
–shuffle Break order of the input files
-f, –force Force replace files

Example Usage

Recon on a single URL

$ ntlmrecon –input https://mail.contoso.com –outfile ntlmrecon.csv

Recon on a CIDR range or IP address

$ ntlmrecon –input 192.168.1.1/24 –outfile ntlmrecon-ranges.csv

Recon on an input file

NTLM recon automatically detects the type of input per line and gives you results automatically. CIDR ranges are expanded automatically even when read from a text file.

Input file can be something as mixed up as :

mail.contoso.com
CONTOSOHOSTNAME
10.0.13.2/28
192.168.222.1/24
https://mail.contoso.com

To run recon with an input file, just run :

$ ntlmrecon –infile /path/to/input/file –outfile ntlmrecon-fromfile.csv

Download

R K