NTLMRecon is built with flexibilty in mind. A fast and flexible NTLM reconnaissance tool without external dependencies. Useful to find out information about NTLM endpoints when working with a large set of potential IP addresses and domains.
Need to run recon on a single URL, an IP address, an entire CIDR range or combination of all of it all put in a single input file? No problem! It got you covered.
Demo
Overview
It looks for NTLM enabled web endpoints, sends a fake authentication request and enumerates the following information from the NTLMSSP response:
Since it leverages a python implementation of NTLMSSP, it eliminates the overhead of running Nmap NSE http-ntlm-info for every successful discovery. On every successful discovery of a NTLM enabled web endpoint, the tool enumerates and saves information about the domain as follows to a CSV file :
| URL | Domain Name | Server Name | DNS Domain Name | FQDN | DNS Domain |
|---|---|---|---|---|---|
| https://contoso.com/EWS/ | XCORP | EXCHANGE01 | xcorp.contoso.net | EXCHANGE01.xcorp.contoso.net | contoso.net |
Installation
Arch
If you’re on Arch Linux or any Arch linux based distribution, you can grab the latest build from AUR
Generic Installation
git clone https://github.com/sachinkamath/ntlmrecon/pip install virtualenvvirtualenv venv and activate it with source venv/bin/activatepython setup.py installntlmrecon --helpAlso Read – PrivescCheck : Privilege Escalation Enumeration Script for Windows
Usage
usage: ntlmrecon [-h] [–input INPUT | –infile INFILE] [–wordlist WORDLIST]
[–threads THREADS] [–output-type] –outfile OUTFILE
[–random-user-agent] [–force-all] [–shuffle] [-f]
optional arguments:
-h, –help show this help message and exit
–input INPUT Pass input as an IP address, URL or CIDR to enumerate
NTLM endpoints
–infile INFILE Pass input from a local file
–wordlist WORDLIST Override the internal wordlist with a custom wordlist
–threads THREADS Set number of threads (Default: 10)
–output-type, -o Set output type. JSON (TODO) and CSV supported
(Default: CSV)
–outfile OUTFILE Set output file name (Default: ntlmrecon.csv)
–random-user-agent TODO: Randomize user agents when sending requests
(Default: False)
–force-all Force enumerate all endpoints even if a valid endpoint
is found for a URL (Default : False)
–shuffle Break order of the input files
-f, –force Force replace files
Example Usage
$ ntlmrecon –input https://mail.contoso.com –outfile ntlmrecon.csv
$ ntlmrecon –input 192.168.1.1/24 –outfile ntlmrecon-ranges.csv
NTLM recon automatically detects the type of input per line and gives you results automatically. CIDR ranges are expanded automatically even when read from a text file.
Input file can be something as mixed up as :
mail.contoso.com
CONTOSOHOSTNAME
10.0.13.2/28
192.168.222.1/24
https://mail.contoso.com
To run recon with an input file, just run :
$ ntlmrecon –infile /path/to/input/file –outfile ntlmrecon-fromfile.csv
Introduction Bash scripting is a powerful way to automate Linux tasks, but writing a script…
Introduction A self-signed SSL certificate is a certificate that is created and signed by the…
Introduction Debugging is an important part of Bash scripting. When a script does not work…
Introduction Cron jobs are used in Linux to run commands or Bash scripts automatically at…
Introduction Pipes are an important feature in Linux and Bash scripting. A pipe allows you…
Introduction The grep, awk, and sed commands are powerful text-processing tools in Linux. They are…