sachinkamath/NTLMRecon
A tool to enumerate information from NTLM authentication enabled web endpoints
| repo name | sachinkamath/NTLMRecon |
| repo link | https://github.com/sachinkamath/NTLMRecon |
| homepage | |
| language | Python |
| size (curr.) | 68 kB |
| stars (curr.) | 148 |
| created | 2019-12-01 |
| license | MIT License |
NTLMRecon
A fast and flexible NTLM reconnaissance tool without external dependencies. Useful to find out information about NTLM endpoints when working with a large set of potential IP addresses and domains.
NTLMRecon is built with flexibilty in mind. Need to run recon on a single URL, an IP address, an entire CIDR range or combination of all of it all put in a single input file? No problem! NTLMRecon got you covered. Read on.
Demo
Overview
NTLMRecon looks for NTLM enabled web endpoints, sends a fake authentication request and enumerates the following information from the NTLMSSP response:
- AD Domain Name
- Server name
- DNS Domain Name
- FQDN
- Parent DNS Domain
Since NTLMRecon leverages a python implementation of NTLMSSP, it eliminates the overhead of running Nmap NSE http-ntlm-info for every successful discovery.
On every successful discovery of a NTLM enabled web endpoint, the tool enumerates and saves information about the domain as follows to a CSV file :
| URL | Domain Name | Server Name | DNS Domain Name | FQDN | DNS Domain |
|---|---|---|---|---|---|
| https://contoso.com/EWS/ | XCORP | EXCHANGE01 | xcorp.contoso.net | EXCHANGE01.xcorp.contoso.net | contoso.net |
Installation
BlackArch
NTLMRecon is already packaged for BlackArch and can be installed by running pacman -S ntlmrecon
Arch
If you’re on Arch Linux or any Arch linux based distribution, you can grab the latest build from the Arch User Repository.
PyPI
You can simply run pip install ntlmrecon to fetch the latest build from PyPI
Build from source
- Clone the repository :
git clone https://github.com/sachinkamath/ntlmrecon/ - RECOMMENDED - Install virtualenv :
pip install virtualenv - Start a new virtual environment :
virtualenv venvand activate it withsource venv/bin/activate - Run the setup file :
python setup.py install - Run ntlmrecon :
ntlmrecon --help
Usage
Example Usage
Recon on a single URL
$ ntlmrecon --input https://mail.contoso.com --outfile ntlmrecon.csv
Recon on a CIDR range or IP address
$ ntlmrecon --input 192.168.1.1/24 --outfile ntlmrecon-ranges.csv
Recon on an input file
The tool automatically detects the type of input per line and gives you results automatically. CIDR ranges are expanded automatically even when read from a text file.
Input file can be something as mixed up as :
To run recon with an input file, just run :
$ ntlmrecon --infile /path/to/input/file --outfile ntlmrecon-fromfile.csv
Acknowledgements
Feedback
If you’d like to see a feature added into the tool or something doesn’t work for you, please open a new issue.
