Skip to main content

A tool to enumerate information from NTLM authentication enabled web endpoints

Project description

PRs Welcome License: MIT Maintenance

NTLMRecon

A fast and flexible NTLM reconnaissance tool without external dependencies. Useful to find out information about NTLM endpoints when working with a large set of potential IP addresses and domains.

NTLMRecon is built with flexibilty in mind. Need to run recon on a single URL, an IP address, an entire CIDR range or combination of all of it all put in a single input file? No problem! NTLMRecon got you covered. Read on.

Demo

asciicast

Overview

NTLMRecon looks for NTLM enabled web endpoints, sends a fake authentication request and enumerates the following information from the NTLMSSP response:

  1. AD Domain Name
  2. Server name
  3. DNS Domain Name
  4. FQDN
  5. Parent DNS Domain

Since NTLMRecon leverages a python implementation of NTLMSSP, it eliminates the overhead of running Nmap NSE http-ntlm-info for every successful discovery.

On every successful discovery of a NTLM enabled web endpoint, the tool enumerates and saves information about the domain as follows to a CSV file :

URL Domain Name Server Name DNS Domain Name FQDN DNS Domain
https://contoso.com/EWS/ XCORP EXCHANGE01 xcorp.contoso.net EXCHANGE01.xcorp.contoso.net contoso.net

Installation

BlackArch

NTLMRecon is already packaged for BlackArch and can be installed by running pacman -S ntlmrecon

Arch

If you're on Arch Linux or any Arch linux based distribution, you can grab the latest build from the Arch User Repository.

Generic Installation

  1. Clone the repository : git clone https://github.com/sachinkamath/ntlmrecon/
  2. RECOMMENDED - Install virtualenv : pip install virtualenv
  3. Start a new virtual environment : virtualenv venv and activate it with source venv/bin/activate
  4. Run the setup file : python setup.py install
  5. Run ntlmrecon : ntlmrecon --help

Usage

         _   _ _____ _     ___  _________                     
        | \ | |_   _| |    |  \/  || ___ \                    
        |  \| | | | | |    | .  . || |_/ /___  ___ ___  _ __  
        | . ` | | | | |    | |\/| ||    // _ \/ __/ _ \| '_ \ 
        | |\  | | | | |____| |  | || |\ \  __/ (_| (_) | | | |
        \_| \_/ \_/ \_____/\_|  |_/\_| \_\___|\___\___/|_| |_|

             v.0.2 beta - Y'all still exposing NTLM endpoints?

usage: ntlmrecon [-h] [--input INPUT | --infile INFILE] [--wordlist WORDLIST]
                 [--threads THREADS] [--output-type] --outfile OUTFILE
                 [--random-user-agent] [--force-all] [--shuffle] [-f]

optional arguments:
  -h, --help           show this help message and exit
  --input INPUT        Pass input as an IP address, URL or CIDR to enumerate
                       NTLM endpoints
  --infile INFILE      Pass input from a local file
  --wordlist WORDLIST  Override the internal wordlist with a custom wordlist
  --threads THREADS    Set number of threads (Default: 10)
  --output-type, -o    Set output type. JSON (TODO) and CSV supported
                       (Default: CSV)
  --outfile OUTFILE    Set output file name (Default: ntlmrecon.csv)
  --random-user-agent  TODO: Randomize user agents when sending requests
                       (Default: False)
  --force-all          Force enumerate all endpoints even if a valid endpoint
                       is found for a URL (Default : False)
  --shuffle            Break order of the input files
  -f, --force          Force replace files


Example Usage

Recon on a single URL

$ ntlmrecon --input https://mail.contoso.com --outfile ntlmrecon.csv

Recon on a CIDR range or IP address

$ ntlmrecon --input 192.168.1.1/24 --outfile ntlmrecon-ranges.csv

Recon on an input file

The tool automatically detects the type of input per line and gives you results automatically. CIDR ranges are expanded automatically even when read from a text file.

Input file can be something as mixed up as :

mail.contoso.com
CONTOSOHOSTNAME
10.0.13.2/28
192.168.222.1/24
https://mail.contoso.com

To run recon with an input file, just run :

$ ntlmrecon --infile /path/to/input/file --outfile ntlmrecon-fromfile.csv

Acknowledgements

Feedback

If you'd like to see a feature added into the tool or something doesn't work for you, please open a new issue.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ntlmrecon-0.2.1b0.tar.gz (11.7 kB view details)

Uploaded Source

Built Distribution

ntlmrecon-0.2.1b0-py3-none-any.whl (11.3 kB view details)

Uploaded Python 3

File details

Details for the file ntlmrecon-0.2.1b0.tar.gz.

File metadata

  • Download URL: ntlmrecon-0.2.1b0.tar.gz
  • Upload date:
  • Size: 11.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.23.0 setuptools/45.3.0 requests-toolbelt/0.9.1 tqdm/4.43.0 CPython/3.8.2

File hashes

Hashes for ntlmrecon-0.2.1b0.tar.gz
Algorithm Hash digest
SHA256 2f20bbb6a37c4996885a0ccdede779bdb8ce5a30727c59edebdcdd0d19037832
MD5 cab42b79348ed234411b9b77415101a8
BLAKE2b-256 0d2733240545ae1636982b2383330645031614a9349aa44ff4e9076758a3d35d

See more details on using hashes here.

File details

Details for the file ntlmrecon-0.2.1b0-py3-none-any.whl.

File metadata

  • Download URL: ntlmrecon-0.2.1b0-py3-none-any.whl
  • Upload date:
  • Size: 11.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.23.0 setuptools/45.3.0 requests-toolbelt/0.9.1 tqdm/4.43.0 CPython/3.8.2

File hashes

Hashes for ntlmrecon-0.2.1b0-py3-none-any.whl
Algorithm Hash digest
SHA256 707d51c700bfc6c49456e70befb2fb60ecce685f12ac03042905e4a770f0330f
MD5 a62de1d7ad5d8cfcfcd8316954201e3a
BLAKE2b-256 1018246808e038b831462a8fa712c9b9dba0c35379e5855716df55af16861cf1

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page