An NTLM reconnaissance tool without external dependencies. Useful to find out information about NTLM endpoints when working with a large set of potential IP addresses and domains.
NTLMRecon is built with flexibility in mind. Need to run recon on a single URL, an IP address, an entire CIDR range, or a combination of all of these in a single input file? No problem! NTLMRecon has you covered. Read on.
NTLMRecon looks for NTLM-enabled web endpoints, sends a fake authentication request and enumerates the following fields from the NTLMSSP response:
- AD Domain Name
- Server name
- DNS Domain Name
- FQDN
- Parent DNS Domain
Since NTLMRecon leverages a Python implementation of NTLMSSP, it eliminates the overhead of running the Nmap NSE script http-ntlm-info for every successful discovery.
On every successful discovery of an NTLM-enabled web endpoint, the tool enumerates the domain information and saves it to a CSV file in the following format:

| URL | Domain Name | Server Name | DNS Domain Name | FQDN | DNS Domain |
|---|---|---|---|---|---|
| https://contoso.com/EWS/ | XCORP | EXCHANGE01 | xcorp.contoso.net | EXCHANGE01.xcorp.contoso.net | contoso.net |
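The fields in that table come from the AV_PAIR list (TargetInfo) inside the NTLMSSP CHALLENGE_MESSAGE that the server returns in its `WWW-Authenticate` header once a client offers NTLM. The following is an added example for this README, not NTLMRecon's own code: it builds the minimal negotiate message a client sends, parses a challenge header value, and maps the AV_PAIR ids onto the CSV columns above. The sample challenge is constructed to mirror the example row, not captured from a real server, and the `ServerChallenge` bytes are made up.

```python
"""Parse the NTLMSSP CHALLENGE_MESSAGE (Type 2) that an NTLM-enabled web endpoint
returns in its WWW-Authenticate header and extract the AV_PAIR fields that reveal
internal naming (MS-NLMP sections 2.2.1.2 and 2.2.2.1).
Added example for this README, not NTLMRecon's own code; the sample challenge
below is constructed, not a capture."""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_MESSAGE = 1
CHALLENGE_MESSAGE = 2

# AvId values from MS-NLMP 2.2.2.1 mapped onto the CSV columns used in this README.
AV_PAIR_COLUMNS = {
    0x0001: "Server Name",      # MsvAvNbComputerName (NetBIOS)
    0x0002: "Domain Name",      # MsvAvNbDomainName (NetBIOS)
    0x0003: "FQDN",             # MsvAvDnsComputerName
    0x0004: "DNS Domain Name",  # MsvAvDnsDomainName
    0x0005: "DNS Domain",       # MsvAvDnsTreeName (forest root / parent DNS domain)
}


def build_negotiate_message() -> bytes:
    """Minimal Type 1 message, the 'fake authentication request' that provokes a challenge.
    Flags: NEGOTIATE_UNICODE | NEGOTIATE_OEM | NEGOTIATE_NTLM; empty domain/workstation fields."""
    flags = 0x00000001 | 0x00000002 | 0x00000200
    empty_field = struct.pack("<HHI", 0, 0, 32)  # Len, MaxLen, BufferOffset (past the 32-byte header)
    return NTLMSSP_SIGNATURE + struct.pack("<II", NEGOTIATE_MESSAGE, flags) + empty_field * 2


def parse_av_pairs(blob: bytes) -> dict:
    """Walk the TargetInfo list of AV_PAIRs: AvId(2) AvLen(2) Value, ended by MsvAvEOL (0)."""
    fields = {}
    pos = 0
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:
            break
        if pos + av_len > len(blob):
            raise ValueError("AV_PAIR length runs past the end of TargetInfo")
        if av_id in AV_PAIR_COLUMNS:
            fields[AV_PAIR_COLUMNS[av_id]] = blob[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return fields


def parse_challenge_message(msg: bytes) -> dict:
    """Validate a Type 2 message and return the naming fields from its TargetInfo."""
    if len(msg) < 48 or not msg.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != CHALLENGE_MESSAGE:
        raise ValueError(f"expected CHALLENGE_MESSAGE (2), got {msg_type}")
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", msg, 40)  # TargetInfoFields
    if ti_off + ti_len > len(msg):
        raise ValueError("TargetInfo offset/length points outside the message")
    return parse_av_pairs(msg[ti_off:ti_off + ti_len])


def parse_www_authenticate(header_value: str) -> dict:
    """Accept a raw 'WWW-Authenticate: NTLM <base64>' value and decode the token."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("header does not carry an NTLM challenge token")
    return parse_challenge_message(base64.b64decode(token))


def _av_pair(av_id: int, text: str) -> bytes:
    data = text.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(data)) + data


def build_sample_challenge() -> bytes:
    """Constructed Type 2 message mirroring the README's example CSV row."""
    target_name = "XCORP".encode("utf-16-le")
    target_info = (_av_pair(0x0002, "XCORP") + _av_pair(0x0001, "EXCHANGE01")
                   + _av_pair(0x0004, "xcorp.contoso.net")
                   + _av_pair(0x0003, "EXCHANGE01.xcorp.contoso.net")
                   + _av_pair(0x0005, "contoso.net") + struct.pack("<HH", 0, 0))
    header_len = 56  # signature through Version: all fixed-size fields
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE_MESSAGE)
    msg += struct.pack("<HHI", len(target_name), len(target_name), header_len)  # TargetNameFields
    msg += struct.pack("<I", 0x00000001 | 0x00800000)  # NEGOTIATE_UNICODE | NEGOTIATE_TARGET_INFO
    msg += bytes(range(8)) + b"\x00" * 8  # ServerChallenge (made up) + Reserved
    msg += struct.pack("<HHI", len(target_info), len(target_info), header_len + len(target_name))
    msg += b"\x00" * 8  # Version (zeroed in this sample)
    return msg + target_name + target_info


def sample_header() -> str:
    """The constructed challenge as it would appear in a WWW-Authenticate header value."""
    return "NTLM " + base64.b64encode(build_sample_challenge()).decode("ascii")


if __name__ == "__main__":
    for column, value in parse_www_authenticate(sample_header()).items():
        print(f"{column}: {value}")
```

The parser checks the signature, message type and the TargetInfo offset/length before walking the AV_PAIRs, so a truncated or malformed challenge raises instead of reading past the buffer. From a defender's side, the same parser run over your own endpoints' challenge responses shows exactly which internal names an unauthenticated client can learn.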
NTLMRecon is already packaged for BlackArch and can be installed by running `pacman -S ntlmrecon`. To install from source:
- Clone the repository:
  ```
  git clone https://github.com/pwnfoo/ntlmrecon/
  ```
- RECOMMENDED - Install virtualenv:
  ```
  pip install virtualenv
  ```
- Start a new virtual environment:
  ```
  virtualenv venv
  ```
  and activate it with `source venv/bin/activate`
- Run the setup file:
  ```
  python setup.py install
  ```
- Run ntlmrecon:
  ```
  ntlmrecon --help
  ```
```
$ ntlmrecon --input https://mail.contoso.com --outfile ntlmrecon.csv
$ ntlmrecon --input 192.168.1.1/24 --outfile ntlmrecon-ranges.csv
```
The tool automatically detects the type of input per line and acts accordingly. CIDR ranges are expanded by default (please note that there is no de-duplication baked in just yet!).
P.S. It handles a mixed input like this well:
```
mail.contoso.com CONTOSOHOSTNAME 10.0.13.2/28 192.168.222.1/24 https://mail.contoso.com
```
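To make the per-token detection and CIDR expansion concrete, here is an added example (not NTLMRecon's own code) that classifies each whitespace-separated token as a URL, single IP, CIDR range or hostname, expands ranges with the standard-library `ipaddress` module, and de-duplicates the result, which the tool itself does not do yet. The input is constructed from the mixed line above plus an overlapping range and a repeated hostname so the de-duplication is visible.

```python
"""Classify each whitespace-separated token of an input file as a URL, single IP,
CIDR range or hostname, expand CIDR ranges to host addresses and de-duplicate
the result while keeping input order.
Added example for this README, not NTLMRecon's own code; the input is constructed."""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed input: the README's mixed line plus an overlapping range and a repeat.
SAMPLE_INPUT = """\
mail.contoso.com CONTOSOHOSTNAME 10.0.13.2/28 192.168.222.1/24 https://mail.contoso.com
10.0.13.0/29 mail.contoso.com
"""


def classify(token: str) -> Tuple[str, str]:
    """Return (kind, value) where kind is one of: url, cidr, ip, hostname."""
    if token.lower().startswith(("http://", "https://")):
        return "url", token
    if "/" in token:
        try:
            # strict=False accepts a host address inside the range, e.g. 10.0.13.2/28
            return "cidr", str(ipaddress.ip_network(token, strict=False))
        except ValueError:
            return "hostname", token  # something like a URL path without a scheme
    try:
        return "ip", str(ipaddress.ip_address(token))
    except ValueError:
        return "hostname", token


def expand_targets(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Expand every line into (kind, target) pairs, dropping duplicates across lines
    and across overlapping CIDR ranges; first occurrence wins, order is preserved."""
    seen = set()
    targets: List[Tuple[str, str]] = []

    def add(kind: str, value: str) -> None:
        key = (kind, value)
        if key not in seen:
            seen.add(key)
            targets.append(key)

    for line in lines:
        for token in line.split():
            kind, value = classify(token)
            if kind == "cidr":
                # hosts() skips the network and broadcast addresses of the range
                for host in ipaddress.ip_network(value).hosts():
                    add("ip", str(host))
            else:
                add(kind, value)
    return targets


if __name__ == "__main__":
    for kind, target in expand_targets(SAMPLE_INPUT.splitlines()):
        print(f"{kind:8} {target}")
```

Keying the de-duplication on `(kind, value)` keeps `mail.contoso.com` as a hostname and `https://mail.contoso.com` as a URL, because the two are probed differently, while the six hosts of the overlapping `10.0.13.0/29` collapse into the `/28` already expanded.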
- Implement an aiohttp-based solution for sending requests
- Integrate a spraying library
- Add other authentication schemes found to the output
- Automatic detection of autodiscover domains if domain