pwnfoo / ntlmrecon Goto Github PK

Enumerate information from NTLM authentication enabled web endpoints 🔎

License: MIT License

Python 100.00%

redteam ntlm security cybersecurity reconnaissance recon tools osint enumeration hacking

ntlmrecon's Introduction

NTLMRecon

An NTLM reconnaissance tool without external dependencies. Useful to find out information about NTLM endpoints when working with a large set of potential IP addresses and domains.

NTLMRecon is built with flexibilty in mind. Need to run recon on a single URL, an IP address, an entire CIDR range or combination of all of it all put in a single input file? No problem! NTLMRecon got you covered. Read on.

Overview

NTLMRecon looks for NTLM enabled web endpoints, sends a fake authentication request and enumerates the following information from the NTLMSSP response:

AD Domain Name
Server name
DNS Domain Name
FQDN
Parent DNS Domain

Since NTLMRecon leverages a python implementation of NTLMSSP, it eliminates the overhead of running Nmap NSE http-ntlm-info for every successful discovery.

On every successful discovery of a NTLM enabled web endpoint, the tool enumerates and saves information about the domain as follows to a CSV file :

URL	Domain Name	Server Name	DNS Domain Name	FQDN	DNS Domain
https://contoso.com/EWS/	XCORP	EXCHANGE01	xcorp.contoso.net	EXCHANGE01.xcorp.contoso.net	contoso.net

Installation

BlackArch

NTLMRecon is already packaged for BlackArch and can be installed by running pacman -S ntlmrecon

Build from source

Clone the repository : git clone https://github.com/pwnfoo/ntlmrecon/
RECOMMENDED - Install virtualenv : pip install virtualenv
Start a new virtual environment : virtualenv venv and activate it with source venv/bin/activate
Run the setup file : python setup.py install
Run ntlmrecon : ntlmrecon --help

Example Usage

Recon on a single URL

$ ntlmrecon --input https://mail.contoso.com --outfile ntlmrecon.csv

Recon on a CIDR range or IP address

$ ntlmrecon --input 192.168.1.1/24 --outfile ntlmrecon-ranges.csv

Recon on an input file

The tool automatically detects the type of input per line and takes actions accordingly. CIDR ranges are expanded by default (please note that there is no de-duplication baked in just yet!)

P.S Handles a good mix like this well :

mail.contoso.com
CONTOSOHOSTNAME
10.0.13.2/28
192.168.222.1/24
https://mail.contoso.com

TODO

Implement aiohttp based solution for sending requests
Integrate a spraying library
Add other authentication schemes found to the output
Automatic detection of autodiscover domains if domain

Acknowledgements

@nyxgeek for the idea behind ntlmscan.

ntlmrecon's People

Contributors

Stargazers

Watchers

Forkers

jonathanzhou348 dskho chouaibhm vysecurity rhankare shantanu561993 sasqwatch techknowclub marciopocebon zshell mlynchcogent rajivraj 5l1v3r1 sagar-jangam c0axx darknesschieftain reanimat0r jermainlaforce masterscott polling-repo-continua techris45 th3cyb3rc0p jcartes tubbz-alt reewardius jenetiks hackinfinity x0xr00t ziqi521 nosorry hartl3y94 tommalvoriddle zephrfish reverse-ex bbhunter slooppe itzbawantha kopfjager007 tmp63498 sandromelobrazil josegzf y0d4a ghost5683 ipc-security startagain2016 filipesam zha0 jrandomsage m4rvxpn hdys0vn dagda76 mellonaut unclenull ramirezrick oakkaya puzzlepeaches m00zh33 cyb3rm3g c0de-sin wisdark ongyuann apollon33

ntlmrecon's Issues

Connection breaks

Connection breaks after enumeration of the endpoints, I guess this is related to the authentication attempt

Find below the error log:

Traceback (most recent call last):
File "/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py", line 600, in urlopen
httplib_response = self._make_request(conn, method, url,
File "/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py", line 387, in _make_request
six.raise_from(e, None)
File "", line 2, in raise_from
File "/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py", line 383, in _make_request
httplib_response = conn.getresponse()
File "/usr/lib/python3.8/http/client.py", line 1322, in getresponse
response.begin()
File "/usr/lib/python3.8/http/client.py", line 303, in begin
version, status, reason = self._read_status()
File "/usr/lib/python3.8/http/client.py", line 264, in _read_status
line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
File "/usr/lib/python3.8/socket.py", line 669, in readinto
return self._sock.recv_into(b)
File "/usr/local/lib/python3.8/dist-packages/urllib3/contrib/pyopenssl.py", line 309, in recv_into
raise SocketError(str(e))
OSError: (104, 'ECONNRESET')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/lib/python3.8/dist-packages/requests/adapters.py", line 439, in send
resp = conn.urlopen(
File "/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py", line 666, in urlopen
return self.urlopen(method, url, body, headers, retries,
File "/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py", line 666, in urlopen
return self.urlopen(method, url, body, headers, retries,
File "/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py", line 666, in urlopen
return self.urlopen(method, url, body, headers, retries,
File "/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py", line 640, in urlopen
retries = retries.increment(method, url, error=e, _pool=self,
File "/usr/local/lib/python3.8/dist-packages/urllib3/util/retry.py", line 399, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='xxx.xxx.xxx.xxx', port=443): Max retries exceeded with url: /Exchange/ (Caused by ProtocolError('Connection aborted.', OSError("(104, 'ECONNRESET')")))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/bin/ntlmrecon", line 8, in
sys.exit(main())
File "/usr/local/lib/python3.8/dist-packages/ntlmrecon/init.py", line 114, in main
results = pool.map(gather_ntlm_info, all_combos)
File "/usr/lib/python3.8/multiprocessing/pool.py", line 364, in map
return self._map_async(func, iterable, mapstar, chunksize).get()
File "/usr/lib/python3.8/multiprocessing/pool.py", line 768, in get
raise self._value
File "/usr/lib/python3.8/multiprocessing/pool.py", line 125, in worker
result = (True, func(*args, **kwds))
File "/usr/lib/python3.8/multiprocessing/pool.py", line 48, in mapstar
return list(map(*args))
File "/usr/local/lib/python3.8/dist-packages/ntlmrecon/ntlmutil.py", line 223, in gather_ntlm_info
auth_response = requests_retry_session().get(url, verify=False, headers=headers)
File "/usr/local/lib/python3.8/dist-packages/requests/sessions.py", line 543, in get
return self.request('GET', url, **kwargs)
File "/usr/local/lib/python3.8/dist-packages/requests/sessions.py", line 530, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python3.8/dist-packages/requests/sessions.py", line 643, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.8/dist-packages/requests/adapters.py", line 516, in send
raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='IPAddress:xxx.xxx.xxx.xxx', port=443): Max retries exceeded with url: /Exchange/ (Caused by ProtocolError('Connection aborted.', OSError("(104, 'ECONNRESET')")))

pwnfoo / ntlmrecon Goto Github PK

ntlmrecon's Introduction

NTLMRecon

Overview

Installation

BlackArch

Build from source

Example Usage

Recon on a single URL

Recon on a CIDR range or IP address

Recon on an input file

TODO

Acknowledgements

ntlmrecon's People

Contributors

Stargazers

Watchers

Forkers

ntlmrecon's Issues

Recommend Projects

Recommend Topics

Recommend Org