Home page logo
/

nmap-dev logo Nmap Development mailing list archives

[NSE] Script Submission: HTTP NTLM Information Disclosure
From: nmap user <nmapuser1 () gmail com>
Date: Tue, 4 Feb 2014 15:53:00 -0500

Hello,

Attached is a NSE implementation to anonymously enumerate remote NetBIOS,
DNS, and OS details from HTTP services with NTLM authentication enabled.

By sending a HTTP NTLM authentication request with null domain and user
credentials (passed in the 'Authorization' header), the remote web server
will respond with a NTLMSSP message (encoded within the 'WWW-Authenticate'
header) and disclose information including NetBIOS, DNS, and OS build
version.

Example output:
#nmap -p443 1.2.3.4 --script http-ntlm-info-disclosure

Nmap scan report for 1.2.3.4
Host is up (0.040s latency).
PORT    STATE  SERVICE  VERSION
443/tcp open   https
| http-ntlm-info-disclosure:
|   Target_Name: ACTIVEWEB
|   NetBIOS_Domain_Name: ACTIVEWEB
|   NetBIOS_Computer_Name: PRODWEB001
|   DNS_Domain_Name: activeweb.somedomain.com
|   DNS_Computer_Name: prodweb001.activeweb.somedomain.com
|   DNS_Tree_Name: activeweb.somedomain.com
|_ Product_Version: 5.2 (Build 3790)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

This script has been tested against all Microsoft IIS versions and open
source HTTP NTLM implementations.

Cheers,
-Justin

Attachment: http-ntlm-info-disclosure.nse
Description:

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault