mailing list archives
Re: [NSE] Script Submission: HTTP NTLM Information Disclosure
From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 05 Feb 2014 12:22:45 -0600
On 02/04/2014 02:53 PM, nmap user wrote:
Attached is a NSE implementation to anonymously enumerate remote NetBIOS,
DNS, and OS details from HTTP services with NTLM authentication enabled.
By sending a HTTP NTLM authentication request with null domain and user
credentials (passed in the 'Authorization' header), the remote web server
will respond with a NTLMSSP message (encoded within the 'WWW-Authenticate'
header) and disclose information including NetBIOS, DNS, and OS build
#nmap -p443 188.8.131.52 --script http-ntlm-info-disclosure
Nmap scan report for 184.108.40.206
Host is up (0.040s latency).
PORT STATE SERVICE VERSION
443/tcp open https
| Target_Name: ACTIVEWEB
| NetBIOS_Domain_Name: ACTIVEWEB
| NetBIOS_Computer_Name: PRODWEB001
| DNS_Domain_Name: activeweb.somedomain.com
| DNS_Computer_Name: prodweb001.activeweb.somedomain.com
| DNS_Tree_Name: activeweb.somedomain.com
|_ Product_Version: 5.2 (Build 3790)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
This script has been tested against all Microsoft IIS versions and open
source HTTP NTLM implementations.
Thanks for this script! It looks like some good information, and I'm
excited to add it to Nmap. There are a few things I'd like to see first,
if you don't mind:
1. You've chosen "default" as a category. In your testing, did you see
what kind of logs this query leaves behind? If it causes 403 Forbidden
logs that wouldn't otherwise be left by a browser, we may have to remove
it from the "default" category.
2. I'm pretty sure the smbauth.get_host_info_from_security_blob()
function does a lot of the parsing you do in this script, including the
Unicode (UCS-2) handling. It would be better to use this function, if at
all possible, in order to avoid duplicating code. I just wrote some
documentation for it, so hopefully that will show up soon.
3. We've started enforcing some code quality standards. If you follow
the guidelines here, it will make integration easier for everyone:
Thanks again, and I look forward to seeing your answers.
Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/