
Nmap Development mailing list archives

Re: [NSE] Script Submission: HTTP NTLM Information Disclosure
From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 05 Feb 2014 12:22:45 -0600

On 02/04/2014 02:53 PM, nmap user wrote:

Attached is an NSE implementation to anonymously enumerate remote NetBIOS,
DNS, and OS details from HTTP services with NTLM authentication enabled.

By sending an HTTP NTLM authentication request with null domain and user
credentials (passed in the 'Authorization' header), the remote web server
will respond with an NTLMSSP message (encoded within the 'WWW-Authenticate'
header) and disclose information including NetBIOS, DNS, and OS build

Example output:
#nmap -p443 --script http-ntlm-info-disclosure

Nmap scan report for
Host is up (0.040s latency).
443/tcp open   https
| http-ntlm-info-disclosure:
|   Target_Name: ACTIVEWEB
|   NetBIOS_Domain_Name: ACTIVEWEB
|   NetBIOS_Computer_Name: PRODWEB001
|   DNS_Domain_Name: activeweb.somedomain.com
|   DNS_Computer_Name: prodweb001.activeweb.somedomain.com
|   DNS_Tree_Name: activeweb.somedomain.com
|_ Product_Version: 5.2 (Build 3790)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

This script has been tested against all Microsoft IIS versions and open
source HTTP NTLM implementations.



Thanks for this script! It looks like some good information, and I'm excited to add it to Nmap. There are a few things I'd like to see first, if you don't mind:

1. You've chosen "default" as a category. In your testing, did you see what kind of logs this query leaves behind? If it causes 403 Forbidden logs that wouldn't otherwise be left by a browser, we may have to remove it from the "default" category.

2. I'm pretty sure the smbauth.get_host_info_from_security_blob() function does a lot of the parsing you do in this script, including the Unicode (UCS-2) handling. It would be better to use this function, if at all possible, in order to avoid duplicating code. I just wrote some documentation for it, so hopefully that will show up soon.

3. We've started enforcing some code quality standards. If you follow the guidelines here, it will make integration easier for everyone: https://secwiki.org/w/Nmap/Code_Standards

Thanks again, and I look forward to seeing your answers.

Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/
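The exchange described in the submission above, as an added Python example that is not part of the original post, of the submitted script, or of Nmap (the script itself is NSE/Lua): it builds the minimal NTLM NEGOTIATE_MESSAGE (Type 1) with empty DomainName and Workstation fields that goes in the Authorization header, and parses the CHALLENGE_MESSAGE (Type 2) that comes back in WWW-Authenticate, pulling out TargetName, the AV_PAIR target info (NetBIOS and DNS names) and the Version field. Field offsets, flag bits and AvId values follow MS-NLMP; the function names, the probe() helper and its parameters are this example's own, and the sample challenge blob is constructed inline to mirror the example output in the thread, not captured from a real server.

```python
import base64
import http.client
import struct

# NegotiateFlags bits (MS-NLMP 2.2.2.5)
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_OEM = 0x00000002
REQUEST_TARGET = 0x00000004
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_TARGET_INFO = 0x00800000
NEGOTIATE_VERSION = 0x02000000
HEADER_LEN = 56  # fixed part of CHALLENGE_MESSAGE; the payload starts here

# AV_PAIR AvId values (MS-NLMP 2.2.2.1), keyed to the output names used in the thread
AV_NAMES = {1: "NetBIOS_Computer_Name", 2: "NetBIOS_Domain_Name",
            3: "DNS_Computer_Name", 4: "DNS_Domain_Name", 5: "DNS_Tree_Name"}


def build_negotiate_message() -> bytes:
    """Minimal NEGOTIATE_MESSAGE (Type 1): DomainName and Workstation fields empty."""
    flags = NEGOTIATE_UNICODE | NEGOTIATE_OEM | REQUEST_TARGET | NEGOTIATE_NTLM
    # signature, MessageType=1, flags, DomainNameFields, WorkstationFields (Len, MaxLen, Offset)
    return b"NTLMSSP\x00" + struct.pack("<IIHHIHHI", 1, flags, 0, 0, 32, 0, 0, 32)


def _field(blob: bytes, offset: int, length: int) -> bytes:
    """Bounds-checked payload slice: the server chooses these offsets, so never trust them."""
    if offset + length > len(blob):
        raise ValueError("field runs past end of message")
    return blob[offset:offset + length]


def parse_challenge_message(blob: bytes) -> dict:
    """Parse a CHALLENGE_MESSAGE (Type 2) into the host details it discloses."""
    if len(blob) < HEADER_LEN or blob[:12] != b"NTLMSSP\x00\x02\x00\x00\x00":
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", blob, 12)   # TargetNameFields
    (flags,) = struct.unpack_from("<I", blob, 20)               # NegotiateFlags
    ti_len, _, ti_off = struct.unpack_from("<HHI", blob, 40)   # TargetInfoFields
    info = {}
    # TargetName honours the UNICODE flag; AV_PAIR strings are always UTF-16LE
    encoding = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    info["Target_Name"] = _field(blob, tn_off, tn_len).decode(encoding, "replace")
    if flags & NEGOTIATE_TARGET_INFO and ti_len:
        pos, end = ti_off, ti_off + len(_field(blob, ti_off, ti_len))
        while pos + 4 <= end:
            av_id, av_len = struct.unpack_from("<HH", blob, pos)
            if av_id == 0:  # MsvAvEOL terminates the list
                break
            value = _field(blob, pos + 4, av_len)
            pos += 4 + av_len
            if av_id in AV_NAMES:
                info[AV_NAMES[av_id]] = value.decode("utf-16-le", "replace")
    if flags & NEGOTIATE_VERSION:
        major, minor, build = struct.unpack_from("<BBH", blob, 48)   # Version field
        info["Product_Version"] = f"{major}.{minor} (Build {build})"
    return info


def parse_www_authenticate(header_value: str) -> dict:
    """Parse the value of a 'WWW-Authenticate: NTLM <base64>' header."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "ntlm" or not token:
        raise ValueError("not an NTLM challenge header")
    return parse_challenge_message(base64.b64decode(token.strip()))


def probe(host: str, port: int = 443, path: str = "/", tls_context=None, timeout: float = 5.0):
    """Network helper (hypothetical, not exercised offline): send the Type 1 message in
    Authorization and parse the Type 2 reply, if any. Internal IIS hosts often use
    self-signed certificates; pass ssl._create_unverified_context() as tls_context then."""
    token = base64.b64encode(build_negotiate_message()).decode("ascii")
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=tls_context)
    conn.request("GET", path, headers={"Authorization": "NTLM " + token})
    for name, value in conn.getresponse().getheaders():  # may carry several WWW-Authenticate headers
        if name.lower() == "www-authenticate" and value.lstrip().lower().startswith("ntlm "):
            return parse_www_authenticate(value)
    return None


def build_sample_challenge() -> bytes:
    """Constructed CHALLENGE_MESSAGE mirroring the thread's example output (not a real capture)."""
    u16 = lambda s: s.encode("utf-16-le")
    target_name = u16("ACTIVEWEB")
    pairs = [(2, "ACTIVEWEB"), (1, "PRODWEB001"), (4, "activeweb.somedomain.com"),
             (3, "prodweb001.activeweb.somedomain.com"), (5, "activeweb.somedomain.com")]
    target_info = b"".join(struct.pack("<HH", i, len(u16(v))) + u16(v) for i, v in pairs)
    target_info += struct.pack("<HH", 0, 0)  # MsvAvEOL
    flags = (NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM
             | NEGOTIATE_TARGET_INFO | NEGOTIATE_VERSION)
    ti_off = HEADER_LEN + len(target_name)
    header = (b"NTLMSSP\x00"
              + struct.pack("<IHHII", 2, len(target_name), len(target_name), HEADER_LEN, flags)
              + bytes.fromhex("0123456789abcdef") + b"\x00" * 8  # ServerChallenge (arbitrary), Reserved
              + struct.pack("<HHI", len(target_info), len(target_info), ti_off)
              + struct.pack("<BBH", 5, 2, 3790) + b"\x00\x00\x00\x0f")  # Version 5.2 build 3790, rev 15
    return header + target_name + target_info


def sample_www_authenticate() -> str:
    """The constructed challenge as it would appear in the response header."""
    return "NTLM " + base64.b64encode(build_sample_challenge()).decode("ascii")
```

Running parse_www_authenticate(sample_www_authenticate()) yields the same field names and values as the script output quoted in the submission. Two points worth keeping when porting this to a real probe: every offset and length in the Type 2 message is server-supplied, so the slicing is bounds-checked before use rather than trusted, and the NetBIOS/DNS strings inside TargetInfo are always UTF-16LE regardless of the UNICODE flag, which only governs TargetName.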
