Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] Script Submission: HTTP NTLM Information Disclosure
From: nmap user <nmapuser1 () gmail com>
Date: Thu, 6 Feb 2014 15:55:46 -0500

Hi Daniel,

Thanks for the feedback.

Attached is the revised code leveraging the
smbauth.get_host_info_from_security_blob() function where possible.

As for logging -- within IIS, the script event is logged as '401'
(Unauthorized), the same as if a web browser visited the page with NTLM
authentication enabled.  When anonymous access is permitted to the web
server this request is simply logged as a '200' (since NTLM auth is


On Wed, Feb 5, 2014 at 1:22 PM, Daniel Miller <bonsaiviking () gmail com>wrote:

On 02/04/2014 02:53 PM, nmap user wrote:


Attached is a NSE implementation to anonymously enumerate remote NetBIOS,
DNS, and OS details from HTTP services with NTLM authentication enabled.

By sending a HTTP NTLM authentication request with null domain and user
credentials (passed in the 'Authorization' header), the remote web server
will respond with a NTLMSSP message (encoded within the 'WWW-Authenticate'
header) and disclose information including NetBIOS, DNS, and OS build

Example output:
#nmap -p443 --script http-ntlm-info-disclosure

Nmap scan report for
Host is up (0.040s latency).
443/tcp open   https
| http-ntlm-info-disclosure:
|   Target_Name: ACTIVEWEB
|   NetBIOS_Domain_Name: ACTIVEWEB
|   NetBIOS_Computer_Name: PRODWEB001
|   DNS_Domain_Name: activeweb.somedomain.com
|   DNS_Computer_Name: prodweb001.activeweb.somedomain.com
|   DNS_Tree_Name: activeweb.somedomain.com
|_ Product_Version: 5.2 (Build 3790)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

This script has been tested against all Microsoft IIS versions and open
source HTTP NTLM implementations.



Thanks for this script! It looks like some good information, and I'm
excited to add it to Nmap. There are a few things I'd like to see first, if
you don't mind:

1. You've chosen "default" as a category. In your testing, did you see
what kind of logs this query leaves behind? If it causes 403 Forbidden logs
that wouldn't otherwise be left by a browser, we may have to remove it from
the "default" category.

2. I'm pretty sure the smbauth.get_host_info_from_security_blob()
function does a lot of the parsing you do in this script, including the
Unicode (UCS-2) handling. It would be better to use this function, if at
all possible, in order to avoid duplicating code. I just wrote some
documentation for it, so hopefully that will show up soon.

3. We've started enforcing some code quality standards. If you follow the
guidelines here, it will make integration easier for everyone:

Thanks again, and I look forward to seeing your answers.


Attachment: http-ntlm-info-disclosure.nse

Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]