Nmap Development mailing list archives
Re: [NSE] Script Submission: HTTP NTLM Information Disclosure
From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 05 Feb 2014 12:22:45 -0600
On 02/04/2014 02:53 PM, nmap user wrote:
Hello, Attached is a NSE implementation to anonymously enumerate remote NetBIOS, DNS, and OS details from HTTP services with NTLM authentication enabled. By sending a HTTP NTLM authentication request with null domain and user credentials (passed in the 'Authorization' header), the remote web server will respond with a NTLMSSP message (encoded within the 'WWW-Authenticate' header) and disclose information including NetBIOS, DNS, and OS build version. Example output: #nmap -p443 1.2.3.4 --script http-ntlm-info-disclosure Nmap scan report for 1.2.3.4 Host is up (0.040s latency). PORT STATE SERVICE VERSION 443/tcp open https | http-ntlm-info-disclosure: | Target_Name: ACTIVEWEB | NetBIOS_Domain_Name: ACTIVEWEB | NetBIOS_Computer_Name: PRODWEB001 | DNS_Domain_Name: activeweb.somedomain.com | DNS_Computer_Name: prodweb001.activeweb.somedomain.com | DNS_Tree_Name: activeweb.somedomain.com |_ Product_Version: 5.2 (Build 3790) Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows This script has been tested against all Microsoft IIS versions and open source HTTP NTLM implementations. Cheers, -Justin
Justin,Thanks for this script! It looks like some good information, and I'm excited to add it to Nmap. There are a few things I'd like to see first, if you don't mind:
1. You've chosen "default" as a category. In your testing, did you see what kind of logs this query leaves behind? If it causes 403 Forbidden logs that wouldn't otherwise be left by a browser, we may have to remove it from the "default" category.
2. I'm pretty sure the smbauth.get_host_info_from_security_blob() function does a lot of the parsing you do in this script, including the Unicode (UCS-2) handling. It would be better to use this function, if at all possible, in order to avoid duplicating code. I just wrote some documentation for it, so hopefully that will show up soon.
3. We've started enforcing some code quality standards. If you follow the guidelines here, it will make integration easier for everyone: https://secwiki.org/w/Nmap/Code_Standards
Thanks again, and I look forward to seeing your answers. Dan _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] Script Submission: HTTP NTLM Information Disclosure nmap user (Feb 04)
- Re: [NSE] Script Submission: HTTP NTLM Information Disclosure Daniel Miller (Feb 05)
- Re: [NSE] Script Submission: HTTP NTLM Information Disclosure nmap user (Feb 06)
- Re: [NSE] Script Submission: HTTP NTLM Information Disclosure Daniel Miller (Feb 07)
- Re: [NSE] Script Submission: HTTP NTLM Information Disclosure nmap user (Feb 06)
- Re: [NSE] Script Submission: HTTP NTLM Information Disclosure Daniel Miller (Feb 05)