Re: [NSE] Script Submission: NTLM Information Disclosure (MS-SQL, SMTP, IMAP, POP3, Telnet, NNTP)

[Daniel Miller <bonsaiviking () gmail com>]

On 04/23/2014 11:16 AM, NMap User1 wrote:
> Hello,
>
> Expanding on the http-ntlm-info script, attached are six additional scripts
> that support this enumeration method among other common protocols that
> support NTLM authentication.
>
> In summary, if NTLM authentication is enabled, by sending a NTLM
> authentication request with null domain and user credentials, the remote
> service will respond with a NTLMSSP message and disclose information
> including NetBIOS, DNS, and OS build version.  No log entry is created.
>
> The attached scripts include the following services:
> * MS-SQL
> * SMTP
> * IMAP
> * POP3
> * Telnet
> * NNTP
>
> Similar to the HTTP NTLM information disclosure script, these function with
> identical/consistent behavior and output.  As an example, below demonstrates
> usage of the MS-SQL script:
>
> #nmap -p1433 1.2.3.4 --script ms-sql-ntlm-info
> Nmap scan report for 1.2.3.4
> Host is up (0.040s latency).
> PORT STATE SERVICE VERSION
> 1433/tcp open ms-sql-s
> | ms-sql-ntlm-info:
> |  Target_Name: ACTIVESQL
> |  NetBIOS_Domain_Name: ACTIVESQL
> |  NetBIOS_Computer_Name: DB-TEST2
> |  DNS_Domain_Name: somedomain.com
> |  DNS_Computer_Name: db-test2.somedomain.com
> |  DNS_Tree_Name: somedomain.com
> |_ Product_Version: 6.1 (Build 7601)
>
> Below demonstrates SMTP:
> #nmap -p25 1.2.3.4 --script smtp-ntlm-info
> Nmap scan report for 1.2.3.4
> Host is up (0.10s latency).
> PORT    STATE    SERVICE    VERSION
> 25/tcp  open     smtp
> | smtp-ntlm-info:
> |   Target_Name: ACTIVESMTP
> |   NetBIOS_Domain_Name: ACTIVESMTP
> |   NetBIOS_Computer_Name: SMTP-TEST2
> |   DNS_Domain_Name: somedomain.com
> |   DNS_Computer_Name: smtp-test2.somedomain.com
> |   DNS_Tree_Name: somedomain.com
> |_  Product_Version: 5.2 (Build 3790)
>
> Other protocols (e.g. IMAP, POP3, Telnet, NNTP) have similar implementation:
> --script [proto]-ntlm-info.
>
> These scripts have been tested against all current/past versions of their
> respective Microsoft services and have been classified as 'default' as they
> are non-malicious and no log entries are created.
>
> Just let me know if there are questions.  If these scripts should be
> submitted individually to the mailing list, let me know.
>
> Cheers,
> Justin
>
>
>
> _______________________________________________
> Sent through the dev mailing list
> http://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
Justin,

These look really neat, and I'm sure we can integrate them somehow. Do 
you think that it would be possible to combine them into one script that 
just handles the pre-NTLM protocol handshaking depending on the service, 
then does the NTLM information gathering on its own? Take a look at how 
sslcert library (http://nmap.org/nsedoc/lib/sslcert.html) does things 
with the SPECIALIZED_PREPARE_TLS and StartTLS tables, for instance. Just 
a thought for now, since I haven't had time to take a closer look yet.

Dan
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/