Skip to content


Folders and files

Last commit message
Last commit date

Latest commit



42 Commits

Repository files navigation


scan for NTLM directories

reliable targets are:

  • OWA servers
  • Skype for Business/Lync servers
  • Autodiscover servers ( and
  • ADFS servers

once identified, use nmap and the http-ntlm-info script to extract internal domain/server information

usage: [-h] [--url URL] [--host HOST] [--hostfile HOSTFILE]
                   [--outfile OUTFILE] [--dictionary DICTIONARY]

optional arguments:
  -h, --help              show this help message and exit
  --url URL               full url path to test
  --host HOST             a single host to search for ntlm dirs on
  --hostfile HOSTFILE     file containing ips or hostnames to test
  --outfile OUTFILE       file to write results to
  --dictionary DICTIONARY list of paths to test, default: paths.dict
  --nmap                  run nmap with http-ntlm-info after testing (requires nmap)
  --debug                 show request headers


python3 --url

python3 --host

python3 --hostfile hosts.txt --dictionary big.txt

Screenshot of usage