Skip to content
master
Switch branches/tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 

ntlmscan

scan for NTLM directories

reliable targets are:

  • OWA servers
  • Skype for Business/Lync servers
  • Autodiscover servers (autodiscover.domain.com and lyncdiscover.domain.com)
  • ADFS servers

once identified, use nmap and the http-ntlm-info script to extract internal domain/server information

usage: ntlmscan.py [-h] [--url URL] [--host HOST] [--hostfile HOSTFILE]
                   [--outfile OUTFILE] [--dictionary DICTIONARY]

optional arguments:
  -h, --help              show this help message and exit
  --url URL               full url path to test
  --host HOST             a single host to search for ntlm dirs on
  --hostfile HOSTFILE     file containing ips or hostnames to test
  --outfile OUTFILE       file to write results to
  --dictionary DICTIONARY list of paths to test, default: paths.dict
  --nmap                  run nmap with http-ntlm-info after testing (requires nmap)
  --debug                 show request headers

Examples:

python3 ntlmscan.py --url https://autodiscover.domain.com/autodiscover

python3 ntlmscan.py --host autodiscover.domain.com

python3 ntlmscan.py --hostfile hosts.txt --dictionary big.txt

Screenshot of usage

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages