ntlmrecon: fast NTLM reconnaissance and information gathering tool
NTLMRecon
A fast NTLM reconnaissance tool without external dependencies. Useful to find out information about NTLM endpoints when working with a large set of potential IP addresses and domains.
NTLMRecon is built with flexibility in mind. Need to run recon on a single URL, an IP address, an entire CIDR range, or a combination of all of these in a single input file? No problem! NTLMRecon has you covered. Read on.
Internal wordlists are from the awesome nyxgeek/lyncsmash repo.
NTLMRecon looks for NTLM-enabled web endpoints, sends a fake authentication request, and enumerates the following information from the NTLMSSP response:
- AD Domain Name
- Server name
- DNS Domain Name
- FQDN
- Parent DNS Domain
Because NTLMRecon uses a Python implementation of NTLMSSP, it avoids the overhead of running the Nmap NSE script http-ntlm-info against every endpoint it discovers.
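The fields listed above are carried in the TargetInfo AV_PAIR list of the NTLM Type 2 (CHALLENGE) message that an endpoint returns before any credentials are sent, which is why the information is visible to an unauthenticated client. The following parser is an added example, not ntlmrecon's own code; it assumes the mapping of the five fields to the MS-NLMP AvIds shown in the comments, and builds a constructed sample challenge so it runs offline. The same parser lets a defender audit what their own NTLM endpoints disclose.

```python
import base64
import struct

# MS-NLMP AV_PAIR AvIds mapped to the fields above (assumed mapping, not from the tool)
AV_PAIR_NAMES = {
    0x0001: "server_name",        # MsvAvNbComputerName
    0x0002: "ad_domain_name",     # MsvAvNbDomainName
    0x0003: "fqdn",               # MsvAvDnsComputerName
    0x0004: "dns_domain_name",    # MsvAvDnsDomainName
    0x0005: "parent_dns_domain",  # MsvAvDnsTreeName
}


def parse_ntlm_challenge(header_value: str) -> dict:
    """Parse a 'WWW-Authenticate: NTLM <base64>' value and return its TargetInfo fields."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM challenge header")
    msg = base64.b64decode(token)
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not a Type 2 (CHALLENGE) message")
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)  # TargetInfoFields: Len, MaxLen, Offset
    info, pos, end = {}, ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)  # AV_PAIR header: AvId, AvLen
        pos += 4
        if av_id == 0 or pos + av_len > end:  # MsvAvEOL terminator or truncated buffer
            break
        if av_id in AV_PAIR_NAMES:  # AV_PAIR string values are always UTF-16LE
            info[AV_PAIR_NAMES[av_id]] = msg[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return info


def build_challenge(pairs: dict) -> str:
    """Constructed sample for testing: a minimal Type 2 message, not a real capture."""
    target_info = b""
    for av_id, text in pairs.items():
        value = text.encode("utf-16-le")
        target_info += struct.pack("<HH", av_id, len(value)) + value
    target_info += struct.pack("<HH", 0, 0)  # MsvAvEOL terminator
    header_len = 56  # fixed header up to and including the 8-byte Version field
    msg = (b"NTLMSSP\x00" + struct.pack("<I", 2)
           + struct.pack("<HHI", 0, 0, header_len)     # empty TargetName
           + struct.pack("<I", 0x02898205)              # NegotiateFlags (constructed value)
           + b"\x11" * 8 + b"\x00" * 8                  # ServerChallenge, Reserved
           + struct.pack("<HHI", len(target_info), len(target_info), header_len)
           + b"\x00" * 8 + target_info)                 # Version (zeroed), then payload
    return "NTLM " + base64.b64encode(msg).decode()
```

Feed `parse_ntlm_challenge` the value of a real `WWW-Authenticate: NTLM ...` response header to see which internal names an endpoint exposes; `build_challenge` exists only to produce test input.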
Install
- Clone the repository - git clone https://github.com/sachinkamath/ntlmrecon/
- RECOMMENDED - Install virtualenv: pip install virtualenv
- Start a new virtual environment - virtualenv venv - and activate it with source venv/bin/activate
- Run the setup file - python setup.py install
- Run ntlmrecon - ntlmrecon --help
Usage
Example
Recon on a single URL
$ ntlmrecon --input https://mail.contoso.com --outfile ntlmrecon.csv
Recon on a CIDR range or IP address
$ ntlmrecon --input 192.168.1.1/24 --outfile ntlmrecon-ranges.csv
Recon on an input file
NTLMRecon automatically detects the type of input on each line of the file and returns results for all of them. CIDR ranges are expanded automatically even when read from a text file.
The input file can be as mixed as this, one entry per line:
mail.contoso.com
CONTOSOHOSTNAME
10.0.13.2/28
192.168.222.1/24
https://mail.contoso.com
To run recon with an input file, just run:
$ ntlmrecon --infile /path/to/input/file --outfile ntlmrecon-fromfile.csv
Copyright (c) 2019, Sachin S. Kamath
All rights reserved.
Source: https://github.com/sachinkamath/