An NTLM reconnaissance tool without external dependencies. Useful for finding out information about NTLM endpoints when working with a large set of potential IP addresses and domains.
NTLMRecon is built with flexibility in mind. Need to run recon on a single URL, an IP address, an entire CIDR range, or a combination of all of them in a single input file? No problem! NTLMRecon has you covered. Read on.
NTLMRecon looks for NTLM-enabled web endpoints, sends a fake authentication request and enumerates information about the domain from the NTLMSSP response (the fields are listed below).
Since NTLMRecon leverages a Python implementation of NTLMSSP, it eliminates the overhead of running the Nmap NSE script http-ntlm-info for every successful discovery.
On every successful discovery of an NTLM-enabled web endpoint, the tool enumerates the following information about the domain and saves it to a CSV file with these columns:
| URL | Domain Name | Server Name | DNS Domain Name | FQDN | DNS Domain |
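The fields above come from the AV_PAIR list (TargetInfo) and the Version block of the NTLM CHALLENGE_MESSAGE (Type 2) that a server returns in its `WWW-Authenticate: NTLM <base64>` header when it is offered a bare NEGOTIATE. The following Python is an added, stand-alone illustration of that decoding step, not NTLMRecon's own code: it assembles a constructed challenge for a fictitious CONTOSO domain (server challenge, build number and names are made up), then parses it back into the columns the CSV uses. The field layout and AvId values follow the MS-NLMP specification; the function and column names are this example's own.

```python
import base64
import struct

# AvId values from MS-NLMP 2.2.2.1 (AV_PAIR)
AV_EOL, AV_NB_COMPUTER, AV_NB_DOMAIN, AV_DNS_COMPUTER, AV_DNS_DOMAIN, AV_DNS_TREE = range(6)
AV_TIMESTAMP = 7

# NegotiateFlags bits from MS-NLMP 2.2.2.5
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000

# Fixed-size header of a CHALLENGE_MESSAGE, including the 8-byte Version block
CHALLENGE_HEADER_LEN = 56

# Column order of the CSV described above; keys are this example's own names
CSV_COLUMNS = ["URL", "Domain Name", "Server Name", "DNS Domain Name", "FQDN", "DNS Domain"]
FIELD_ORDER = ["domain_name", "server_name", "dns_domain_name", "fqdn", "dns_domain"]
AV_TO_FIELD = {
    AV_NB_DOMAIN: "domain_name",
    AV_NB_COMPUTER: "server_name",
    AV_DNS_DOMAIN: "dns_domain_name",
    AV_DNS_COMPUTER: "fqdn",
    AV_DNS_TREE: "dns_domain",
}


def _av_pair(av_id, value):
    return struct.pack("<HH", av_id, len(value)) + value


def build_sample_challenge():
    """Assemble a constructed Type 2 message for a fictitious CONTOSO domain."""
    u16 = lambda s: s.encode("utf-16-le")
    target_info = b"".join([
        _av_pair(AV_NB_DOMAIN, u16("CONTOSO")),
        _av_pair(AV_NB_COMPUTER, u16("MAIL01")),
        _av_pair(AV_DNS_DOMAIN, u16("corp.contoso.com")),
        _av_pair(AV_DNS_COMPUTER, u16("mail01.corp.contoso.com")),
        _av_pair(AV_DNS_TREE, u16("contoso.com")),
        _av_pair(AV_TIMESTAMP, struct.pack("<Q", 132000000000000000)),  # made-up FILETIME
        _av_pair(AV_EOL, b""),
    ])
    target_name = u16("CONTOSO")
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_VERSION
    tn_off = CHALLENGE_HEADER_LEN
    ti_off = tn_off + len(target_name)
    msg = b"NTLMSSP\x00"                                           # Signature
    msg += struct.pack("<I", 2)                                    # MessageType = CHALLENGE
    msg += struct.pack("<HHI", len(target_name), len(target_name), tn_off)  # TargetNameFields
    msg += struct.pack("<I", flags)                                # NegotiateFlags
    msg += b"\x11" * 8                                             # ServerChallenge (constructed)
    msg += b"\x00" * 8                                             # Reserved
    msg += struct.pack("<HHI", len(target_info), len(target_info), ti_off)  # TargetInfoFields
    msg += struct.pack("<BBH3sB", 10, 0, 17763, b"\x00" * 3, 0x0F)  # Version 10.0.17763, rev 15
    return msg + target_name + target_info


def sample_header_value():
    """The constructed challenge as it would appear in a WWW-Authenticate header."""
    return "NTLM " + base64.b64encode(build_sample_challenge()).decode("ascii")


def parse_ntlm_challenge(www_authenticate_value):
    """Decode a 'NTLM <base64>' header value into the fields the CSV records."""
    token = www_authenticate_value.split(None, 1)[1] if " " in www_authenticate_value else www_authenticate_value
    raw = base64.b64decode(token)
    if raw[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", raw, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    flags = struct.unpack_from("<I", raw, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", raw, 40)
    info = {}
    if flags & NTLMSSP_NEGOTIATE_VERSION:
        major, minor, build = struct.unpack_from("<BBH", raw, 48)
        info["os_version"] = f"{major}.{minor}.{build}"
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:                       # walk AV_PAIRs until MsvAvEOL
        av_id, av_len = struct.unpack_from("<HH", raw, pos)
        pos += 4
        if av_id == AV_EOL:
            break
        value = raw[pos:pos + av_len]
        pos += av_len
        if av_id in AV_TO_FIELD:
            info[AV_TO_FIELD[av_id]] = value.decode("utf-16-le")
        elif av_id == AV_TIMESTAMP and av_len == 8:
            info["timestamp"] = struct.unpack("<Q", value)[0]
    return info


def to_csv_row(url, info):
    """Order the parsed fields as the CSV columns above."""
    return [url] + [info.get(k, "") for k in FIELD_ORDER]


if __name__ == "__main__":
    parsed = parse_ntlm_challenge(sample_header_value())
    print(",".join(CSV_COLUMNS))
    print(",".join(to_csv_row("https://mail.contoso.com", parsed)))
```

Every name in that row is sent before any credential is checked, which is why a defender should run the same decode against their own internet-facing endpoints: an Exchange, ADFS or IIS host that answers anonymous requests with an NTLM challenge is publishing its internal NetBIOS and DNS naming, plus an OS build, to anyone who asks. The fix on the server side is to disable NTLM (or front it with a pre-authentication gateway) on anything reachable from the internet.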
NTLMRecon is already packaged for BlackArch and can be installed by running:
pacman -S ntlmrecon
To install from source, clone the repository:
git clone https://github.com/pwnfoo/ntlmrecon/
pip install virtualenv
Create a virtual environment with `virtualenv venv`, activate it, and then run:
python setup.py install
$ ntlmrecon --input https://mail.contoso.com --outfile ntlmrecon.csv
$ ntlmrecon --input 192.168.1.1/24 --outfile ntlmrecon-ranges.csv
The tool automatically detects the type of input per line and acts accordingly. CIDR ranges are expanded by default (please note that there is no de-duplication baked in just yet!)
P.S. It handles a mixed input file like this one well, with one target per line:
mail.contoso.com
CONTOSOHOSTNAME
10.0.13.2/28
192.168.222.1/24
https://mail.contoso.com
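To make the per-line detection and CIDR expansion concrete, here is an added Python sketch (not NTLMRecon's own implementation) that classifies each line of exactly that sample file as a URL, bare IP, CIDR range or hostname, expands ranges with the standard-library `ipaddress` module, and, unlike the tool as described above, optionally de-duplicates the resulting URL list. The sample input is the five lines shown above; scheme handling (one URL per scheme for hosts and IPs) is this example's own assumption.

```python
import ipaddress

# The mixed input file shown above, one target per line (constructed sample).
SAMPLE_INPUT = """
mail.contoso.com
CONTOSOHOSTNAME
10.0.13.2/28
192.168.222.1/24
https://mail.contoso.com
""".strip().splitlines()


def classify(line):
    """Return ('url' | 'ip' | 'cidr' | 'host', value) for one input line.

    Blank lines and '#' comments return None. Order matters: a bare address
    must be tested before CIDR, since ip_network() also accepts a lone IP."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if "://" in line:
        return ("url", line)
    try:
        ipaddress.ip_address(line)
        return ("ip", line)
    except ValueError:
        pass
    try:
        ipaddress.ip_network(line, strict=False)   # strict=False tolerates host bits set
        return ("cidr", line)
    except ValueError:
        pass
    return ("host", line)


def expand_targets(lines, schemes=("https", "http"), dedupe=True):
    """Turn mixed input lines into an ordered list of candidate URLs to probe.

    CIDR ranges expand to their usable host addresses; hosts and IPs get one
    URL per scheme. With dedupe=True, a URL reachable from two input lines
    (here: the hostname and the explicit https URL of the same host) is
    emitted once, which the bare expansion would not do."""
    seen = set()
    out = []

    def emit(url):
        if dedupe and url in seen:
            return
        seen.add(url)
        out.append(url)

    for line in lines:
        item = classify(line)
        if item is None:
            continue
        kind, value = item
        if kind == "url":
            emit(value)
        elif kind == "cidr":
            net = ipaddress.ip_network(value, strict=False)
            hosts = list(net.hosts()) or [net.network_address]  # /32 edge case
            for ip in hosts:
                for scheme in schemes:
                    emit(f"{scheme}://{ip}")
        else:  # 'ip' or 'host'
            for scheme in schemes:
                emit(f"{scheme}://{value}")
    return out


if __name__ == "__main__":
    targets = expand_targets(SAMPLE_INPUT)
    print(f"{len(targets)} unique URLs from {len(SAMPLE_INPUT)} input lines")
    print(targets[:4])
```

On the sample above the /28 contributes 14 usable hosts and the /24 contributes 254, each probed over https and http, and the explicit `https://mail.contoso.com` line collapses into the entry already produced by the `mail.contoso.com` hostname; without de-duplication that endpoint would be probed twice, which is the double-hit the note above warns about.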