Become an AceSign inSign up
nyxgeek/ ntlmscan
Python pentest Windows
View on GitHub
Need help with ntlmscan?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

nyxgeek
132 Stars 34 Forks 32 Commits 2 Opened issues

Description

scan for NTLM directories

Services available

!
?

Need anything else?

Contributors list

nyxgeek nyxgeek
# 166,046
office3...
Shell
Python
brute-f...
 22 commits
Justin Bollinger bandrel
# 79,960
Python
Shell
Perl
entropy
 5 commits
Sachin S. Kamath pwnfoo
# 123,839
C
blackar...
kali-li...
web-app...
 1 commit

ntlmscan

scan for NTLM directories

reliable targets are: * OWA servers * Skype for Business/Lync servers * Autodiscover servers (autodiscover.domain.com and lyncdiscover.domain.com) * ADFS servers

once identified, use nmap and the http-ntlm-info script to extract internal domain/server information 

usage: ntlmscan.py [-h] [--url URL] [--host HOST] [--hostfile HOSTFILE]
                   [--outfile OUTFILE] [--dictionary DICTIONARY]


optional arguments:
  -h, --help              show this help message and exit
  --url URL               full url path to test
  --host HOST             a single host to search for ntlm dirs on
  --hostfile HOSTFILE     file containing ips or hostnames to test
  --outfile OUTFILE       file to write results to
  --dictionary DICTIONARY list of paths to test, default: paths.dict
  --nmap                  run nmap with http-ntlm-info after testing (requires nmap)
  --debug                 show request headers

Examples: ``` python3 ntlmscan.py --url https://autodiscover.domain.com/autodiscover

python3 ntlmscan.py --host autodiscover.domain.com

python3 ntlmscan.py --hostfile hosts.txt --dictionary big.txt ```

Screenshot of usage

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.