nuclei-templates/miscellaneous/ntlm-directories.yaml

81 lines
1.8 KiB
YAML
Raw Normal View History

2020-08-20 07:42:18 +00:00
id: ntlm-directories
info:
name: Discovering directories w/ NTLM
2021-08-13 23:42:43 +00:00
author: puzzlepeaches,incogbyte
2020-08-20 07:42:18 +00:00
severity: info
2021-08-13 23:42:43 +00:00
tags: misc,fuzz,windows
reference: https://medium.com/swlh/internal-information-disclosure-using-hidden-ntlm-authentication-18de17675666
2020-08-20 07:42:18 +00:00
requests:
- raw:
- |
GET {{path}} HTTP/1.1
Host: {{Hostname}}
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
2022-01-28 10:24:49 +00:00
threads: 10
payloads:
2021-08-13 23:42:43 +00:00
path:
- /
- /abs/
- /ecp/
- /etc/
- /ews/
- /mcx/
- /oab/
- /owa/
- /rgs/
- /rpc/
- /conf/
- /meet/
- /ocsp/
- /ucwa/
- /adfs/
- /dialin/
- /public/
- /certsrv/
- /exchweb/
- /meeting/
- /certprov/
- /exchange/
- /scheduler/
- /webticket/
- /autoupdate/
- /certenroll/
- /powershell/
- /rgsclients/
- /rpcwithcert/
- /autodiscover/
- /hybridconfig/
- /reach/sip.svc
- /aspnet_client/
- /groupexpansion/
- /persistentchat/
- /requesthandler/
- /unifiedmessaging/
- /mcx/mcxservice.svc
- /phoneconferencing/
- /requesthandlerext/
- /deviceupdatefiles_ext/
- /deviceupdatefiles_int/
- /microsoft-server-activesync/
- /webticket/webticketservice.svc
- /webticket/webticketservice.svcabs/
- /adfs/services/trust/2005/windowstransport
2020-09-09 11:30:30 +00:00
matchers-condition: and
2020-08-20 07:42:18 +00:00
matchers:
2021-08-13 23:42:43 +00:00
- type: dsl
dsl:
- "contains(tolower(all_headers), 'www-authenticate: ntlm')"
2020-09-09 11:30:30 +00:00
- type: status
status:
- 401
2021-08-13 23:42:43 +00:00
extractors:
- type: kval
kval:
- 'www_authenticate'