2020-08-20 07:42:18 +00:00
|
|
|
id: ntlm-directories
|
|
|
|
|
|
|
|
info:
|
|
|
|
name: Discovering directories w/ NTLM
|
2021-08-13 23:42:43 +00:00
|
|
|
author: puzzlepeaches,incogbyte
|
2020-08-20 07:42:18 +00:00
|
|
|
severity: info
|
2021-08-13 23:42:43 +00:00
|
|
|
tags: misc,fuzz,windows
|
|
|
|
reference: https://medium.com/swlh/internal-information-disclosure-using-hidden-ntlm-authentication-18de17675666
|
2020-08-20 07:42:18 +00:00
|
|
|
|
|
|
|
requests:
|
2021-08-22 18:09:33 +00:00
|
|
|
- raw:
|
|
|
|
- |
|
|
|
|
GET {{path}} HTTP/1.1
|
|
|
|
Host: {{Hostname}}
|
|
|
|
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
|
|
|
|
|
2022-01-28 10:24:49 +00:00
|
|
|
threads: 10
|
2021-08-22 18:09:33 +00:00
|
|
|
payloads:
|
2021-08-13 23:42:43 +00:00
|
|
|
path:
|
|
|
|
- /
|
|
|
|
- /abs/
|
|
|
|
- /ecp/
|
|
|
|
- /etc/
|
|
|
|
- /ews/
|
|
|
|
- /mcx/
|
|
|
|
- /oab/
|
|
|
|
- /owa/
|
|
|
|
- /rgs/
|
|
|
|
- /rpc/
|
|
|
|
- /conf/
|
|
|
|
- /meet/
|
|
|
|
- /ocsp/
|
|
|
|
- /ucwa/
|
|
|
|
- /adfs/
|
|
|
|
- /dialin/
|
|
|
|
- /public/
|
|
|
|
- /certsrv/
|
|
|
|
- /exchweb/
|
|
|
|
- /meeting/
|
|
|
|
- /certprov/
|
|
|
|
- /exchange/
|
|
|
|
- /scheduler/
|
|
|
|
- /webticket/
|
|
|
|
- /autoupdate/
|
|
|
|
- /certenroll/
|
|
|
|
- /powershell/
|
|
|
|
- /rgsclients/
|
|
|
|
- /rpcwithcert/
|
|
|
|
- /autodiscover/
|
|
|
|
- /hybridconfig/
|
|
|
|
- /reach/sip.svc
|
|
|
|
- /aspnet_client/
|
|
|
|
- /groupexpansion/
|
|
|
|
- /persistentchat/
|
|
|
|
- /requesthandler/
|
|
|
|
- /unifiedmessaging/
|
|
|
|
- /mcx/mcxservice.svc
|
|
|
|
- /phoneconferencing/
|
|
|
|
- /requesthandlerext/
|
|
|
|
- /deviceupdatefiles_ext/
|
|
|
|
- /deviceupdatefiles_int/
|
|
|
|
- /microsoft-server-activesync/
|
|
|
|
- /webticket/webticketservice.svc
|
|
|
|
- /webticket/webticketservice.svcabs/
|
|
|
|
- /adfs/services/trust/2005/windowstransport
|
|
|
|
|
2020-09-09 11:30:30 +00:00
|
|
|
matchers-condition: and
|
2020-08-20 07:42:18 +00:00
|
|
|
matchers:
|
2021-08-13 23:42:43 +00:00
|
|
|
- type: dsl
|
|
|
|
dsl:
|
|
|
|
- "contains(tolower(all_headers), 'www-authenticate: ntlm')"
|
2020-09-09 11:30:30 +00:00
|
|
|
|
|
|
|
- type: status
|
|
|
|
status:
|
|
|
|
- 401
|
2021-08-13 23:42:43 +00:00
|
|
|
|
|
|
|
extractors:
|
|
|
|
- type: kval
|
|
|
|
kval:
|
|
|
|
- 'www_authenticate'
|