nuclei-templates/miscellaneous/ntlm-directories.yaml

id: ntlm-directories

info:
  name: Discovering directories w/ NTLM
  author: puzzlepeaches
  severity: info

requests:
  - method: GET
    path:
      - "{{BaseURL}}/abs/"
      - "{{BaseURL}}/adfs/services/trust/2005/windowstransport"
      - "{{BaseURL}}/aspnet_client/"
      - "{{BaseURL}}/autodiscover/"
      - "{{BaseURL}}/autoupdate/"
      - "{{BaseURL}}/certenroll/"
      - "{{BaseURL}}/certprov/"
      - "{{BaseURL}}/certsrv/"
      - "{{BaseURL}}/conf/"
      - "{{BaseURL}}/deviceupdatefiles_ext/"
      - "{{BaseURL}}/deviceupdatefiles_int/"
      - "{{BaseURL}}/dialin/"
      - "{{BaseURL}}/ecp/"
      - "{{BaseURL}}/etc/"
      - "{{BaseURL}}/ews/"
      - "{{BaseURL}}/exchange/"
      - "{{BaseURL}}/exchweb/"
      - "{{BaseURL}}/groupexpansion/"
      - "{{BaseURL}}/hybridconfig/"
      - "{{BaseURL}}/mcx/"
      - "{{BaseURL}}/mcx/mcxservice.svc"
      - "{{BaseURL}}/meet/"
      - "{{BaseURL}}/meeting/"
      - "{{BaseURL}}/microsoft-server-activesync/"
      - "{{BaseURL}}/oab/"
      - "{{BaseURL}}/ocsp/"
      - "{{BaseURL}}/owa/"
      - "{{BaseURL}}/persistentchat/"
      - "{{BaseURL}}/phoneconferencing/"
      - "{{BaseURL}}/powershell/"
      - "{{BaseURL}}/public/"
      - "{{BaseURL}}/reach/sip.svc"
      - "{{BaseURL}}/requesthandler/"
      - "{{BaseURL}}/requesthandlerext/"
      - "{{BaseURL}}/rgs/"
      - "{{BaseURL}}/rgsclients/"
      - "{{BaseURL}}/rpc/"
      - "{{BaseURL}}/rpcwithcert/"
      - "{{BaseURL}}/scheduler/"
      - "{{BaseURL}}/ucwa/"
      - "{{BaseURL}}/unifiedmessaging/"
      - "{{BaseURL}}/webticket/"
      - "{{BaseURL}}/webticket/webticketservice.svc"
      - "{{BaseURL}}/webticket/webticketservice.svcabs/"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "WWW-Authenticate: NTLM"
          - "Www-Authenticate: NTLM"
        part: header
        condition: or

      - type: status
        status:
          - 401
drafting ntlm 2020-08-20 07:42:18 +00:00			`id: ntlm-directories`

			`info:`
			`name: Discovering directories w/ NTLM`
			`author: puzzlepeaches`
			`severity: info`

			`requests:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}/abs/"`
			`- "{{BaseURL}}/adfs/services/trust/2005/windowstransport"`
			`- "{{BaseURL}}/aspnet_client/"`
			`- "{{BaseURL}}/autodiscover/"`
			`- "{{BaseURL}}/autoupdate/"`
			`- "{{BaseURL}}/certenroll/"`
			`- "{{BaseURL}}/certprov/"`
			`- "{{BaseURL}}/certsrv/"`
			`- "{{BaseURL}}/conf/"`
			`- "{{BaseURL}}/deviceupdatefiles_ext/"`
			`- "{{BaseURL}}/deviceupdatefiles_int/"`
			`- "{{BaseURL}}/dialin/"`
			`- "{{BaseURL}}/ecp/"`
			`- "{{BaseURL}}/etc/"`
			`- "{{BaseURL}}/ews/"`
			`- "{{BaseURL}}/exchange/"`
			`- "{{BaseURL}}/exchweb/"`
			`- "{{BaseURL}}/groupexpansion/"`
			`- "{{BaseURL}}/hybridconfig/"`
			`- "{{BaseURL}}/mcx/"`
			`- "{{BaseURL}}/mcx/mcxservice.svc"`
			`- "{{BaseURL}}/meet/"`
			`- "{{BaseURL}}/meeting/"`
			`- "{{BaseURL}}/microsoft-server-activesync/"`
			`- "{{BaseURL}}/oab/"`
			`- "{{BaseURL}}/ocsp/"`
			`- "{{BaseURL}}/owa/"`
			`- "{{BaseURL}}/persistentchat/"`
			`- "{{BaseURL}}/phoneconferencing/"`
			`- "{{BaseURL}}/powershell/"`
			`- "{{BaseURL}}/public/"`
			`- "{{BaseURL}}/reach/sip.svc"`
			`- "{{BaseURL}}/requesthandler/"`
			`- "{{BaseURL}}/requesthandlerext/"`
			`- "{{BaseURL}}/rgs/"`
			`- "{{BaseURL}}/rgsclients/"`
			`- "{{BaseURL}}/rpc/"`
			`- "{{BaseURL}}/rpcwithcert/"`
			`- "{{BaseURL}}/scheduler/"`
			`- "{{BaseURL}}/ucwa/"`
			`- "{{BaseURL}}/unifiedmessaging/"`
			`- "{{BaseURL}}/webticket/"`
			`- "{{BaseURL}}/webticket/webticketservice.svc"`
			`- "{{BaseURL}}/webticket/webticketservice.svcabs/"`
updating template 2020-09-09 11:30:30 +00:00
			`matchers-condition: and`
drafting ntlm 2020-08-20 07:42:18 +00:00			`matchers:`
			`- type: word`
			`words:`
Update ntlm-directories.yaml 2020-09-10 15:43:37 +00:00			`- "WWW-Authenticate: NTLM"`
			`- "Www-Authenticate: NTLM"`
drafting ntlm 2020-08-20 07:42:18 +00:00			`part: header`
Update ntlm-directories.yaml 2020-09-10 15:43:37 +00:00			`condition: or`
updating template 2020-09-09 11:30:30 +00:00
			`- type: status`
			`status:`
			`- 401`