Merge pull request #2397 from projectdiscovery/ntlm-directories-update
ntlm-directories path/payload updatepatch-1
commit
787cbebd1f
|
@ -2,67 +2,81 @@ id: ntlm-directories
|
|||
|
||||
info:
|
||||
name: Discovering directories w/ NTLM
|
||||
author: puzzlepeaches
|
||||
author: puzzlepeaches,incogbyte
|
||||
severity: info
|
||||
tags: misc
|
||||
tags: misc,fuzz,windows
|
||||
reference: https://medium.com/swlh/internal-information-disclosure-using-hidden-ntlm-authentication-18de17675666
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
- payloads:
|
||||
path:
|
||||
- "{{BaseURL}}/abs/"
|
||||
- "{{BaseURL}}/adfs/services/trust/2005/windowstransport"
|
||||
- "{{BaseURL}}/aspnet_client/"
|
||||
- "{{BaseURL}}/autodiscover/"
|
||||
- "{{BaseURL}}/autoupdate/"
|
||||
- "{{BaseURL}}/certenroll/"
|
||||
- "{{BaseURL}}/certprov/"
|
||||
- "{{BaseURL}}/certsrv/"
|
||||
- "{{BaseURL}}/conf/"
|
||||
- "{{BaseURL}}/deviceupdatefiles_ext/"
|
||||
- "{{BaseURL}}/deviceupdatefiles_int/"
|
||||
- "{{BaseURL}}/dialin/"
|
||||
- "{{BaseURL}}/ecp/"
|
||||
- "{{BaseURL}}/etc/"
|
||||
- "{{BaseURL}}/ews/"
|
||||
- "{{BaseURL}}/exchange/"
|
||||
- "{{BaseURL}}/exchweb/"
|
||||
- "{{BaseURL}}/groupexpansion/"
|
||||
- "{{BaseURL}}/hybridconfig/"
|
||||
- "{{BaseURL}}/mcx/"
|
||||
- "{{BaseURL}}/mcx/mcxservice.svc"
|
||||
- "{{BaseURL}}/meet/"
|
||||
- "{{BaseURL}}/meeting/"
|
||||
- "{{BaseURL}}/microsoft-server-activesync/"
|
||||
- "{{BaseURL}}/oab/"
|
||||
- "{{BaseURL}}/ocsp/"
|
||||
- "{{BaseURL}}/owa/"
|
||||
- "{{BaseURL}}/persistentchat/"
|
||||
- "{{BaseURL}}/phoneconferencing/"
|
||||
- "{{BaseURL}}/powershell/"
|
||||
- "{{BaseURL}}/public/"
|
||||
- "{{BaseURL}}/reach/sip.svc"
|
||||
- "{{BaseURL}}/requesthandler/"
|
||||
- "{{BaseURL}}/requesthandlerext/"
|
||||
- "{{BaseURL}}/rgs/"
|
||||
- "{{BaseURL}}/rgsclients/"
|
||||
- "{{BaseURL}}/rpc/"
|
||||
- "{{BaseURL}}/rpcwithcert/"
|
||||
- "{{BaseURL}}/scheduler/"
|
||||
- "{{BaseURL}}/ucwa/"
|
||||
- "{{BaseURL}}/unifiedmessaging/"
|
||||
- "{{BaseURL}}/webticket/"
|
||||
- "{{BaseURL}}/webticket/webticketservice.svc"
|
||||
- "{{BaseURL}}/webticket/webticketservice.svcabs/"
|
||||
- /
|
||||
- /abs/
|
||||
- /ecp/
|
||||
- /etc/
|
||||
- /ews/
|
||||
- /mcx/
|
||||
- /oab/
|
||||
- /owa/
|
||||
- /rgs/
|
||||
- /rpc/
|
||||
- /conf/
|
||||
- /meet/
|
||||
- /ocsp/
|
||||
- /ucwa/
|
||||
- /adfs/
|
||||
- /dialin/
|
||||
- /public/
|
||||
- /certsrv/
|
||||
- /exchweb/
|
||||
- /meeting/
|
||||
- /certprov/
|
||||
- /exchange/
|
||||
- /scheduler/
|
||||
- /webticket/
|
||||
- /autoupdate/
|
||||
- /certenroll/
|
||||
- /powershell/
|
||||
- /rgsclients/
|
||||
- /rpcwithcert/
|
||||
- /autodiscover/
|
||||
- /hybridconfig/
|
||||
- /reach/sip.svc
|
||||
- /aspnet_client/
|
||||
- /groupexpansion/
|
||||
- /persistentchat/
|
||||
- /requesthandler/
|
||||
- /unifiedmessaging/
|
||||
- /mcx/mcxservice.svc
|
||||
- /phoneconferencing/
|
||||
- /requesthandlerext/
|
||||
- /deviceupdatefiles_ext/
|
||||
- /deviceupdatefiles_int/
|
||||
- /microsoft-server-activesync/
|
||||
- /webticket/webticketservice.svc
|
||||
- /webticket/webticketservice.svcabs/
|
||||
- /adfs/services/trust/2005/windowstransport
|
||||
|
||||
attack: sniper
|
||||
threads: 50
|
||||
|
||||
raw:
|
||||
- |
|
||||
GET {{path}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "WWW-Authenticate: NTLM"
|
||||
- "Www-Authenticate: NTLM"
|
||||
part: header
|
||||
condition: or
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "contains(tolower(all_headers), 'www-authenticate: ntlm')"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 401
|
||||
|
||||
extractors:
|
||||
- type: kval
|
||||
kval:
|
||||
- 'www_authenticate'
|
||||
|
|
Loading…
Reference in New Issue