Merge pull request #2397 from projectdiscovery/ntlm-directories-update

ntlm-directories path/payload update
patch-1
Sandeep Singh 2021-08-14 16:59:59 +05:30 committed by GitHub
commit 787cbebd1f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 68 additions and 54 deletions

View File

@ -2,67 +2,81 @@ id: ntlm-directories
info:
name: Discovering directories w/ NTLM
author: puzzlepeaches
author: puzzlepeaches,incogbyte
severity: info
tags: misc
tags: misc,fuzz,windows
reference: https://medium.com/swlh/internal-information-disclosure-using-hidden-ntlm-authentication-18de17675666
requests:
- method: GET
- payloads:
path:
- "{{BaseURL}}/abs/"
- "{{BaseURL}}/adfs/services/trust/2005/windowstransport"
- "{{BaseURL}}/aspnet_client/"
- "{{BaseURL}}/autodiscover/"
- "{{BaseURL}}/autoupdate/"
- "{{BaseURL}}/certenroll/"
- "{{BaseURL}}/certprov/"
- "{{BaseURL}}/certsrv/"
- "{{BaseURL}}/conf/"
- "{{BaseURL}}/deviceupdatefiles_ext/"
- "{{BaseURL}}/deviceupdatefiles_int/"
- "{{BaseURL}}/dialin/"
- "{{BaseURL}}/ecp/"
- "{{BaseURL}}/etc/"
- "{{BaseURL}}/ews/"
- "{{BaseURL}}/exchange/"
- "{{BaseURL}}/exchweb/"
- "{{BaseURL}}/groupexpansion/"
- "{{BaseURL}}/hybridconfig/"
- "{{BaseURL}}/mcx/"
- "{{BaseURL}}/mcx/mcxservice.svc"
- "{{BaseURL}}/meet/"
- "{{BaseURL}}/meeting/"
- "{{BaseURL}}/microsoft-server-activesync/"
- "{{BaseURL}}/oab/"
- "{{BaseURL}}/ocsp/"
- "{{BaseURL}}/owa/"
- "{{BaseURL}}/persistentchat/"
- "{{BaseURL}}/phoneconferencing/"
- "{{BaseURL}}/powershell/"
- "{{BaseURL}}/public/"
- "{{BaseURL}}/reach/sip.svc"
- "{{BaseURL}}/requesthandler/"
- "{{BaseURL}}/requesthandlerext/"
- "{{BaseURL}}/rgs/"
- "{{BaseURL}}/rgsclients/"
- "{{BaseURL}}/rpc/"
- "{{BaseURL}}/rpcwithcert/"
- "{{BaseURL}}/scheduler/"
- "{{BaseURL}}/ucwa/"
- "{{BaseURL}}/unifiedmessaging/"
- "{{BaseURL}}/webticket/"
- "{{BaseURL}}/webticket/webticketservice.svc"
- "{{BaseURL}}/webticket/webticketservice.svcabs/"
- /
- /abs/
- /ecp/
- /etc/
- /ews/
- /mcx/
- /oab/
- /owa/
- /rgs/
- /rpc/
- /conf/
- /meet/
- /ocsp/
- /ucwa/
- /adfs/
- /dialin/
- /public/
- /certsrv/
- /exchweb/
- /meeting/
- /certprov/
- /exchange/
- /scheduler/
- /webticket/
- /autoupdate/
- /certenroll/
- /powershell/
- /rgsclients/
- /rpcwithcert/
- /autodiscover/
- /hybridconfig/
- /reach/sip.svc
- /aspnet_client/
- /groupexpansion/
- /persistentchat/
- /requesthandler/
- /unifiedmessaging/
- /mcx/mcxservice.svc
- /phoneconferencing/
- /requesthandlerext/
- /deviceupdatefiles_ext/
- /deviceupdatefiles_int/
- /microsoft-server-activesync/
- /webticket/webticketservice.svc
- /webticket/webticketservice.svcabs/
- /adfs/services/trust/2005/windowstransport
attack: sniper
threads: 50
raw:
- |
GET {{path}} HTTP/1.1
Host: {{Hostname}}
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
matchers-condition: and
matchers:
- type: word
words:
- "WWW-Authenticate: NTLM"
- "Www-Authenticate: NTLM"
part: header
condition: or
- type: dsl
dsl:
- "contains(tolower(all_headers), 'www-authenticate: ntlm')"
- type: status
status:
- 401
extractors:
- type: kval
kval:
- 'www_authenticate'