id: ntlm-directories info: name: Discovering directories w/ NTLM author: puzzlepeaches,incogbyte severity: info reference: - https://medium.com/swlh/internal-information-disclosure-using-hidden-ntlm-authentication-18de17675666 metadata: max-request: 47 tags: miscellaneous,misc,bruteforce,windows http: - raw: - | GET {{path}} HTTP/1.1 Host: {{Hostname}} Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= threads: 10 payloads: path: - / - /abs/ - /ecp/ - /etc/ - /ews/ - /mcx/ - /oab/ - /owa/ - /rgs/ - /rpc/ - /conf/ - /meet/ - /ocsp/ - /ucwa/ - /adfs/ - /dialin/ - /public/ - /certsrv/ - /exchweb/ - /meeting/ - /certprov/ - /exchange/ - /scheduler/ - /webticket/ - /autoupdate/ - /certenroll/ - /powershell/ - /rgsclients/ - /rpcwithcert/ - /autodiscover/ - /hybridconfig/ - /reach/sip.svc - /aspnet_client/ - /groupexpansion/ - /persistentchat/ - /requesthandler/ - /unifiedmessaging/ - /mcx/mcxservice.svc - /phoneconferencing/ - /requesthandlerext/ - /deviceupdatefiles_ext/ - /deviceupdatefiles_int/ - /microsoft-server-activesync/ - /webticket/webticketservice.svc - /webticket/webticketservice.svcabs/ - /adfs/services/trust/2005/windowstransport - /internal_windows_authentication/ matchers-condition: and matchers: - type: dsl dsl: - "contains(tolower(header), 'www-authenticate: ntlm')" - type: status status: - 401 extractors: - type: kval kval: - 'www_authenticate' # digest: 490a0046304402200998332a900ab3a010afc671de86d7e0dce353842f87b01101f55fc8d3dfa8680220470194bf7c344099f16ae411b214e3f983275e7c5eb172f3d2fb448b8b16921a:922c64590222798bb761d5b6d8e72950