id: ntlm-directories info: name: Discovering directories w/ NTLM author: puzzlepeaches severity: info requests: - method: GET path: - "{{BaseURL}}/abs/" - "{{BaseURL}}/adfs/services/trust/2005/windowstransport" - "{{BaseURL}}/aspnet_client/" - "{{BaseURL}}/autodiscover/" - "{{BaseURL}}/autoupdate/" - "{{BaseURL}}/certenroll/" - "{{BaseURL}}/certprov/" - "{{BaseURL}}/certsrv/" - "{{BaseURL}}/conf/" - "{{BaseURL}}/deviceupdatefiles_ext/" - "{{BaseURL}}/deviceupdatefiles_int/" - "{{BaseURL}}/dialin/" - "{{BaseURL}}/ecp/" - "{{BaseURL}}/etc/" - "{{BaseURL}}/ews/" - "{{BaseURL}}/exchange/" - "{{BaseURL}}/exchweb/" - "{{BaseURL}}/groupexpansion/" - "{{BaseURL}}/hybridconfig/" - "{{BaseURL}}/mcx/" - "{{BaseURL}}/mcx/mcxservice.svc" - "{{BaseURL}}/meet/" - "{{BaseURL}}/meeting/" - "{{BaseURL}}/microsoft-server-activesync/" - "{{BaseURL}}/oab/" - "{{BaseURL}}/ocsp/" - "{{BaseURL}}/owa/" - "{{BaseURL}}/persistentchat/" - "{{BaseURL}}/phoneconferencing/" - "{{BaseURL}}/powershell/" - "{{BaseURL}}/public/" - "{{BaseURL}}/reach/sip.svc" - "{{BaseURL}}/requesthandler/" - "{{BaseURL}}/requesthandlerext/" - "{{BaseURL}}/rgs/" - "{{BaseURL}}/rgsclients/" - "{{BaseURL}}/rpc/" - "{{BaseURL}}/rpcwithcert/" - "{{BaseURL}}/scheduler/" - "{{BaseURL}}/ucwa/" - "{{BaseURL}}/unifiedmessaging/" - "{{BaseURL}}/webticket/" - "{{BaseURL}}/webticket/webticketservice.svc" - "{{BaseURL}}/webticket/webticketservice.svcabs/" matchers-condition: and matchers: - type: word words: - "WWW-Authenticate: NTLM" - "Www-Authenticate: NTLM" part: header condition: or - type: status status: - 401