# Nuclei template: reports web paths that answer an NTLM negotiate request with
# a 401 and an NTLM WWW-Authenticate header.
id: ntlm-directories

info:
  name: Discovering directories w/ NTLM
  author: puzzlepeaches,incogbyte
  severity: info
  tags: misc,fuzz,windows
  reference: https://medium.com/swlh/internal-information-disclosure-using-hidden-ntlm-authentication-18de17675666

requests:
  - raw:
      # The Authorization value is a fixed NTLMSSP Type 1 (negotiate) message;
      # it carries no username or password. Because the blob is constant, the
      # same value repeated across the paths below is easy to spot in web
      # server or proxy logs.
      - |
        GET {{path}} HTTP/1.1
        Host: {{Hostname}}
        Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=

    # One request is sent per entry; {{path}} in the raw request is replaced
    # with each value in turn.
    payloads:
      path:
        - /
        - /abs/
        - /ecp/
        - /etc/
        - /ews/
        - /mcx/
        - /oab/
        - /owa/
        - /rgs/
        - /rpc/
        - /conf/
        - /meet/
        - /ocsp/
        - /ucwa/
        - /adfs/
        - /dialin/
        - /public/
        - /certsrv/
        - /exchweb/
        - /meeting/
        - /certprov/
        - /exchange/
        - /scheduler/
        - /webticket/
        - /autoupdate/
        - /certenroll/
        - /powershell/
        - /rgsclients/
        - /rpcwithcert/
        - /autodiscover/
        - /hybridconfig/
        - /reach/sip.svc
        - /aspnet_client/
        - /groupexpansion/
        - /persistentchat/
        - /requesthandler/
        - /unifiedmessaging/
        - /mcx/mcxservice.svc
        - /phoneconferencing/
        - /requesthandlerext/
        - /deviceupdatefiles_ext/
        - /deviceupdatefiles_int/
        - /microsoft-server-activesync/
        - /webticket/webticketservice.svc
        # NOTE(review): the next entry looks like two list items fused together
        # ("/webticket/webticketservice.svc" + "/abs/", both already present
        # above) - confirm against the original wordlist before relying on it.
        - /webticket/webticketservice.svcabs/
        - /adfs/services/trust/2005/windowstransport

    attack: sniper
    # NOTE(review): 50 concurrent requests is a lot for a production mail or
    # collaboration front end; confirm this rate is acceptable for the targets
    # in scope.
    threads: 50

    # Both matchers must hold: an NTLM challenge header AND a 401 status.
    matchers-condition: and
    matchers:
      # Headers are lower-cased first, so the comparison is case-insensitive.
      - type: dsl
        dsl:
          - "contains(tolower(all_headers), 'www-authenticate: ntlm')"

      - type: status
        status:
          - 401

    # Records the WWW-Authenticate header of each hit. Per the referenced
    # write-up, the server's NTLM challenge in that header can disclose internal
    # host and domain names, so treat scan output as sensitive and review
    # whether flagged endpoints need to offer NTLM to untrusted networks.
    extractors:
      - type: kval
        kval:
          - 'www_authenticate'