nuclei-templates/http/miscellaneous/ntlm-directories.yaml

85 lines
2.1 KiB
YAML

id: ntlm-directories
info:
name: Discovering directories w/ NTLM
author: puzzlepeaches,incogbyte
severity: info
reference:
- https://medium.com/swlh/internal-information-disclosure-using-hidden-ntlm-authentication-18de17675666
metadata:
max-request: 47
tags: miscellaneous,misc,brute-force,windows
http:
- raw:
- |
GET {{path}} HTTP/1.1
Host: {{Hostname}}
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
threads: 10
payloads:
path:
- /
- /abs/
- /ecp/
- /etc/
- /ews/
- /mcx/
- /oab/
- /owa/
- /rgs/
- /rpc/
- /conf/
- /meet/
- /ocsp/
- /ucwa/
- /adfs/
- /dialin/
- /public/
- /certsrv/
- /exchweb/
- /meeting/
- /certprov/
- /exchange/
- /scheduler/
- /webticket/
- /autoupdate/
- /certenroll/
- /powershell/
- /rgsclients/
- /rpcwithcert/
- /autodiscover/
- /hybridconfig/
- /reach/sip.svc
- /aspnet_client/
- /groupexpansion/
- /persistentchat/
- /requesthandler/
- /unifiedmessaging/
- /mcx/mcxservice.svc
- /phoneconferencing/
- /requesthandlerext/
- /deviceupdatefiles_ext/
- /deviceupdatefiles_int/
- /microsoft-server-activesync/
- /webticket/webticketservice.svc
- /webticket/webticketservice.svcabs/
- /adfs/services/trust/2005/windowstransport
- /internal_windows_authentication/
matchers-condition: and
matchers:
- type: dsl
dsl:
- "contains(tolower(header), 'www-authenticate: ntlm')"
- type: status
status:
- 401
extractors:
- type: kval
kval:
- 'www_authenticate'
# digest: 490a0046304402200a05ea870666eee48577a157024321b3b701df3941aa08adbe86c1c7578f45800220292bd31848e67981ba0ccf179e803f3828df98bdd978eb74f1403f9501642131:922c64590222798bb761d5b6d8e72950