nuclei-templates/technologies/ntlm-directories.yaml


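# Nuclei template: requests a fixed list of paths commonly served by
# Microsoft web services (Exchange, AD FS, certificate services,
# Lync/Skype for Business) and reports each path whose response headers
# contain a WWW-Authenticate challenge.
#
# Defender note: a hit means the path is reachable and prompts for HTTP
# authentication. Review whether each reported endpoint needs to be
# exposed on this interface, or can be restricted or placed behind
# pre-authentication.
id: ntlm-directories

info:
  name: Discovering directories w/ NTLM
  author: puzzlepeaches
  severity: low

requests:
  - method: GET
    # The published list contained every path twice, with the end of the
    # first copy fused to the start of the second
    # ("/webticket/webticketservice.svcabs/"). Each path is listed once
    # here so no request is repeated and no malformed path is sent.
    path:
      - "{{BaseURL}}/abs/"
      - "{{BaseURL}}/adfs/services/trust/2005/windowstransport"
      - "{{BaseURL}}/aspnet_client/"
      - "{{BaseURL}}/autodiscover/"
      - "{{BaseURL}}/autoupdate/"
      - "{{BaseURL}}/certenroll/"
      - "{{BaseURL}}/certprov/"
      - "{{BaseURL}}/certsrv/"
      - "{{BaseURL}}/conf/"
      - "{{BaseURL}}/deviceupdatefiles_ext/"
      - "{{BaseURL}}/deviceupdatefiles_int/"
      - "{{BaseURL}}/dialin/"
      - "{{BaseURL}}/ecp/"
      - "{{BaseURL}}/etc/"
      - "{{BaseURL}}/ews/"
      - "{{BaseURL}}/exchange/"
      - "{{BaseURL}}/exchweb/"
      - "{{BaseURL}}/hybridconfig/"
      - "{{BaseURL}}/groupexpansion/"
      - "{{BaseURL}}/mcx/"
      - "{{BaseURL}}/mcx/mcxservice.svc"
      - "{{BaseURL}}/meet/"
      - "{{BaseURL}}/meeting/"
      - "{{BaseURL}}/microsoft-server-activesync/"
      - "{{BaseURL}}/oab/"
      - "{{BaseURL}}/ocsp/"
      - "{{BaseURL}}/owa/"
      - "{{BaseURL}}/persistentchat/"
      - "{{BaseURL}}/phoneconferencing/"
      - "{{BaseURL}}/powershell/"
      - "{{BaseURL}}/public/"
      - "{{BaseURL}}/reach/sip.svc"
      - "{{BaseURL}}/requesthandler/"
      - "{{BaseURL}}/requesthandlerext/"
      - "{{BaseURL}}/rgs/"
      - "{{BaseURL}}/rgsclients/"
      - "{{BaseURL}}/rpc/"
      - "{{BaseURL}}/rpcwithcert/"
      - "{{BaseURL}}/scheduler/"
      - "{{BaseURL}}/ucwa/"
      - "{{BaseURL}}/unifiedmessaging/"
      - "{{BaseURL}}/webticket/"
      - "{{BaseURL}}/webticket/webticketservice.svc"

    matchers:
      # NOTE(review): this matches on the header name only. Any scheme in
      # the challenge (Basic, Bearer, Negotiate, NTLM) produces a hit, so
      # confirm the advertised scheme before recording a result as NTLM.
      # The word match is case-sensitive as written; verify that the
      # header name reaches the matcher in this exact casing.
      - type: word
        words:
          - "WWW-Authenticate"
        # Has no effect while the list holds a single word.
        condition: and
        part: header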