85 lines
2.1 KiB
YAML
85 lines
2.1 KiB
YAML
id: ntlm-directories
|
|
|
|
info:
|
|
name: Discovering directories w/ NTLM
|
|
author: puzzlepeaches,incogbyte
|
|
severity: info
|
|
reference:
|
|
- https://medium.com/swlh/internal-information-disclosure-using-hidden-ntlm-authentication-18de17675666
|
|
metadata:
|
|
max-request: 47
|
|
tags: miscellaneous,misc,fuzz,windows
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET {{path}} HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
|
|
|
|
threads: 10
|
|
payloads:
|
|
path:
|
|
- /
|
|
- /abs/
|
|
- /ecp/
|
|
- /etc/
|
|
- /ews/
|
|
- /mcx/
|
|
- /oab/
|
|
- /owa/
|
|
- /rgs/
|
|
- /rpc/
|
|
- /conf/
|
|
- /meet/
|
|
- /ocsp/
|
|
- /ucwa/
|
|
- /adfs/
|
|
- /dialin/
|
|
- /public/
|
|
- /certsrv/
|
|
- /exchweb/
|
|
- /meeting/
|
|
- /certprov/
|
|
- /exchange/
|
|
- /scheduler/
|
|
- /webticket/
|
|
- /autoupdate/
|
|
- /certenroll/
|
|
- /powershell/
|
|
- /rgsclients/
|
|
- /rpcwithcert/
|
|
- /autodiscover/
|
|
- /hybridconfig/
|
|
- /reach/sip.svc
|
|
- /aspnet_client/
|
|
- /groupexpansion/
|
|
- /persistentchat/
|
|
- /requesthandler/
|
|
- /unifiedmessaging/
|
|
- /mcx/mcxservice.svc
|
|
- /phoneconferencing/
|
|
- /requesthandlerext/
|
|
- /deviceupdatefiles_ext/
|
|
- /deviceupdatefiles_int/
|
|
- /microsoft-server-activesync/
|
|
- /webticket/webticketservice.svc
|
|
- /webticket/webticketservice.svcabs/
|
|
- /adfs/services/trust/2005/windowstransport
|
|
- /internal_windows_authentication/
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- "contains(tolower(header), 'www-authenticate: ntlm')"
|
|
|
|
- type: status
|
|
status:
|
|
- 401
|
|
|
|
extractors:
|
|
- type: kval
|
|
kval:
|
|
- 'www_authenticate'
|
|
# digest: 4a0a0047304502205d7dadfbaf6f4fa5ee42494a2c579a1e1e673e8326c6524b66a397b17b38644002210099a781aec9fa8081e77aa23d7f6b6a14046ccd4ef8fd390b6376781f660d71ac:922c64590222798bb761d5b6d8e72950 |