Nmap Development mailing list archives
Re: [NSE] Script Submission: HTTP NTLM Information Disclosure
From: nmap user <nmapuser1 () gmail com>
Date: Thu, 6 Feb 2014 15:55:46 -0500
Hi Daniel,

Thanks for the feedback. Attached is the revised code leveraging the smbauth.get_host_info_from_security_blob() function where possible.

As for logging -- within IIS, the script event is logged as '401' (Unauthorized), the same as if a web browser visited the page with NTLM authentication enabled. When anonymous access is permitted to the web server this request is simply logged as a '200' (since NTLM auth is disabled).

Thanks,
Justin

On Wed, Feb 5, 2014 at 1:22 PM, Daniel Miller <bonsaiviking () gmail com> wrote:

> On 02/04/2014 02:53 PM, nmap user wrote:
>
>> Hello,
>>
>> Attached is an NSE implementation to anonymously enumerate remote NetBIOS, DNS, and OS details from HTTP services with NTLM authentication enabled. By sending an HTTP NTLM authentication request with null domain and user credentials (passed in the 'Authorization' header), the remote web server will respond with an NTLMSSP message (encoded within the 'WWW-Authenticate' header) and disclose information including NetBIOS, DNS, and OS build version.
>>
>> Example output:
>>
>> #nmap -p443 1.2.3.4 --script http-ntlm-info-disclosure
>>
>> Nmap scan report for 1.2.3.4
>> Host is up (0.040s latency).
>> PORT    STATE SERVICE VERSION
>> 443/tcp open  https
>> | http-ntlm-info-disclosure:
>> |   Target_Name: ACTIVEWEB
>> |   NetBIOS_Domain_Name: ACTIVEWEB
>> |   NetBIOS_Computer_Name: PRODWEB001
>> |   DNS_Domain_Name: activeweb.somedomain.com
>> |   DNS_Computer_Name: prodweb001.activeweb.somedomain.com
>> |   DNS_Tree_Name: activeweb.somedomain.com
>> |_  Product_Version: 5.2 (Build 3790)
>> Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
>>
>> This script has been tested against all Microsoft IIS versions and open source HTTP NTLM implementations.
>>
>> Cheers,
>> -Justin
>
> Justin,
>
> Thanks for this script! It looks like some good information, and I'm excited to add it to Nmap. There are a few things I'd like to see first, if you don't mind:
>
> 1. You've chosen "default" as a category. In your testing, did you see what kind of logs this query leaves behind? If it causes 403 Forbidden logs that wouldn't otherwise be left by a browser, we may have to remove it from the "default" category.
>
> 2. I'm pretty sure the smbauth.get_host_info_from_security_blob() function does a lot of the parsing you do in this script, including the Unicode (UCS-2) handling. It would be better to use this function, if at all possible, in order to avoid duplicating code. I just wrote some documentation for it, so hopefully that will show up soon.
>
> 3. We've started enforcing some code quality standards. If you follow the guidelines here, it will make integration easier for everyone: https://secwiki.org/w/Nmap/Code_Standards
>
> Thanks again, and I look forward to seeing your answers.
>
> Dan
Attachment: http-ntlm-info-disclosure.nse
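The thread describes what the script reads out of the server's NTLMSSP CHALLENGE (Type 2) message: the TargetName field, the AV_PAIR list in TargetInfo (NetBIOS and DNS names) and the Version structure. The following is an added example, not the attached NSE script and not Nmap's smbauth library; it is a stand-alone Python reimplementation of that parsing, following the field layout in MS-NLMP (CHALLENGE_MESSAGE and AV_PAIR), that a server administrator can point at a captured WWW-Authenticate header to see exactly which host details an NTLM-enabled site discloses before any credential is supplied. The sample header is constructed here (with the names and build number from the example output above, and a fixed placeholder ServerChallenge) so the block runs offline; build_challenge exists only to produce that sample.

```python
"""Decode the NTLMSSP CHALLENGE (Type 2) message carried in a WWW-Authenticate header.

Layout per MS-NLMP 2.2.1.2 (CHALLENGE_MESSAGE) and 2.2.2.1 (AV_PAIR).
Added example; not the NSE script from the thread and not Nmap's smbauth code.
"""
import base64
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000

AV_EOL = 0x0000
# AV_PAIR identifiers (MS-NLMP 2.2.2.1), labelled as in the script's output above
AV_IDS = {
    0x0001: "NetBIOS_Computer_Name",
    0x0002: "NetBIOS_Domain_Name",
    0x0003: "DNS_Computer_Name",
    0x0004: "DNS_Domain_Name",
    0x0005: "DNS_Tree_Name",
}


def parse_challenge(blob: bytes) -> dict:
    """Return the host details disclosed by a CHALLENGE_MESSAGE."""
    if len(blob) < 48 or blob[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    if msg_type != 2:
        raise ValueError("not a CHALLENGE (type 2) message: type %d" % msg_type)

    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", blob, 12)   # TargetNameFields
    (flags,) = struct.unpack_from("<I", blob, 20)                     # NegotiateFlags
    # bytes 24..31 ServerChallenge, 32..39 Reserved: not needed for host details
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", blob, 40)   # TargetInfoFields

    # TargetName is Unicode when the UNICODE flag is set, otherwise an OEM string
    codec = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    info = {}
    if tn_len:
        info["Target_Name"] = blob[tn_off:tn_off + tn_len].decode(codec)

    if flags & NTLMSSP_NEGOTIATE_TARGET_INFO and ti_len:
        pos, end = ti_off, ti_off + ti_len
        while pos + 4 <= end:
            av_id, av_len = struct.unpack_from("<HH", blob, pos)
            pos += 4
            if av_id == AV_EOL:
                break
            value = blob[pos:pos + av_len]
            pos += av_len
            name = AV_IDS.get(av_id)
            if name:
                info[name] = value.decode("utf-16-le")  # AV_PAIR strings are always Unicode

    if flags & NTLMSSP_NEGOTIATE_VERSION and len(blob) >= 56:
        major, minor, build = struct.unpack_from("<BBH", blob, 48)   # VERSION structure
        info["Product_Version"] = "%d.%d (Build %d)" % (major, minor, build)
    return info


def parse_www_authenticate(header: str) -> dict:
    """Take a 'NTLM <base64>' header value and return the parsed host details."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("header does not carry an NTLM challenge token")
    return parse_challenge(base64.b64decode(token))


def build_challenge(target: str, av_pairs, version) -> bytes:
    """Assemble a CHALLENGE_MESSAGE; used only to construct the sample below."""
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_VERSION
    target_name = target.encode("utf-16-le")
    target_info = b"".join(
        struct.pack("<HH", av_id, len(v.encode("utf-16-le"))) + v.encode("utf-16-le")
        for av_id, v in av_pairs
    ) + struct.pack("<HH", AV_EOL, 0)
    major, minor, build = version
    header_len = 56  # fixed header including the 8-byte VERSION structure
    hdr = b"NTLMSSP\x00" + struct.pack("<I", 2)
    hdr += struct.pack("<HHI", len(target_name), len(target_name), header_len)
    hdr += struct.pack("<I", flags)
    hdr += b"\x11" * 8   # ServerChallenge: constructed placeholder, a real server sends random bytes
    hdr += b"\x00" * 8   # Reserved
    hdr += struct.pack("<HHI", len(target_info), len(target_info), header_len + len(target_name))
    hdr += struct.pack("<BBH", major, minor, build) + b"\x00\x00\x00\x0f"  # Version, NTLMRevisionCurrent
    return hdr + target_name + target_info


# Constructed sample header reproducing the names from the example output in the thread
SAMPLE_HEADER = "NTLM " + base64.b64encode(build_challenge(
    "ACTIVEWEB",
    [(0x0002, "ACTIVEWEB"), (0x0001, "PRODWEB001"),
     (0x0004, "activeweb.somedomain.com"),
     (0x0003, "prodweb001.activeweb.somedomain.com"),
     (0x0005, "activeweb.somedomain.com")],
    (5, 2, 3790),
)).decode("ascii")

if __name__ == "__main__":
    for key, value in parse_www_authenticate(SAMPLE_HEADER).items():
        print("%s: %s" % (key, value))
```

Feeding a header copied from your own server's response (curl -sI with an Authorization: NTLM TlRMTVNTUAABAAAA... negotiate token, or a browser's developer tools) shows the same fields the script reports; if the DNS tree name or build number appearing there is more than you want exposed to unauthenticated clients, that is the signal to front the site with Negotiate/Kerberos only or restrict NTLM to trusted networks.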
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] Script Submission: HTTP NTLM Information Disclosure nmap user (Feb 04)
- Re: [NSE] Script Submission: HTTP NTLM Information Disclosure Daniel Miller (Feb 05)
- Re: [NSE] Script Submission: HTTP NTLM Information Disclosure nmap user (Feb 06)
- Re: [NSE] Script Submission: HTTP NTLM Information Disclosure Daniel Miller (Feb 07)
- Re: [NSE] Script Submission: HTTP NTLM Information Disclosure nmap user (Feb 06)
- Re: [NSE] Script Submission: HTTP NTLM Information Disclosure Daniel Miller (Feb 05)