- Joined
- May 15, 2017
- Messages
- 982
- Likes
- 760
- Points
- 1,045
A fast and flexible NTLM reconnaissance tool without external dependencies. Useful to find out information about NTLM endpoints when working with a large set of potential IP addresses and domains.
NTLMRecon is built with flexibilty in mind. Need to run recon on a single URL, an IP address, an entire CIDR range or combination of all of it all put in a single input file? No problem! NTLMRecon got you covered. Read on.
Internal wordlists are from the awesome nyxgeek/lyncsmash repo
Overview
NTLMRecon looks for NTLM enabled web endpoints, sends a fake authentication request and enumerates the following information from the NTLMSSP response:
- AD Domain Name
- Server name
- DNS Domain Name
- FQDN
- Parent DNS Domain
Installation
Arch
If you're on Arch Linux or any Arch linux based distribution, you can grab the latest build from AUR
Generic Installation
- Clone the repository - git clone https://github.com/sachinkamath/ntlmrecon/
- RECOMMENDED - Install virtualenv pip install virtualenv
- Start a new virtual environment - virtualenv venv and activate it with source venv/bin/activate
- Run the setup file - python setup.py install
- Run ntlmrecon - ntlmrecon --help