Tuesday, February 24, 2015 At 10:06AM
Expanding on our previous blog post detailing NTLM information disclosure over HTTP, we’ve released six additional Nmap scripts to support this method among other common protocols that support NTLM authentication. The new supported protocols include MS-SQL, SMTP, IMAP, POP3, NNTP, and Telnet.
These scripts behave identically to the HTTP NTLM information disclosure script and produce the same output. The example below demonstrates the MS-SQL script, which leverages the MS-TDS protocol:
$ nmap -p1433 1.2.3.4 --script ms-sql-ntlm-info
Nmap scan report for 1.2.3.4
Host is up (0.040s latency).
PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s
| ms-sql-ntlm-info:
| Target_Name: ACTIVEDB
| NetBIOS_Domain_Name: ACTIVEDB
| NetBIOS_Computer_Name: DB-TEST2
| DNS_Domain_Name: somedomain.com
| DNS_Computer_Name: db-test2.somedomain.com
| DNS_Tree_Name: somedomain.com
|_ Product_Version: 6.1 (Build 7601)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
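The fields in the output above all come from one place: the NTLMSSP CHALLENGE_MESSAGE (Type 2) that the server sends back after the client's NEGOTIATE message, before any credential is supplied. The target name, the AV_PAIR list in TargetInfo and the optional Version block carry exactly the values shown. The following parser is an added example written for this post, not code from the GDS scripts or from Nmap; it follows the MS-NLMP layout and is exercised against a constructed sample message that reproduces the values from the scan output (the 8-byte server challenge in the sample is an arbitrary placeholder). It is the same extraction a defender can run over a captured challenge to see what a server is disclosing.

```python
"""Parse an NTLMSSP CHALLENGE_MESSAGE (Type 2) and extract the fields that the
ntlm-info Nmap scripts report. Layout per MS-NLMP 2.2.1.2 / 2.2.2.1."""
import struct

# AV_PAIR identifiers mapped to the labels the scripts print
AV_IDS = {
    1: "NetBIOS_Computer_Name",
    2: "NetBIOS_Domain_Name",
    3: "DNS_Computer_Name",
    4: "DNS_Domain_Name",
    5: "DNS_Tree_Name",
}
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000


def parse_ntlm_challenge(data: bytes) -> dict:
    """Return target name, TargetInfo AV pairs and OS version from a Type 2 message.
    Raises ValueError for anything that is not a well-formed CHALLENGE_MESSAGE."""
    if len(data) < 48 or data[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", data, 8)
    if msg_type != 2:
        raise ValueError("not a CHALLENGE_MESSAGE (type %d)" % msg_type)

    # Fixed header: TargetNameFields @12, NegotiateFlags @20, ServerChallenge @24,
    # Reserved @32, TargetInfoFields @40, Version @48 (if the VERSION flag is set)
    tn_len, _, tn_off = struct.unpack_from("<HHI", data, 12)
    (flags,) = struct.unpack_from("<I", data, 20)
    ti_len, _, ti_off = struct.unpack_from("<HHI", data, 40)

    def field(off, length):
        # Bounds check so a truncated or malicious message cannot read past the buffer
        if off + length > len(data):
            raise ValueError("field extends past end of message")
        return data[off:off + length]

    # TargetName honours the UNICODE flag; AV_PAIR string values are always UTF-16LE
    name_enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    info = {"Target_Name": field(tn_off, tn_len).decode(name_enc, "replace")}

    # Walk the AV_PAIR list: AvId(2) AvLen(2) Value(AvLen), ended by MsvAvEOL (id 0)
    blob = field(ti_off, ti_len)
    pos = 0
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:
            break
        value = blob[pos:pos + av_len]
        pos += av_len
        if av_id in AV_IDS:
            info[AV_IDS[av_id]] = value.decode("utf-16-le", "replace")

    # Version: ProductMajor(1) ProductMinor(1) ProductBuild(2) Reserved(3) NTLMRevision(1)
    if flags & NTLMSSP_NEGOTIATE_VERSION and len(data) >= 56:
        major, minor, build = struct.unpack_from("<BBH", data, 48)
        info["Product_Version"] = "%d.%d (Build %d)" % (major, minor, build)
    return info


def build_sample_challenge() -> bytes:
    """Constructed sample, not a capture: a Type 2 message carrying the values
    from the ms-sql-ntlm-info output in the post. The server challenge is a
    placeholder."""
    u = lambda s: s.encode("utf-16-le")
    target_name = u("ACTIVEDB")
    pairs = [(2, u("ACTIVEDB")), (1, u("DB-TEST2")), (4, u("somedomain.com")),
             (3, u("db-test2.somedomain.com")), (5, u("somedomain.com"))]
    target_info = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in pairs)
    target_info += struct.pack("<HH", 0, 0)  # MsvAvEOL terminator
    flags = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_TARGET_INFO
             | NTLMSSP_NEGOTIATE_VERSION)
    tn_off = 56                      # payload starts right after the fixed header
    ti_off = tn_off + len(target_name)
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target_name), len(target_name), tn_off)
    msg += struct.pack("<I", flags)
    msg += b"\x11" * 8               # ServerChallenge (placeholder value)
    msg += b"\x00" * 8               # Reserved
    msg += struct.pack("<HHI", len(target_info), len(target_info), ti_off)
    msg += struct.pack("<BBH", 6, 1, 7601) + b"\x00\x00\x00" + b"\x0f"  # 6.1 build 7601
    return msg + target_name + target_info


if __name__ == "__main__":
    for key, value in parse_ntlm_challenge(build_sample_challenge()).items():
        print("%s: %s" % (key, value))
```

The parser only reads the fields; it never sends the follow-up AUTHENTICATE message, which is why this data is exposed to any unauthenticated client. The bounds check in field() matters when the input is a real capture, since the offsets in the header are attacker-controlled from the client's point of view and from the server's point of view if a rogue endpoint is involved.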
Such information is useful for network reconnaissance, as the disclosed values may feed more complex attacks: using domain information to brute force accounts, identifying internal hostnames during external-to-internal pivoting, or determining end-of-life operating systems.
These scripts have been tested against all current and past versions of Microsoft SQL, SMTP, IMAP, POP3, NNTP, and Telnet. The HTTP NTLM script (http-ntlm-info.nse) has been committed to the Nmap source tree. The other scripts have been submitted and are awaiting inclusion.
The scripts along with documentation have been published on the GDS Github repository at the following location:
https://github.com/GDSSecurity/Nmap-Scripts/tree/master/NTLM-Info-Disclosure
Author: Justin Cacak
©Aon plc 2023