Nmap Development mailing list archives
[NSE] Script Submissions: NTLM Information Disclosure (MS-SQL, SMTP, IMAP, & POP3)
From: "NMap User1" <nmapuser1 () gmail com>
Date: Tue, 8 Apr 2014 10:44:03 -0400
Hello,

Following up on my previous script, http-ntlm-info, attached are four additional scripts that support this enumeration method among other common protocols that support NTLM authentication. In summary, if NTLM authentication is enabled, by sending an NTLM authentication request with null domain and user credentials, the remote service will respond with an NTLMSSP message and disclose information including NetBIOS, DNS, and OS build version.

The attached scripts include the following services:

* MS-SQL
* SMTP
* IMAP
* POP3

Similar to the HTTP NTLM information disclosure script, these function with identical/consistent behavior and output. As an example, below demonstrates usage of the MS-SQL script leveraging the MS-TDS protocol:

#nmap -p1433 1.2.3.4 --script ms-sql-ntlm-info

Nmap scan report for 1.2.3.4
Host is up (0.040s latency).
PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s
| ms-sql-ntlm-info:
|   Target_Name: ACTIVESQL
|   NetBIOS_Domain_Name: ACTIVESQL
|   NetBIOS_Computer_Name: DB-TEST2
|   DNS_Domain_Name: somedomain.com
|   DNS_Computer_Name: db-test2.somedomain.com
|   DNS_Tree_Name: somedomain.com
|_  Product_Version: 6.1 (Build 7601)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

These scripts have been classified as 'default' as they are non-malicious and no log entries are created.

Cheers,
Justin
Attachments:
ms-sql-ntlm-info.nse
imap-ntlm-info.nse
pop3-ntlm-info.nse
smtp-ntlm-info.nse
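What the scripts read out of the service's reply, as an added example that is not part of the post or of the submitted .nse scripts: a Python parser for the NTLMSSP CHALLENGE_MESSAGE (Type 2) that extracts the same fields the sample output lists (target name, the AV_PAIR host names, and the Version block), run against a constructed Type 2 message carrying the values from the post rather than a real capture. Field offsets, flag bits and AV_PAIR ids follow MS-NLMP; the output labels mirror the script's.

```python
import struct

# AV_PAIR ids (MS-NLMP 2.2.2.1) mapped to the labels the *-ntlm-info scripts print
AV_NAMES = {1: "NetBIOS_Computer_Name", 2: "NetBIOS_Domain_Name", 3: "DNS_Computer_Name",
            4: "DNS_Domain_Name", 5: "DNS_Tree_Name"}
NEGOTIATE_VERSION, NEGOTIATE_TARGET_INFO, NEGOTIATE_UNICODE = 0x02000000, 0x00800000, 0x1


def parse_challenge(msg: bytes) -> dict:
    """Extract the host details an NTLMSSP CHALLENGE_MESSAGE (Type 2) discloses."""
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", msg, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)   # TargetInfoFields
    info = {"Target_Name": msg[tn_off:tn_off + tn_len].decode("utf-16-le", "replace")}
    # The 8-byte Version block at offset 48 is only meaningful when NEGOTIATE_VERSION is set
    if flags & NEGOTIATE_VERSION and len(msg) >= 56:
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        info["Product_Version"] = f"{major}.{minor} (Build {build})"
    pos, end = ti_off, min(ti_off + ti_len, len(msg))
    while pos + 4 <= end:                       # walk AV_PAIRs until MsvAvEOL (id 0)
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:
            break
        if av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = msg[pos:pos + av_len].decode("utf-16-le", "replace")
        pos += av_len
    return info


def build_sample_challenge() -> bytes:
    """Constructed Type 2 message carrying the values from the post; not a real capture."""
    def u16(s: str) -> bytes:
        return s.encode("utf-16-le")
    target = u16("ACTIVESQL")
    pairs = [(2, u16("ACTIVESQL")), (1, u16("DB-TEST2")), (4, u16("somedomain.com")),
             (3, u16("db-test2.somedomain.com")), (5, u16("somedomain.com")), (0, b"")]
    target_info = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in pairs)
    flags = NEGOTIATE_VERSION | NEGOTIATE_TARGET_INFO | NEGOTIATE_UNICODE
    hdr = b"NTLMSSP\x00" + struct.pack("<I", 2)
    hdr += struct.pack("<HHI", len(target), len(target), 56)      # payload follows the 56-byte header
    hdr += struct.pack("<I", flags) + b"\x11" * 8 + b"\x00" * 8   # flags, dummy ServerChallenge, Reserved
    hdr += struct.pack("<HHI", len(target_info), len(target_info), 56 + len(target))
    hdr += struct.pack("<BBH", 6, 1, 7601) + b"\x00\x00\x00\x0f"  # Version 6.1 build 7601, NTLMSSP_REVISION_W2K3
    return hdr + target + target_info
```

Feeding a captured Type 2 message from an SMTP, IMAP, POP3 or TDS exchange to parse_challenge() shows exactly which host names and build number a service is handing to unauthenticated clients.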
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/