Nmap Development mailing list archives

[NSE] Script Submissions: NTLM Information Disclosure (MS-SQL, SMTP, IMAP, & POP3)


From: "NMap User1" <nmapuser1 () gmail com>
Date: Tue, 8 Apr 2014 10:44:03 -0400

Hello,

Following up on my previous script, http-ntlm-info, attached are four
additional scripts that support this enumeration method among other common
protocols that support NTLM authentication.

In summary, if NTLM authentication is enabled, by sending an NTLM
authentication request with null domain and user credentials, the remote
service will respond with a NTLMSSP message and disclose information
including NetBIOS, DNS, and OS build version.

The attached scripts include the following services:
* MS-SQL
* SMTP
* IMAP
* POP3

Similar to the HTTP NTLM information disclosure script, these function with
identical/consistent behavior and output. As an example, the output below
demonstrates usage of the MS-SQL script leveraging the MS-TDS protocol:

#nmap -p1433 1.2.3.4 --script ms-sql-ntlm-info
Nmap scan report for 1.2.3.4
Host is up (0.040s latency). 
PORT STATE SERVICE VERSION
1433/tcp open ms-sql-s
| ms-sql-ntlm-info:
|  Target_Name: ACTIVESQL
|  NetBIOS_Domain_Name: ACTIVESQL
|  NetBIOS_Computer_Name: DB-TEST2
|  DNS_Domain_Name: somedomain.com
|  DNS_Computer_Name: db-test2.somedomain.com
|  DNS_Tree_Name: somedomain.com
|_ Product_Version: 6.1 (Build 7601)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

These scripts have been classified as 'default' as they are non-malicious
and no log entries are created.

Cheers,
Justin
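The disclosure the post describes comes from the NTLM CHALLENGE_MESSAGE (Type 2) that the server returns: its TargetInfo block is a list of AV_PAIR entries carrying the NetBIOS and DNS names, and the optional Version field carries the OS major/minor/build. The following is an added example, written in Python rather than NSE Lua, and is not code from the submitted scripts; it decodes such a message into the same field names the scan output above shows, with bounds checks on every offset and length so that a malformed or hostile reply cannot cause an out-of-range read. The sample message is constructed inline (the helper `build_challenge`, the flag constants and the values such as ACTIVESQL are assumptions for the demonstration, chosen to mirror the scan output in the post), so nothing is sent to any host.

```python
import struct

# AvId values from MS-NLMP 2.2.2.1 (AV_PAIR), mapped to the field names the
# ntlm-info scripts print.
AV_NAMES = {
    1: "NetBIOS_Computer_Name",
    2: "NetBIOS_Domain_Name",
    3: "DNS_Computer_Name",
    4: "DNS_Domain_Name",
    5: "DNS_Tree_Name",
}

# NegotiateFlags bits from MS-NLMP 2.2.2.5 (assumed values, checked against the spec)
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_TARGET_TYPE_DOMAIN = 0x00010000
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000


def parse_challenge(msg: bytes) -> dict:
    """Decode an NTLM CHALLENGE_MESSAGE (Type 2) into the disclosed fields.

    Raises ValueError on anything malformed; a server reply is untrusted input.
    """
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 2:
        raise ValueError("not a CHALLENGE_MESSAGE (type %d)" % msg_type)

    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", msg, 12)   # TargetNameFields
    (flags,) = struct.unpack_from("<I", msg, 20)                     # NegotiateFlags
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", msg, 40)   # TargetInfoFields
    # Offsets are relative to the start of the message and server-controlled:
    # check them before slicing.
    if tn_off + tn_len > len(msg) or ti_off + ti_len > len(msg):
        raise ValueError("field offset/length exceeds message")

    info = {"Target_Name": msg[tn_off:tn_off + tn_len].decode("utf-16-le", "replace")}

    if flags & NTLMSSP_NEGOTIATE_VERSION:
        if len(msg) < 56:
            raise ValueError("VERSION flag set but Version field missing")
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        info["Product_Version"] = "%d.%d (Build %d)" % (major, minor, build)

    # Walk the AV_PAIR list: AvId(2) AvLen(2) Value, terminated by MsvAvEOL (0).
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:
            break
        if pos + av_len > end:
            raise ValueError("AV_PAIR overruns TargetInfo")
        value = msg[pos:pos + av_len]
        pos += av_len
        if av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = value.decode("utf-16-le", "replace")
    return info


def build_challenge(target_name, av_pairs, version=(6, 1, 7601)) -> bytes:
    """Assemble a CHALLENGE_MESSAGE for offline testing (constructed, not a capture)."""
    tn = target_name.encode("utf-16-le")
    ti = b"".join(
        struct.pack("<HH", av_id, len(v.encode("utf-16-le"))) + v.encode("utf-16-le")
        for av_id, v in av_pairs
    ) + struct.pack("<HH", 0, 0)                       # MsvAvEOL terminator
    flags = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_TARGET_TYPE_DOMAIN
             | NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_VERSION)
    header_len = 56                                    # 48-byte header + 8-byte Version
    major, minor, build = version
    return (b"NTLMSSP\x00"
            + struct.pack("<I", 2)
            + struct.pack("<HHI", len(tn), len(tn), header_len)
            + struct.pack("<I", flags)
            + b"\x11" * 8                              # ServerChallenge (dummy)
            + b"\x00" * 8                              # Reserved
            + struct.pack("<HHI", len(ti), len(ti), header_len + len(tn))
            + struct.pack("<BBH", major, minor, build) + b"\x00\x00\x00" + b"\x0f"
            + tn + ti)


# Constructed sample mirroring the scan output in the post.
SAMPLE_CHALLENGE = build_challenge("ACTIVESQL", [
    (2, "ACTIVESQL"),
    (1, "DB-TEST2"),
    (4, "somedomain.com"),
    (3, "db-test2.somedomain.com"),
    (5, "somedomain.com"),
])

if __name__ == "__main__":
    for key, val in parse_challenge(SAMPLE_CHALLENGE).items():
        print("%s: %s" % (key, val))
```

On the defender side the same decoder tells you exactly what an exposed service hands out to an unauthenticated client; if the host and domain names or build number should not be visible from a given network, that is the signal to restrict the listener or disable NTLM on it.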


Attachments: ms-sql-ntlm-info.nse, imap-ntlm-info.nse, pop3-ntlm-info.nse, smtp-ntlm-info.nse

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
