Re: [NSE] Script Submission: HTTP NTLM Information Disclosure

[nmap user <nmapuser1 () gmail com>]

Hi Daniel,

Thanks for the feedback.

Attached is the revised code leveraging the
smbauth.get_host_info_from_security_blob() function where possible.

As for logging -- within IIS, the script event is logged as '401'
(Unauthorized), the same as if a web browser visited the page with NTLM
authentication enabled.  When anonymous access is permitted to the web
server this request is simply logged as a '200' (since NTLM auth is
disabled).

Thanks,
Justin


On Wed, Feb 5, 2014 at 1:22 PM, Daniel Miller <bonsaiviking () gmail com>wrote:

> On 02/04/2014 02:53 PM, nmap user wrote:
>
> > Hello,
> >
> > Attached is a NSE implementation to anonymously enumerate remote NetBIOS,
> > DNS, and OS details from HTTP services with NTLM authentication enabled.
> >
> > By sending a HTTP NTLM authentication request with null domain and user
> > credentials (passed in the 'Authorization' header), the remote web server
> > will respond with a NTLMSSP message (encoded within the 'WWW-Authenticate'
> > header) and disclose information including NetBIOS, DNS, and OS build
> > version.
> >
> > Example output:
> > #nmap -p443 1.2.3.4 --script http-ntlm-info-disclosure
> >
> > Nmap scan report for 1.2.3.4
> > Host is up (0.040s latency).
> > PORT    STATE  SERVICE  VERSION
> > 443/tcp open   https
> > | http-ntlm-info-disclosure:
> > |   Target_Name: ACTIVEWEB
> > |   NetBIOS_Domain_Name: ACTIVEWEB
> > |   NetBIOS_Computer_Name: PRODWEB001
> > |   DNS_Domain_Name: activeweb.somedomain.com
> > |   DNS_Computer_Name: prodweb001.activeweb.somedomain.com
> > |   DNS_Tree_Name: activeweb.somedomain.com
> > |_ Product_Version: 5.2 (Build 3790)
> > Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
> >
> > This script has been tested against all Microsoft IIS versions and open
> > source HTTP NTLM implementations.
> >
> > Cheers,
> > -Justin
> >
> >  Justin,
>
> Thanks for this script! It looks like some good information, and I'm
> excited to add it to Nmap. There are a few things I'd like to see first, if
> you don't mind:
>
> 1. You've chosen "default" as a category. In your testing, did you see
> what kind of logs this query leaves behind? If it causes 403 Forbidden logs
> that wouldn't otherwise be left by a browser, we may have to remove it from
> the "default" category.
>
> 2. I'm pretty sure the smbauth.get_host_info_from_security_blob()
> function does a lot of the parsing you do in this script, including the
> Unicode (UCS-2) handling. It would be better to use this function, if at
> all possible, in order to avoid duplicating code. I just wrote some
> documentation for it, so hopefully that will show up soon.
>
> 3. We've started enforcing some code quality standards. If you follow the
> guidelines here, it will make integration easier for everyone:
> https://secwiki.org/w/Nmap/Code_Standards
>
> Thanks again, and I look forward to seeing your answers.
>
> Dan

Attachment: http-ntlm-info-disclosure.nse
Description:

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/