Nmap Development mailing list archives

[NSE] Script Submission: NTLM Information Disclosure (MS-SQL, SMTP, IMAP, POP3, Telnet, NNTP)


From: "NMap User1" <nmapuser1 () gmail com>
Date: Wed, 23 Apr 2014 12:16:32 -0400

Hello,

Expanding on the http-ntlm-info script, attached are six additional scripts
that support this enumeration method among other common protocols that
support NTLM authentication.

In summary, if NTLM authentication is enabled, by sending an NTLM
authentication request with null domain and user credentials, the remote
service will respond with a NTLMSSP message and disclose information
including NetBIOS, DNS, and OS build version.  No log entry is created.

The attached scripts include the following services:
* MS-SQL
* SMTP
* IMAP
* POP3
* Telnet
* NNTP

Similar to the HTTP NTLM information disclosure script, these function with
identical/consistent behavior and output.  As an example, below demonstrates
usage of the MS-SQL script:

#nmap -p1433 1.2.3.4 --script ms-sql-ntlm-info
Nmap scan report for 1.2.3.4
Host is up (0.040s latency). 
PORT STATE SERVICE VERSION
1433/tcp open ms-sql-s
| ms-sql-ntlm-info:
|  Target_Name: ACTIVESQL
|  NetBIOS_Domain_Name: ACTIVESQL
|  NetBIOS_Computer_Name: DB-TEST2
|  DNS_Domain_Name: somedomain.com
|  DNS_Computer_Name: db-test2.somedomain.com
|  DNS_Tree_Name: somedomain.com
|_ Product_Version: 6.1 (Build 7601)

Below demonstrates SMTP:
#nmap -p25 1.2.3.4 --script smtp-ntlm-info
Nmap scan report for 1.2.3.4
Host is up (0.10s latency).
PORT    STATE    SERVICE    VERSION
25/tcp  open     smtp       
| smtp-ntlm-info: 
|   Target_Name: ACTIVESMTP
|   NetBIOS_Domain_Name: ACTIVESMTP
|   NetBIOS_Computer_Name: SMTP-TEST2
|   DNS_Domain_Name: somedomain.com
|   DNS_Computer_Name: smtp-test2.somedomain.com
|   DNS_Tree_Name: somedomain.com
|_  Product_Version: 5.2 (Build 3790)

Other protocols (e.g. IMAP, POP3, Telnet, NNTP) have similar implementations:
--script [proto]-ntlm-info.

These scripts have been tested against all current/past versions of their
respective Microsoft services and have been classified as 'default' as they
are non-malicious and no log entries are created.

Just let me know if there are questions.  If these scripts should be
submitted individually to the mailing list, let me know.

Cheers,
Justin

Attachment: telnet-ntlm-info.nse
Attachment: nntp-ntlm-info.nse
Attachment: pop3-ntlm-info.nse
Attachment: smtp-ntlm-info.nse
Attachment: imap-ntlm-info.nse
Attachment: ms-sql-ntlm-info.nse

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
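The message above describes what the scripts extract from the server's NTLMSSP reply but not how that reply is laid out. The following is an added example, not one of the submitted NSE scripts and not code from the Nmap project: it builds a CHALLENGE_MESSAGE (NTLM Type 2) with the same field values as the MS-SQL output in the message, then parses it the way an auditor checking their own server's disclosure would, pulling the TargetName, the AV_PAIR target info (NetBIOS and DNS names) and, when the NTLMSSP_NEGOTIATE_VERSION flag is set, the OS version. The field offsets, flag bits and AvId numbers are the ones documented in MS-NLMP; the server challenge bytes and host names are constructed sample values. The version-less branch shows the one caveat a practitioner hits in practice: a server that does not set the version flag discloses names but no build number.

```python
import struct

# AvId values from the MS-NLMP AV_PAIR table, mapped to the field names the
# *-ntlm-info scripts print (MsvAvEOL = 0 terminates the list).
AV_NAMES = {
    1: "NetBIOS_Computer_Name",
    2: "NetBIOS_Domain_Name",
    3: "DNS_Computer_Name",
    4: "DNS_Domain_Name",
    5: "DNS_Tree_Name",
}

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_TARGET_TYPE_DOMAIN = 0x00010000
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000


def build_challenge(target, av_pairs, version=(6, 1, 7601)):
    """Construct a CHALLENGE_MESSAGE as a Windows service would send it.

    This is a test fixture (constructed data, not a captured packet).
    av_pairs is a list of (AvId, str); version=None omits the Version field
    and clears NTLMSSP_NEGOTIATE_VERSION, mimicking a server that does not
    advertise its build number.
    """
    target_b = target.encode("utf-16-le")
    target_info = b""
    for av_id, value in av_pairs:
        value_b = value.encode("utf-16-le")  # AV_PAIR values are always Unicode
        target_info += struct.pack("<HH", av_id, len(value_b)) + value_b
    target_info += struct.pack("<HH", 0, 0)  # MsvAvEOL

    flags = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET
             | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_TARGET_TYPE_DOMAIN
             | NTLMSSP_NEGOTIATE_TARGET_INFO)
    if version is not None:
        flags |= NTLMSSP_NEGOTIATE_VERSION

    header_len = 56 if version is not None else 48
    target_off = header_len
    info_off = target_off + len(target_b)

    msg = b"NTLMSSP\x00"                                   # Signature
    msg += struct.pack("<I", 2)                            # MessageType = CHALLENGE
    msg += struct.pack("<HHI", len(target_b), len(target_b), target_off)
    msg += struct.pack("<I", flags)                        # NegotiateFlags
    msg += b"\x11" * 8                                     # ServerChallenge (constructed)
    msg += b"\x00" * 8                                     # Reserved
    msg += struct.pack("<HHI", len(target_info), len(target_info), info_off)
    if version is not None:
        major, minor, build = version
        # VERSION: major, minor, build, 3 reserved bytes, NTLMRevisionCurrent (0x0F)
        msg += struct.pack("<BBH", major, minor, build) + b"\x00\x00\x00\x0f"
    return msg + target_b + target_info


def parse_challenge(msg):
    """Return the disclosed fields from a CHALLENGE_MESSAGE as a dict."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE")
    target_len, _, target_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    info_len, _, info_off = struct.unpack_from("<HHI", msg, 40)

    # TargetName is Unicode only if the UNICODE flag was negotiated; else OEM.
    name_codec = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    info = {"Target_Name": msg[target_off:target_off + target_len].decode(name_codec)}

    # Walk the AV_PAIR list until MsvAvEOL or the end of the TargetInfo block.
    pos, end = info_off, info_off + info_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:
            break
        value = msg[pos:pos + av_len]
        pos += av_len
        if av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = value.decode("utf-16-le")

    # The build number is only present when the server set the VERSION flag
    # and the payload leaves room for the 8-byte Version field.
    if flags & NTLMSSP_NEGOTIATE_VERSION and min(target_off, info_off) >= 56:
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        info["Product_Version"] = f"{major}.{minor} (Build {build})"
    return info


if __name__ == "__main__":
    sample = build_challenge("ACTIVESQL", [
        (2, "ACTIVESQL"), (1, "DB-TEST2"), (4, "somedomain.com"),
        (3, "db-test2.somedomain.com"), (5, "somedomain.com"),
    ])
    for key, value in parse_challenge(sample).items():
        print(f"  {key}: {value}")
```

Running the block prints the same seven fields as the ms-sql-ntlm-info output in the message. The parser is what a defender would point at a captured Type 2 message from their own SMTP, IMAP or MS-SQL listener to see exactly which internal host and domain names it hands out before any credential is presented.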