Nmap Development mailing list archives
[NSE] Script Submission: NTLM Information Disclosure (MS-SQL, SMTP, IMAP, POP3, Telnet, NNTP)
From: "NMap User1" <nmapuser1 () gmail com>
Date: Wed, 23 Apr 2014 12:16:32 -0400
Hello,

Expanding on the http-ntlm-info script, attached are six additional scripts that support this enumeration method among other common protocols that support NTLM authentication. In summary, if NTLM authentication is enabled, by sending an NTLM authentication request with null domain and user credentials, the remote service will respond with an NTLMSSP message and disclose information including NetBIOS, DNS, and OS build version. No log entry is created.

The attached scripts include the following services:

* MS-SQL
* SMTP
* IMAP
* POP3
* Telnet
* NNTP

Similar to the HTTP NTLM information disclosure script, these function with identical/consistent behavior and output. As an example, below demonstrates usage of the MS-SQL script:

#nmap -p1433 1.2.3.4 --script ms-sql-ntlm-info

Nmap scan report for 1.2.3.4
Host is up (0.040s latency).
PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s
| ms-sql-ntlm-info:
|   Target_Name: ACTIVESQL
|   NetBIOS_Domain_Name: ACTIVESQL
|   NetBIOS_Computer_Name: DB-TEST2
|   DNS_Domain_Name: somedomain.com
|   DNS_Computer_Name: db-test2.somedomain.com
|   DNS_Tree_Name: somedomain.com
|_  Product_Version: 6.1 (Build 7601)

Below demonstrates SMTP:

#nmap -p25 1.2.3.4 --script smtp-ntlm-info

Nmap scan report for 1.2.3.4
Host is up (0.10s latency).
PORT   STATE SERVICE VERSION
25/tcp open  smtp
| smtp-ntlm-info:
|   Target_Name: ACTIVESMTP
|   NetBIOS_Domain_Name: ACTIVESMTP
|   NetBIOS_Computer_Name: SMTP-TEST2
|   DNS_Domain_Name: somedomain.com
|   DNS_Computer_Name: smtp-test2.somedomain.com
|   DNS_Tree_Name: somedomain.com
|_  Product_Version: 5.2 (Build 3790)

Other protocols (e.g. IMAP, POP3, Telnet, NNTP) have a similar implementation: --script [proto]-ntlm-info.

These scripts have been tested against all current/past versions of their respective Microsoft services and have been classified as 'default' as they are non-malicious and no log entries are created.

Just let me know if there are questions. If these scripts should be submitted individually to the mailing list, let me know.

Cheers,
Justin
Attachments:
telnet-ntlm-info.nse
nntp-ntlm-info.nse
pop3-ntlm-info.nse
smtp-ntlm-info.nse
imap-ntlm-info.nse
ms-sql-ntlm-info.nse
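The fields the scripts print come from the NTLMSSP CHALLENGE_MESSAGE (Type 2) that a server returns in response to the null-credential NEGOTIATE_MESSAGE: the Target_Name buffer, the AV_PAIR list in TargetInfo, and the Version structure. The following parser is an added example written for this archive page, not one of the submitted NSE scripts; the sample message it decodes is constructed here from the field values shown in the MS-SQL output above, and the 0x11 server challenge bytes are arbitrary.

```python
import struct

# MS-NLMP AV_PAIR ids, mapped to the field names the *-ntlm-info scripts print.
AV_PAIR_NAMES = {1: "NetBIOS_Computer_Name", 2: "NetBIOS_Domain_Name",
                 3: "DNS_Computer_Name", 4: "DNS_Domain_Name", 5: "DNS_Tree_Name"}
NEGOTIATE_UNICODE = 0x00000001      # strings are UTF-16LE
NEGOTIATE_TARGET_INFO = 0x00800000  # TargetInfo (AV_PAIRs) is present
NEGOTIATE_VERSION = 0x02000000      # Version structure is present
HEADER_LEN = 56                     # fixed CHALLENGE_MESSAGE header size


def build_challenge(target_name, av_pairs, version, flags=None):
    """Construct a CHALLENGE_MESSAGE for testing (not a captured packet)."""
    if flags is None:
        flags = NEGOTIATE_UNICODE | NEGOTIATE_TARGET_INFO | NEGOTIATE_VERSION
    target = target_name.encode("utf-16-le")
    info = b"".join(struct.pack("<HH", av_id, len(v.encode("utf-16-le")))
                    + v.encode("utf-16-le") for av_id, v in av_pairs)
    info += struct.pack("<HH", 0, 0)  # MsvAvEOL terminator
    major, minor, build = version
    hdr = b"NTLMSSP\x00" + struct.pack("<I", 2)
    hdr += struct.pack("<HHI", len(target), len(target), HEADER_LEN)
    hdr += struct.pack("<I", flags)
    hdr += b"\x11" * 8 + b"\x00" * 8  # ServerChallenge (arbitrary) + Reserved
    hdr += struct.pack("<HHI", len(info), len(info), HEADER_LEN + len(target))
    hdr += struct.pack("<BBH3sB", major, minor, build, b"\x00" * 3, 15)
    return hdr + target + info


def parse_challenge(msg):
    """Extract the disclosed host/domain/version fields from a Type 2 message."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    out = {"Target_Name": msg[tn_off:tn_off + tn_len].decode(enc)}
    if flags & NEGOTIATE_TARGET_INFO:
        ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
        pos, end = ti_off, ti_off + ti_len
        while pos + 4 <= end:  # walk AV_PAIRs until MsvAvEOL
            av_id, av_len = struct.unpack_from("<HH", msg, pos)
            pos += 4
            if av_id == 0:
                break
            if av_id in AV_PAIR_NAMES:
                out[AV_PAIR_NAMES[av_id]] = msg[pos:pos + av_len].decode("utf-16-le")
            pos += av_len
    if flags & NEGOTIATE_VERSION:
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        out["Product_Version"] = f"{major}.{minor} (Build {build})"
    return out


# Constructed sample reproducing the values in the ms-sql-ntlm-info output above.
SAMPLE_CHALLENGE = build_challenge("ACTIVESQL", [(2, "ACTIVESQL"), (1, "DB-TEST2"),
    (4, "somedomain.com"), (3, "db-test2.somedomain.com"), (5, "somedomain.com")], (6, 1, 7601))
```

A server that omits NTLMSSP_NEGOTIATE_TARGET_INFO or NTLMSSP_NEGOTIATE_VERSION discloses correspondingly less, which the parser reflects by leaving those keys out.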
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] Script Submission: NTLM Information Disclosure (MS-SQL, SMTP, IMAP, POP3, Telnet, NNTP) NMap User1 (Apr 23)
- Re: [NSE] Script Submission: NTLM Information Disclosure (MS-SQL, SMTP, IMAP, POP3, Telnet, NNTP) Daniel Miller (Apr 23)