ntlmscan

scan for NTLM directories

reliable targets are:

  • OWA servers
  • Skype for Business/Lync servers
  • Autodiscover servers (autodiscover.domain.com and lyncdiscover.domain.com)
  • ADFS servers

once identified, use nmap and the http-ntlm-info script to extract internal domain/server information

usage: ntlmscan.py [-h] [--url URL] [--host HOST] [--hostfile HOSTFILE]
                   [--outfile OUTFILE] [--dictionary DICTIONARY]

optional arguments:
  -h, --help              show this help message and exit
  --url URL               full url path to test
  --host HOST             a single host to search for ntlm dirs on
  --hostfile HOSTFILE     file containing ips or hostnames to test
  --outfile OUTFILE       file to write results to
  --dictionary DICTIONARY list of paths to test, default: paths.dict
  --nmap                  run nmap with http-ntlm-info after testing (requires nmap)
  --debug                 show request headers

Examples:

python3 ntlmscan.py --url https://autodiscover.domain.com/autodiscover

python3 ntlmscan.py --host autodiscover.domain.com

python3 ntlmscan.py --hostfile hosts.txt --dictionary big.txt
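
Seen from the server side, a dictionary run like the ones above appears in access logs as one client requesting many distinct paths within seconds. The following detection sketch is an added example, not part of ntlmscan or of this page. It assumes that NTLM-protected directories answer 401 and unknown paths answer 404, and the log layout, every sample path except /autodiscover, the thresholds and the function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: date time client-ip method path status
SAMPLE_LOG = """\
2024-05-01 10:00:00 198.51.100.7 GET /ews/exchange.asmx 401
2024-05-01 10:00:01 198.51.100.7 GET /ews/exchange.asmx 200
2024-05-01 10:00:02 203.0.113.5 GET /autodiscover 401
2024-05-01 10:00:02 203.0.113.5 GET /abs 404
2024-05-01 10:00:03 203.0.113.5 GET /ews/ 401
2024-05-01 10:00:03 203.0.113.5 GET /rpc/ 401
2024-05-01 10:00:04 203.0.113.5 GET /certsrv 404
2024-05-01 08:00:00 192.0.2.9 GET /autodiscover 401
2024-05-01 09:00:00 192.0.2.9 GET /abs 404
2024-05-01 10:30:00 192.0.2.9 GET /ews/ 401
2024-05-01 11:00:00 192.0.2.9 GET /rpc/ 401
2024-05-01 12:00:00 192.0.2.9 GET /public 404
"""


def parse_line(line):
    """Split one log line into (timestamp, client, normalised path, status)."""
    date, clock, ip, _method, path, status = line.split()
    return datetime.fromisoformat(f"{date} {clock}"), ip, path.lower().rstrip("/"), int(status)


def find_path_sweeps(log_text, window=timedelta(seconds=60), min_paths=5):
    """Map client IP -> 401 paths it found while sweeping >= min_paths paths in one window."""
    events = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        ts, ip, path, status = parse_line(line)
        if status in (401, 404):  # auth challenge or miss; normal 200 traffic is ignored
            events[ip].append((ts, path, status))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            span = evs[start:end + 1]
            challenged = {p for _, p, s in span if s == 401}
            if len({p for _, p, _ in span}) >= min_paths and challenged:
                flagged.setdefault(ip, set()).update(challenged)
    return {ip: sorted(paths) for ip, paths in flagged.items()}


if __name__ == "__main__":
    print(find_path_sweeps(SAMPLE_LOG))
```

The paths reported for a flagged client are the ones that answered with an authentication challenge, which makes them the first candidates for restricting external access or moving behind pre-authentication.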

Screenshot of usage

More Repositories

  1. o365recon (PowerShell, 685 stars): retrieve information via O365 and AzureAD with a valid cred
  2. onedrive_user_enum (Python, 595 stars): onedrive user enumeration - pentest tool to enumerate valid o365 users
  3. lyncsmash (Python, 330 stars): locate and attack Lync/Skype for Business
  4. AzureAD_Autologon_Brute (Python, 97 stars): Brute force attack tool for Azure AD Autologon/Seamless SSO - Source: https://arstechnica.com/information-technology/2021/09/new-azure-active-directory-password-brute-forcing-flaw-has-no-fix/
  5. guestlist (Python, 83 stars): tool for identifying guest relationships between companies
  6. nyxgeek-rules (Shell, 77 stars): Custom password cracking rules for Hashcat and John the Ripper
  7. dumpsniffer (Shell, 56 stars): tools for analyzing strings from password lists
  8. track_the_planet (56 stars): DEFCON 31
  9. teamstracker (Python, 51 stars): using graph proxy to monitor teams user presence
  10. imgdevil (PowerShell, 47 stars): quick and dirty proof-of-concept to hide shells in images
  11. weakpass_generator (Python, 40 stars): generates weak passwords based on current date
  12. dirdevil (PowerShell, 38 stars): hiding in plain sight: part 2
  13. username-lists (34 stars): list of usernames and email addresses for pentests
  14. nyxgeek-wordlists (25 stars): wordlists for password cracking
  15. twitter-usernames-wordlist (13 stars): Wordlist compiled from Twitter usernames
  16. rpcfiend (Shell, 12 stars): Use rpc null sessions to retrieve machine list, domain admin list, domain controllers
  17. nyxgeek-readinglist (11 stars): hacker folklore, history, and culture
  18. bad_guest (PowerShell, 7 stars)
  19. simple_scanners (Python, 6 stars): simple pentest scanning scripts with no db
  20. f5-cookie-monster (PowerShell, 5 stars): give it a url, will decode f5 cookies to reveal internal IPs
  21. phrack69 (4 stars): mirror of phrack issue 69
  22. classic_hacking_tools (3 stars): archive of classic hack tools < 2000
  23. graphninja (Python, 3 stars)
  24. vulnmgmt (Python, 3 stars): Be alerted ONLY on new vulnerabilities discovered in software you use
  25. h4x0rsearch (3 stars): list of domains that are included in h4x0rsearch.com
  26. nyxgeek-slides (2 stars): slide decks etc
  27. exploits (PowerShell, 2 stars): my public exploit code
  28. bashscan (Shell, 1 star): simple bash portscanner using nc
  29. cloudkicker (1 star): [redacted]
  30. retrocomputing_resources (1 star): collection of old computing stuff
  31. autodiscover_enum (Python, 1 star): time-based user enum via Basic Auth in Azure
  32. media (1 star): images, gifs, movies i've modded or made