Home

Awesome

NTLM Challenger

ntlm_challenger will send a NTLM negotiate message to a provided HTTP, SMB or MSSQL endpoint that accepts NTLM authentication, parse the challenge message, and print information received from the server.

Requirements

ntlm_challenger supports Python 3.

The requests library is used to make HTTP(S) requests. impacket is used to set up the SMB or MSSQL connection.

Usage

Send NTLM negotiate message to the provided URL and parse the challenge message.

python3 ntlm_challenger.py <URL>

HTTP Example:

$ python3 ntlm_challenger.py 'https://autodiscover.hackin.club/autodiscover/'

Target (Domain): HACKIN

Version: Server 2012 / Windows 8 (build 9200)

TargetInfo:
        MsvAvNbDomainName: HACKIN
        MsvAvNbComputerName: EXCH01
        MsvAvDnsDomainName: hackin.club
        MsvAvDnsComputerName: EXCH01.hackin.club
        MsvAvDnsTreeName: hackin.club
        MsvAvTimestamp: Nov 3, 2019 01:07:16.573170

Negotiate Flags:
        NTLMSSP_NEGOTIATE_UNICODE
        NTLMSSP_REQUEST_TARGET
        NTLMSSP_NEGOTIATE_ALWAYS_SIGN
        NTLMSSP_TARGET_TYPE_DOMAIN
        NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
        NTLMSSP_NEGOTIATE_TARGET_INFO
        NTLMSSP_NEGOTIATE_VERSION

SMB Example:

$ python3 ntlm_challenger.py 'smb://192.168.39.152'

Target (Server): DESKTOP-G1984A4

Version: Server 2016 or 2019 / Windows 10 (build 18362)

TargetInfo:
  MsvAvNbDomainName: DESKTOP-G1984A4
  MsvAvNbComputerName: DESKTOP-G1984A4
  MsvAvDnsDomainName: DESKTOP-G1984A4
  MsvAvDnsComputerName: DESKTOP-G1984A4
  MsvAvTimestamp: Mar 20, 2020 01:54:23.634713

Negotiate Flags:
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_TARGET_TYPE_SERVER
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_56

MSSQL Example:

$ python3 ntlm_challenger.py 'mssql://172.16.10.1'

Target (Domain): BLACKARROW

Version: Server 2016 or 2019 / Windows 10 (build 17763)

TargetInfo:
  MsvAvNbDomainName: BLACKARROW
  MsvAvNbComputerName: WINSQL01
  MsvAvDnsDomainName: blackarrow.lab
  MsvAvDnsComputerName: WINSQL01.blackarrow.lab
  MsvAvDnsTreeName: blackarrow.lab
  MsvAvTimestamp: Sep 30, 2022 10:55:18.194742

Negotiate Flags:
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_TARGET_TYPE_DOMAIN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_56