Intro

This page is a slowly growing collection of external network hack tricks.

DNS Recon

  • todo

NTLM Auth

A lot of web servers won’t ask your user agent to authenticate with NTLM (they never send a WWW-Authenticate: NTLM challenge), yet will still accept an NTLM header and perform an AD lookup if you explicitly supply an Authorization: NTLM header. Fortunately, there’s an Nmap script which does this:

nmap --script http-ntlm-info <hostname>

Unfortunately, despite the script being categorised as default and safe, it does not trigger when you run a default script scan (-sC) with Nmap, so it must be requested explicitly by name as above.

At time of writing, at least one Alexa top-1000 host returned an NTLM response, leaking information and providing a direct avenue for a dictionary attack against the AD server behind it.
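To see exactly what such a response gives away, here is an added example (not code from this page or from the Nmap script) that decodes the NTLM CHALLENGE (Type 2) message carried in a WWW-Authenticate: NTLM header and pulls out the NetBIOS/DNS names and OS version it discloses; run it against your own servers’ responses to check what they expose. The sample message it parses is constructed inline for a fictitious host, not a real capture, and the function names are this example’s own.

```python
import base64
import struct

# AvId values of the TargetInfo AV_PAIR list (MS-NLMP 2.2.2.1) that carry names
AV_IDS = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
          4: "DnsDomainName", 5: "DnsTreeName"}


def parse_challenge(header_value):
    """Decode 'NTLM <base64>' and return what a Type 2 message hands to any client."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not b64:
        raise ValueError("not an NTLM challenge header")
    msg = base64.b64decode(b64)
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLMSSP Type 2 message")
    # Fixed layout: TargetNameFields @12, NegotiateFlags @20, ServerChallenge @24,
    # Reserved @32, TargetInfoFields @40, Version @48 (only if the flag is set)
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    out = {"flags": flags,
           "target_name": msg[tn_off:tn_off + tn_len].decode("utf-16-le")}
    if flags & 0x02000000 and len(msg) >= 56:  # NTLMSSP_NEGOTIATE_VERSION
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        out["os_version"] = f"{major}.{minor}.{build}"
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        if av_id in AV_IDS:
            out[AV_IDS[av_id]] = msg[pos + 4:pos + 4 + av_len].decode("utf-16-le")
        pos += 4 + av_len
    return out


def build_sample_challenge():
    """Construct a Type 2 message for a fictitious host (sample data, not a capture)."""
    u16 = lambda s: s.encode("utf-16-le")
    target = u16("CORP")
    pairs = [(2, "CORP"), (1, "WEB01"), (4, "corp.example"), (3, "web01.corp.example")]
    info = b"".join(struct.pack("<HH", i, len(u16(v))) + u16(v) for i, v in pairs)
    info += struct.pack("<HH", 0, 0)  # MsvAvEOL
    flags = 0x02000000 | 0x00800000 | 0x00010000 | 0x00000001  # VERSION|TARGET_INFO|TYPE_DOMAIN|UNICODE
    header = (b"NTLMSSP\x00" + struct.pack("<I", 2)
              + struct.pack("<HHI", len(target), len(target), 56)
              + struct.pack("<I", flags) + b"\x11" * 8 + b"\x00" * 8  # challenge, reserved
              + struct.pack("<HHI", len(info), len(info), 56 + len(target))
              + struct.pack("<BBH3sB", 10, 0, 17763, b"\x00" * 3, 15))  # Version block
    return "NTLM " + base64.b64encode(header + target + info).decode()
```

Every field the parser returns is sent before any credential is checked, which is why an exposed NTLM endpoint counts as an information leak even when no account is ever guessed.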