External Network Hackery Tricks
Intro
This page is a slowly growing collection of external network hack tricks.
DNS Recon
- todo
NTLM Auth
Many web servers never prompt your user agent to authenticate with NTLM, yet will
still accept an NTLM token and perform an AD lookup if you explicitly send an Authorization: NTLM
header. Fortunately, there’s an Nmap script which does exactly this:
nmap --script http-ntlm-info <hostname>
Unfortunately, despite the script being marked as default and safe, it does not trigger by default when you run a script scan or any default scan using Nmap, so it must be run explicitly.
At the time of writing, at least one Alexa top-1000 host returned an NTLM challenge, leaking information and providing a direct avenue for a dictionary attack against the AD server.
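The information that leaks lives in the NTLM Type 2 challenge the server sends back in its WWW-Authenticate: NTLM header (NetBIOS and DNS names in the TargetInfo AV_PAIRs, plus the OS version block), which is what http-ntlm-info decodes and what you should check when auditing your own hosts. The parser below is an added example written for this page, not code from the original or from Nmap; build_type2 and the CORP/WEB01 names are constructed sample data so it runs offline.

```python
import base64
import struct

# MsvAvId values for the AV_PAIRs carried in TargetInfo (MS-NLMP).
AV_NAMES = {1: "NetBIOS computer", 2: "NetBIOS domain", 3: "DNS computer",
            4: "DNS domain", 5: "DNS tree"}
NEGOTIATE_UNICODE, NEGOTIATE_VERSION = 0x00000001, 0x02000000

def parse_type2(blob: bytes) -> dict:
    """Return the host, domain and OS fields a CHALLENGE_MESSAGE (Type 2) leaks."""
    if blob[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    tn_len, _, tn_off = struct.unpack_from("<HHI", blob, 12)  # TargetNameFields
    flags = struct.unpack_from("<I", blob, 20)[0]              # NegotiateFlags
    ti_len, _, ti_off = struct.unpack_from("<HHI", blob, 40)  # TargetInfoFields
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    info = {"target_name": blob[tn_off:tn_off + tn_len].decode(enc)}
    if flags & NEGOTIATE_VERSION:  # Version block (major, minor, build) at offset 48
        info["os_version"] = struct.unpack_from("<BBH", blob, 48)
    pos = ti_off
    while pos + 4 <= ti_off + ti_len:  # walk the AV_PAIR list up to MsvAvEOL
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:
            break
        if av_id in AV_NAMES:  # AV_PAIR strings are always UTF-16LE
            info[AV_NAMES[av_id]] = blob[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return info

def parse_www_authenticate(header_value: str) -> dict:
    """Parse the value of a 'WWW-Authenticate: NTLM <base64>' response header."""
    return parse_type2(base64.b64decode(header_value.split(None, 1)[1]))

def build_type2(nb_domain: str, nb_host: str, dns_domain: str, dns_host: str) -> bytes:
    """Construct a sample Type 2 message (not a real capture) to exercise the parser."""
    def av(av_id, text):
        v = text.encode("utf-16-le")
        return struct.pack("<HH", av_id, len(v)) + v
    target_name = nb_domain.encode("utf-16-le")
    target_info = (av(2, nb_domain) + av(1, nb_host) + av(4, dns_domain)
                   + av(3, dns_host) + struct.pack("<HH", 0, 0))
    flags = NEGOTIATE_UNICODE | 0x4 | 0x200 | 0x10000 | 0x800000 | NEGOTIATE_VERSION
    hdr = b"NTLMSSP\x00" + struct.pack("<I", 2)
    hdr += struct.pack("<HHI", len(target_name), len(target_name), 56)
    hdr += struct.pack("<I", flags) + b"\x11" * 8 + b"\x00" * 8  # challenge, reserved
    hdr += struct.pack("<HHI", len(target_info), len(target_info), 56 + len(target_name))
    hdr += struct.pack("<BBH", 10, 0, 17763) + b"\x00\x00\x00\x0f"  # Version 10.0.17763
    return hdr + target_name + target_info
```

If any of your internet-facing hosts return such a challenge to an unsolicited Authorization: NTLM header, disable NTLM on that listener or restrict it to the internal network.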