This page is a slowly growing collection of external network hack tricks.
Many web servers will not ask your user agent to authenticate with NTLM, yet will
still accept an NTLM header and perform an AD lookup if you explicitly supply
one. Fortunately, there is an Nmap script that does exactly this:
nmap --script http-ntlm-info <hostname>
Unfortunately, despite the script being marked as default and safe, it does not run when you perform a script scan or any other default scan with Nmap, so it must be requested explicitly with --script.
At the time of writing, at least one Alexa top-1000 host returned an NTLM response, leaking information and providing a direct avenue for a dictionary attack against the AD server.
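To see what such an NTLM response actually discloses, here is an added example (not from this page and not Nmap's script) that decodes an NTLM Type 2 challenge from a WWW-Authenticate header into the same target information http-ntlm-info reports; the message it decodes is constructed with made-up names, and a defender can point parse_ntlm_challenge at a header captured from their own server to confirm what is exposed.

```python
import base64
import struct

# AvId values of the TargetInfo AV_PAIRs in an NTLM CHALLENGE_MESSAGE (MS-NLMP 2.2.2.1).
AV_NAMES = {1: "NetBIOS computer name", 2: "NetBIOS domain name", 3: "DNS computer name",
            4: "DNS domain name", 5: "DNS tree name"}
NEGOTIATE_VERSION = 0x02000000  # NegotiateFlags bit: the 8-byte Version field is present


def parse_ntlm_challenge(header_value):
    """Decode a 'WWW-Authenticate: NTLM <base64>' value into the fields it discloses."""
    blob = base64.b64decode(header_value.split()[-1])
    if blob[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 (CHALLENGE) message")
    flags = struct.unpack_from("<I", blob, 20)[0]              # NegotiateFlags
    ti_len, _, ti_off = struct.unpack_from("<HHI", blob, 40)   # TargetInfoFields
    info = {}
    if flags & NEGOTIATE_VERSION:
        major, minor, build = struct.unpack_from("<BBH", blob, 48)
        info["OS version"] = f"{major}.{minor} build {build}"
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        value = blob[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0:                       # MsvAvEOL terminates the list
            break
        if av_id in AV_NAMES:                # name fields are UTF-16LE strings
            info[AV_NAMES[av_id]] = value.decode("utf-16-le")
        elif av_id == 7:                     # MsvAvTimestamp, a Windows FILETIME
            info["Timestamp"] = struct.unpack("<Q", value)[0]
    return info


def build_sample_challenge():
    """Constructed Type 2 message with made-up names; not captured from any real host."""
    def av(av_id, text):
        v = text.encode("utf-16-le")
        return struct.pack("<HH", av_id, len(v)) + v
    target_info = (av(2, "CORP") + av(1, "WEB01") + av(4, "corp.example")
                   + av(3, "web01.corp.example") + struct.pack("<HH", 0, 0))
    target_name = "CORP".encode("utf-16-le")
    flags = 0x00000001 | 0x00010000 | 0x00800000 | NEGOTIATE_VERSION  # UNICODE, TARGET_TYPE_DOMAIN, TARGET_INFO
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target_name), len(target_name), 56)   # TargetName right after the 56-byte header
    msg += struct.pack("<I", flags) + b"\x11" * 8 + b"\x00" * 8          # flags, ServerChallenge, Reserved
    msg += struct.pack("<HHI", len(target_info), len(target_info), 56 + len(target_name))
    msg += struct.pack("<BBH", 10, 0, 17763) + b"\x00\x00\x00\x0f"       # Version: 10.0 build 17763, rev 15
    return "NTLM " + base64.b64encode(msg + target_name + target_info).decode()
```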