Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nmapJustin CacakNMAP:TELNET-NTLM-INFO.NSE
HistoryJan 08, 2016 - 3:54 p.m.

telnet-ntlm-info NSE Script

2016-01-0815:54:53
Justin Cacak
nmap.org
212

EPSS

0.973

Percentile

99.9%

JSON

This script enumerates information from remote Microsoft Telnet services with NTLM authentication enabled.

Sending a MS-TNAP NTLM authentication request with null credentials will cause the remote service to respond with a NTLMSSP message disclosing information to include NetBIOS, DNS, and OS build version.

Script Arguments

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -p 23 --script telnet-ntlm-info <target>

Script Output

23/tcp   open     telnet
| telnet-ntlm-info:
|   Target_Name: ACTIVETELNET
|   NetBIOS_Domain_Name: ACTIVETELNET
|   NetBIOS_Computer_Name: HOST-TEST2
|   DNS_Domain_Name: somedomain.com
|   DNS_Computer_Name: host-test2.somedomain.com
|   DNS_Tree_Name: somedomain.com
|_  Product_Version: 5.1.2600

Requires

local datetime = require "datetime"
local os = require "os"
local comm = require "comm"
local shortport = require "shortport"
local stdnse = require "stdnse"
local smbauth = require "smbauth"
local string = require "string"


description = [[
This script enumerates information from remote Microsoft Telnet services with NTLM
authentication enabled.

Sending a MS-TNAP NTLM authentication request with null credentials will cause the
remote service to respond with a NTLMSSP message disclosing information to include
NetBIOS, DNS, and OS build version.
]]


---
-- @usage
-- nmap -p 23 --script telnet-ntlm-info <target>
--
-- @output
-- 23/tcp   open     telnet
-- | telnet-ntlm-info:
-- |   Target_Name: ACTIVETELNET
-- |   NetBIOS_Domain_Name: ACTIVETELNET
-- |   NetBIOS_Computer_Name: HOST-TEST2
-- |   DNS_Domain_Name: somedomain.com
-- |   DNS_Computer_Name: host-test2.somedomain.com
-- |   DNS_Tree_Name: somedomain.com
-- |_  Product_Version: 5.1.2600
--
--@xmloutput
-- <elem key="Target_Name">ACTIVETELNET</elem>
-- <elem key="NetBIOS_Domain_Name">ACTIVETELNET</elem>
-- <elem key="NetBIOS_Computer_Name">HOST-TEST2</elem>
-- <elem key="DNS_Domain_Name">somedomain.com</elem>
-- <elem key="DNS_Computer_Name">host-test2.somedomain.com</elem>
-- <elem key="DNS_Tree_Name">somedomain.com</elem>
-- <elem key="Product_Version">5.1.2600</elem>


author = "Justin Cacak"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "safe"}


local _, ntlm_auth_blob = smbauth.get_security_blob(
  nil, nil, nil, nil, nil, nil, nil,
  0x00000001 + -- Negotiate Unicode
  0x00000002 + -- Negotiate OEM strings
  0x00000004 + -- Request Target
  0x00000200 + -- Negotiate NTLM
  0x00008000 + -- Negotiate Always Sign
  0x00080000 + -- Negotiate NTLM2 Key
  0x20000000 + -- Negotiate 128
  0x80000000 -- Negotiate 56
  )

--
-- Create MS-TNAP Login Packet (Option Command IS)
-- Ref: http://msdn.microsoft.com/en-us/library/cc247789.aspx
local tnap_login_packet = string.pack("<BBBBBBB I4I4",
  0xff, -- IAC
  0xfa, -- Sub-option (250)
  0x25, -- Subcommand: auth option
  0x00, -- Auth Cmd: IS (0)
  0x0f, -- Auth Type: NTLM (15)
  0x00, -- Who: Mask client to server (0)
  0x00, -- Command: NTLM_NEGOTIATE (0)
  #ntlm_auth_blob, -- NTLM_DataSize (4 bytes, little-endian)
  0x00000002) -- NTLM_BufferType (4 bytes, little-endian)
  .. ntlm_auth_blob .. string.pack("<BB",
  0xff, 0xf0) -- Sub-option End

portrule = shortport.port_or_service(23, "telnet")

action = function(host, port)

  local output = stdnse.output_table()

  local socket, response, early_resp = comm.opencon(host, port, tnap_login_packet, {recv_before=true})

  if not socket then
    return nil
  end

  local recvtime = os.time()
  socket:close()

  -- Continue only if NTLMSSP response is returned.
  -- Verify that the response is terminated with Sub-option End values as various
  -- non Microsoft telnet implementations support NTLM but do not return valid data.
  local data = string.match(response, "(NTLMSSP.*)\xff\xf0")
  if not data then
    return nil
  end

  -- Leverage smbauth.get_host_info_from_security_blob() for decoding
  local ntlm_decoded = smbauth.get_host_info_from_security_blob(data)

  if ntlm_decoded.timestamp then
    -- 64-bit number of 100ns clicks since 1/1/1601
    local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600
    datetime.record_skew(host, unixstamp, recvtime)
  end

  -- Target Name will always be returned under any implementation
  output.Target_Name = ntlm_decoded.target_realm

  -- Display information returned & ignore responses with null values
  if ntlm_decoded.netbios_domain_name and #ntlm_decoded.netbios_domain_name > 0 then
    output.NetBIOS_Domain_Name = ntlm_decoded.netbios_domain_name
  end

  if ntlm_decoded.netbios_computer_name and #ntlm_decoded.netbios_computer_name > 0 then
    output.NetBIOS_Computer_Name = ntlm_decoded.netbios_computer_name
  end

  if ntlm_decoded.dns_domain_name and #ntlm_decoded.dns_domain_name > 0 then
    output.DNS_Domain_Name = ntlm_decoded.dns_domain_name
  end

  if ntlm_decoded.fqdn and #ntlm_decoded.fqdn > 0 then
    output.DNS_Computer_Name = ntlm_decoded.fqdn
  end

  if ntlm_decoded.dns_forest_name and #ntlm_decoded.dns_forest_name > 0 then
    output.DNS_Tree_Name = ntlm_decoded.dns_forest_name
  end

  if ntlm_decoded.os_major_version then
    output.Product_Version = string.format("%d.%d.%d",
      ntlm_decoded.os_major_version, ntlm_decoded.os_minor_version, ntlm_decoded.os_build)
  end

  return output

end

Related

nmap 200
nmap
nmap
http-iis-webdav-vuln NSE Script
2009-05-20 00:43:30
smb-enum-domains NSE Script
2008-11-06 02:52:59
http-fetch NSE Script
2015-08-14 12:34:09

EPSS

0.973

Percentile

99.9%

JSON
Related for NMAP:TELNET-NTLM-INFO.NSE
nmap200