hunt-ntlm-info
This Claude Code skill identifies NTLM information disclosure vulnerabilities on internet-exposed IIS, SharePoint, and Exchange servers by capturing anonymous NTLM Type-2 challenges. It extracts sensitive reconnaissance data including NetBIOS domain names, internal DNS forests, computer hostnames, and Active Directory timestamps from the NTLM protocol response. Use this skill when target services advertise WWW-Authenticate headers with NTLM or Negotiate methods, particularly on enterprise endpoints like SharePoint REST APIs, Exchange Web Services, or Outlook Web App instances.
git clone --depth 1 https://github.com/elementalsouls/Claude-BugHunter /tmp/hunt-ntlm-info && cp -r /tmp/hunt-ntlm-info/skills/hunt-ntlm-info ~/.claude/skills/hunt-ntlm-infoSKILL.md
## Crown Jewel Targets NTLM info disclosure is a **Medium-severity finding when chained to context** — the leak itself is intentional protocol behavior (RFC-compliant NTLMSSP challenge), but on internet-exposed enterprise infrastructure it provides exact reconnaissance for the next stage of an attack. Highest-value targets: - **Internet-reachable IIS / SharePoint / Exchange / OWA** with dual-auth (Forms + NTLM, or NTLM + Kerberos) - **Citrix NetScaler / VMware Horizon View** internet-facing gateways with NTLM-backed AD auth - **Lync / Skype for Business / Teams On-Prem** edge servers - **WSUS / Windows Update Services** with NTLM-protected admin paths - **CIFS-style fileshare proxies** (HCL Sametime, IBM Notes Domino) that proxy NTLM - **Legacy SharePoint farms** that left NTLM enabled on the public-zone IIS binding **What makes this pay:** - Internal AD domain disclosure (parent-forest mapping, e.g. `customer.parent-corp.example` → tenant inside corporate-AD tree) - Default-Windows-hostname disclosure (`WIN-XXXXXXXXXXX` pattern signals rushed provisioning → likely default service-account passwords) - Timestamp leak (used in NTLMv2 hash cracking acceleration) - Direct attack-map enrichment for credential spraying combined with `hunt-auth-bypass` Legacy-Protocol Matrix --- ## Attack Surface Signals **Response headers signaling NTLM availability:** ``` WWW-Authenticate: NTLM WWW-Authenticate: Negotiate WWW-Authenticate: NTLM, Negotiate WWW-Authenticate: Negotiate, NTLM ``` **URL patterns where NTLM is commonly exposed:** ``` /_api/web/CurrentUser (SharePoint REST) /_vti_bin/*.asmx (SharePoint legacy SOAP) /EWS/Exchange.asmx (Exchange Web Services) /Autodiscover/Autodiscover.xml (Exchange autodiscover) /owa/ (Outlook Web App) /Microsoft-Server-ActiveSync (ActiveSync) /PowerShell (Exchange Mgmt Shell over HTTPS) /api/v3/ (TeamCity, Atlassian) /wsus/ (Windows Server Update Services) /manager/html (some Tomcat behind IIS) /iisstart.htm (default IIS, sometimes reveals NTLM upstream) ``` **Tech-stack signals:** - IIS on the public internet (almost always NTLM-capable, even if Forms is the front) - SharePoint Web Front End (almost always dual-auth Forms + NTLM) - Exchange edge transport - Server header `Microsoft-HTTPAPI/2.0`, `Microsoft-IIS/*`, `IIS/*` --- ## Step-by-Step Hunting Methodology 1. **Probe every anonymous endpoint for `WWW-Authenticate: NTLM`.** Send a vanilla GET and inspect response headers. If NTLM is offered, proceed. 2. **Send a valid NTLMSSP Type-1 message anonymously.** The Type-1 base64 below requests NetBIOS-domain and Workstation info from the server: ``` Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw== ``` This is the standard test Type-1 with negotiate flags `NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_OEM | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_KEY_EXCH | NTLMSSP_NEGOTIATE_56 | NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_TARGET_INFO`. The `OS Version` field (`06 01 B1 1D 00 00 00 0F`) is Windows 7 build 7601 — accepted by virtually every NTLM responder. 3. **Use a keep-alive raw socket, not Python requests / curl one-shot.** Most HTTP libraries close the connection between the Type-1 send and Type-2 reception. Use one of: - Burp Repeater with `Connection: keep-alive` set explicitly - Burp `mcp__burp__send_http1_request` (handles keep-alive natively) - Python raw `socket` + `ssl.wrap_socket` (see Payload section) 4. **Parse the Type-2 challenge from the `WWW-Authenticate: NTLM <base64>` response header.** Base64-decode the value. The structure is NTLMSSP per MS-NLMP: - Bytes 0-7: literal `NTLMSSP\0` - Bytes 8-11: MessageType = `\x02\x00\x00\x00` - Bytes 12-19: TargetName SecurityBuffer (len, alloc, offset) - Bytes 20-23: NegotiateFlags - Bytes 24-31: Server Challenge (8 bytes — useful for offline cracking) - Bytes 40-47: TargetInfo SecurityBuffer (len, alloc, offset) - TargetInfo body: `AV_PAIRS` array of (AvId u16, AvLen u16, Value) 5. **Decode the AV_PAIRS.** The AvIds you care about: - `1` = NetBIOS Computer Name - `2` = NetBIOS Domain Name - `3` = DNS Computer Name (FQDN of the responding server) - `4` = DNS Domain Name (the AD domain) - `5` = DNS Tree Name (the AD forest root) - `7` = Timestamp (FILETIME, useful for NTLMv2 hash relay / cracking) - `9` = Target Name (in newer NTLMSSP) 6. **Map findings to severity tier:** - Internet-exposed + default `WIN-XXXXXXXXXXX` hostname + corporate-AD-tree disclosure → **Medium** - Internet-exposed + named-server hostname (`SPWEB01.corp.example`) + corporate-AD-tree → **Low-Medium** - Intranet-only + any disclosure → **Informational** - Combine with `hunt-auth-bypass` Legacy-Protocol Matrix findings on the same host → **upgrade the auth-bypass finding's severity** since the attacker has UPN/SAM format ready 7. **Check the timestamp.** If `AV[7]` returns a current FILETIME within ~5s of `Date:` header, the system clock is synced — useful intel for Kerberos golden-ticket forging (out of bug-bounty scope but red-team relevant). 8. **Cross-reference with subdomain enum.** The DNS Tree name often reveals the *parent forest* — e.g. `customer.parent-corp.example` reveals the customer is a sub-domain INSIDE corporate-parent AD, not a separate tenant. This is a privacy / topology-disclosure escalation that programs sometimes accept as Medium. --- ## Payload & Detection Patterns **Generic NTLM Type-1 anonymous probe (curl + raw socket fallback):** ```bash # Most one-shot curl runs DON'T return Type-2 because the connection closes. # Use this as a quick probe to confirm NTLM is offered: curl -sk -I -H "Authorization: NTLM TlRMTVNTUAAB
Run autonomous hunt loop on a target — scope check → recon → rank surface → hunt → validate → report with configurable checkpoints. Usage: /autopilot target.com [--paranoid|--normal|--yolo]
Build an exploit chain — given bug A, finds B and C to combine for higher severity and payout. Knows common chain patterns: IDOR→ATO, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth. Usage: /chain
Active vulnerability hunting. Two-track dispatcher — asks Red Team vs WAPT, hands off to hunt-dispatch skill and sibling commands. Usage: /hunt target.com | /hunt *.target.com | /hunt targets.txt [--vuln-class X] [--source-code P] [--chrome]
On-demand intelligence fetch for a target — CVEs, disclosed reports, new features. Wraps learn.py + hunt memory context. Usage: /intel target.com
Inspect or rotate hunt-memory JSONL files (audit.jsonl, patterns.jsonl, journal.jsonl). Caps file size and keeps N rotated backups so memory does not grow unbounded.
Pick up a previous hunt on a target — shows hunt history, untested endpoints, and memory-informed suggestions. Usage: /pickup target.com
Run full recon pipeline on a target — subdomain enum (Chaos API + subfinder), live host discovery (dnsx + httpx), URL crawl (katana + waybackurls + gau), gf pattern classification, nuclei scan. Outputs to recon/<target>/ directory. Usage: /recon target.com
Log current finding or successful pattern to hunt memory. Auto-fills from /validate output if available. Usage: /remember