Penetrating Networks

Navid Fazle Rabbi
Sr. Security Researcher
Offensive Security Research
bKash Ltd.

NTLM_Spray

Tools
NTLM & NetNTLM

Microsoft's Windows New Technology LAN Manager (NTLM) is a family of security protocols that authenticate users and protect the confidentiality and integrity of their sessions. At its core, NTLM is a single sign-on (SSO) mechanism built on a challenge-response protocol: the client proves knowledge of the password without the password itself being sent over the network.

Even though NTLM has known weaknesses, it is still enabled on many modern systems to stay compatible with older clients and servers. Microsoft continues to support it, but since Windows 2000 it is no longer the default authentication protocol in Active Directory (AD) domains; Kerberos is used by default instead.

Services that authenticate with NetNTLM are also frequently reachable from the internet. Some of the most common examples:

  • Internally hosted Exchange (mail) servers that expose an Outlook Web App (OWA) login portal.
  • Remote Desktop Protocol (RDP) services on servers exposed directly to the internet.
  • Exposed VPN endpoints that are integrated with AD.
  • Internet-facing web applications that authenticate with NetNTLM.

Brute-Force Login Attacks

Since account lockout is configured in most AD environments, a full brute-force attack against a single account is not practical. Instead, the technique used is "password spraying": rather than trying many passwords against one account, which would trigger the lockout, we choose one password and try it against every username we have.
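As an added example (not part of NTLM_Spray or this page), the following Python script shows what the spraying pattern above looks like from the defender's side: it groups failed NTLM logons by source address and flags a source that fails against many distinct accounts while never exceeding a per-account threshold, which is exactly how spraying stays under lockout. The log lines, thresholds and function names are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed NTLM logon events (not real data), one line
# per failed attempt: "timestamp source_ip username". Logs from an OWA, RDP
# or VPN gateway would be normalised to this shape before analysis.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 203.0.113.7 alice
2024-05-01T09:00:02 203.0.113.7 bob
2024-05-01T09:00:03 203.0.113.7 carol
2024-05-01T09:00:04 203.0.113.7 dave
2024-05-01T09:00:05 203.0.113.7 erin
2024-05-01T09:00:06 203.0.113.7 frank
2024-05-01T09:05:00 198.51.100.9 alice
2024-05-01T09:05:30 198.51.100.9 alice
2024-05-01T09:06:00 198.51.100.9 alice
"""

def parse_events(text):
    """Turn the normalised log text into (timestamp, source_ip, username) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, user = line.split()
        events.append((datetime.fromisoformat(ts), src, user.lower()))
    return events

def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {source_ip: [usernames]} for sources whose failures inside `window`
    touch at least `min_users` distinct accounts while no single account exceeds
    `max_per_user` failures. Breadth across accounts, not depth per account, is
    the spraying signal; a classic brute force of one account is not flagged."""
    by_src = defaultdict(list)
    for ts, src, user in sorted(events):
        by_src[src].append((ts, user))
    flagged = {}
    for src, attempts in by_src.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward so attempts[start:end+1] spans <= window.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if (len(per_user) >= min_users and max(per_user.values()) <= max_per_user
                    and len(per_user) > len(flagged.get(src, []))):
                flagged[src] = sorted(per_user)
    return flagged

if __name__ == "__main__":
    print(detect_spray(parse_events(SAMPLE_EVENTS)))
```

The source that failed once each against six accounts is reported, while the source hammering a single account three times is left to the normal lockout policy.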

NTLM_Spray is a password sprayer: it tries a single password against an NTLM login endpoint for each username in a list and collects the usernames that accept it.

NTLM_Spray takes the following inputs:

  • userfile: text file containing the usernames to try
  • fqdn: Fully Qualified Domain Name of the directory
  • password: password to spray with
  • attackurl: URL of the NTLM login endpoint to test

Library Dependencies
  • requests, requests_ntlm2

Language
  • Python