👀 What ?
SMTP NTLM authentication information disclosure is the leaking of internal host details through the NTLM Type 2 (CHALLENGE) message that an SMTP server returns as soon as a client starts NTLM authentication. The server puts its NetBIOS and DNS names, its domain and its OS version into that message before any credential is checked, so an unauthenticated client on the network can read them.
🧐 Why ?
SMTP NTLM authentication information disclosure is an easy way to learn about the internal environment from an exposed mail server. Without valid credentials you can trigger the NTLM challenge and read the server's NetBIOS name, domain, DNS names and OS build version from it. This lets you identify targets, learn internal naming conventions, spot end-of-life operating systems (the build number maps directly to a Windows release) and discover internal DNS names and domains that are not otherwise visible from outside.
⛏️ How ?
To trigger it, open an SMTP session, start NTLM authentication and send an NTLM Type 1 (NEGOTIATE) message that carries no domain or workstation name, i.e. anonymous (null) credentials. The server answers with a Type 2 (CHALLENGE) message. The base64 string it sends back is more than the 8-byte random challenge: it also carries the server's TargetName, a TargetInfo list of NetBIOS and DNS names and, usually, a Version field, all of which you can decode offline. This is how NTLM works rather than a bug in the mail server, and it happens before any password is checked, so a Type 1 is all it takes.
You can follow the manual steps below or let Nmap automate the process.
- Start by establishing a Telnet connection to the SMTP server. Port 25 is the classic target; 587 works as shown here, but many submission servers only advertise AUTH after STARTTLS, in which case use openssl s_client with its -starttls smtp option instead of telnet so the AUTH exchange runs inside the TLS session:
telnet example.com 587
- Greet the SMTP server using the HELO command (EHLO also works and lists the supported AUTH mechanisms, so you can confirm NTLM is offered before trying it):
HELO example.com
- Initiate the NTLM authentication process:
AUTH NTLM
- Submit anonymous (null) credentials: the base64-encoded NTLM Type 1 (NEGOTIATE) message whose domain and workstation fields are empty. No password is involved at this point; the server answers every Type 1 with a Type 2 challenge, and that challenge is what carries the internal names.
Here's an example of the complete manual command execution (client input is prefixed with >>). After you send the null-credential Type 1 message, the server replies with one more 334 line whose argument is the base64 Type 2 challenge to decode in the next step:
root@kali: telnet example.com 587
220 example.com SMTP Server Banner
>> HELO example.com
250 example.com Hello [x.x.x.x]
>> AUTH NTLM
334 NTLM supported
- You then need to decode the challenge you received. The interesting fields are the TargetName, the TargetInfo AV_PAIR list (NetBIOS domain and computer name, DNS domain, computer and tree name, and the server's timestamp) and the Version field (major.minor.build; 6.3.9600, for example, is Windows Server 2012 R2 / Windows 8.1).
You can use a dedicated script:
git clone https://github.com/Cyber-Courses/NTLM-Challenge-Decoder.git
cd NTLM-Challenge-Decoder
python3 ntlm_challenge_decoder.py "TlRMTVNTUAACAAAADgAOADgAAAAFgomiATnkfKRMCOEAAAAAAAAAAJYAlgBGAAAABgOAJQAAAA9UAEsAQQAuAEMATwBNAAIADgBUAEsAQQAuAEMATwBNAAEAHAAyAEsAMQAyAFMASABBAFIARQBQAE8ASQBOAFQABAAOAHQAawBhAC4AYwBvAG0AAwAsADIASwAxADIAUwBIAEEAUgBFAFAATwBJAE4AVAAuAHQAawBhAC4AYwBvAG0ABQAOAHQAawBhAC4AYwBvAG0ABwAIAMUyAfUe0dMBAAAAAA=="
Or use the ntlm-challenge-decoder Burp plugin:
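The whole procedure above, from building the null-credential Type 1 to decoding the Type 2, as an added Python example that is not part of the original page and not the NTLM-Challenge-Decoder project's code. build_type1() produces the 32-byte NEGOTIATE message you paste after AUTH NTLM in the manual steps; parse_type2() does for the challenge what the decoder script and the Burp plugin do (TargetName, TargetInfo AV_PAIRs, Version); fetch_challenge() runs the SMTP exchange with smtplib, doing STARTTLS first when the server offers it, since submission ports commonly only allow AUTH inside TLS. The host and port passed to fetch_challenge() are assumptions supplied by the caller; the sample challenge is the one from the decoder command above.

```python
"""Added example (not the page's or the NTLM-Challenge-Decoder project's code):
build the null-credential NTLM Type 1, decode the Type 2 challenge an SMTP
server returns, and optionally drive the SMTP exchange itself with smtplib."""
import base64
import smtplib
import struct
from datetime import datetime, timedelta, timezone

NTLMSSP = b"NTLMSSP\x00"

# Type 1 NEGOTIATE flags: UNICODE | OEM | REQUEST_TARGET | NTLM | ALWAYS_SIGN |
# EXTENDED_SESSIONSECURITY. REQUEST_TARGET is what asks the server to put its
# name and the TargetInfo AV_PAIR list into the challenge.
NEGOTIATE_FLAGS = 0x00088207
FLAG_TARGET_INFO = 0x00800000  # NTLMSSP_NEGOTIATE_TARGET_INFO
FLAG_VERSION = 0x02000000      # NTLMSSP_NEGOTIATE_VERSION

# AvId values of the AV_PAIR structure (MS-NLMP); 0x0000 terminates the list.
AV_NAMES = {
    0x0001: "netbios_computer_name",
    0x0002: "netbios_domain_name",
    0x0003: "dns_computer_name",
    0x0004: "dns_domain_name",
    0x0005: "dns_tree_name",
}
AV_TIMESTAMP = 0x0007

# Sample input: the Type 2 challenge shown in the decoder command on this page.
SAMPLE_CHALLENGE = "TlRMTVNTUAACAAAADgAOADgAAAAFgomiATnkfKRMCOEAAAAAAAAAAJYAlgBGAAAABgOAJQAAAA9UAEsAQQAuAEMATwBNAAIADgBUAEsAQQAuAEMATwBNAAEAHAAyAEsAMQAyAFMASABBAFIARQBQAE8ASQBOAFQABAAOAHQAawBhAC4AYwBvAG0AAwAsADIASwAxADIAUwBIAEEAUgBFAFAATwBJAE4AVAAuAHQAawBhAC4AYwBvAG0ABQAOAHQAawBhAC4AYwBvAG0ABwAIAMUyAfUe0dMBAAAAAA=="


def build_type1() -> str:
    """Base64 Type 1 whose DomainName and Workstation fields are empty ("null")."""
    msg = NTLMSSP + struct.pack("<II", 1, NEGOTIATE_FLAGS)
    msg += struct.pack("<HHI", 0, 0, 0) * 2   # two empty security buffers
    return base64.b64encode(msg).decode()


def _filetime_to_str(raw: bytes) -> str:
    """MsvAvTimestamp is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    ticks = struct.unpack("<Q", raw)[0]
    when = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)
    return when.strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_type2(b64: str) -> dict:
    """Pull the server-identifying fields out of a base64 Type 2 CHALLENGE."""
    data = base64.b64decode(b64)
    if len(data) < 32 or data[:8] != NTLMSSP or struct.unpack("<I", data[8:12])[0] != 2:
        raise ValueError("not an NTLM Type 2 (CHALLENGE) message")
    tn_len, _tn_max, tn_off, flags = struct.unpack("<HHII", data[12:24])
    info = {
        "flags": hex(flags),
        "target_name": data[tn_off:tn_off + tn_len].decode("utf-16-le"),
        "server_challenge": data[24:32].hex(),
    }
    if flags & FLAG_TARGET_INFO and len(data) >= 48:
        ti_len, _ti_max, ti_off = struct.unpack("<HHI", data[40:48])
        pos, end = ti_off, ti_off + ti_len
        while pos + 4 <= end:
            av_id, av_len = struct.unpack("<HH", data[pos:pos + 4])
            pos += 4
            if av_id == 0:            # MsvAvEOL
                break
            value = data[pos:pos + av_len]
            pos += av_len
            if av_id == AV_TIMESTAMP:
                info["timestamp"] = _filetime_to_str(value)
            elif av_id in AV_NAMES:
                info[AV_NAMES[av_id]] = value.decode("utf-16-le")
    if flags & FLAG_VERSION and len(data) >= 56:
        major, minor, build = struct.unpack("<BBH", data[48:52])
        info["os_version"] = f"{major}.{minor}.{build}"
    return info


def fetch_challenge(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """EHLO, STARTTLS if offered, AUTH NTLM, send the Type 1, decode the Type 2.
    host and port are caller-supplied assumptions; nothing is hard-coded here."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):   # submission servers often hide AUTH until TLS is up
            smtp.starttls()
            smtp.ehlo()
        code, reply = smtp.docmd("AUTH", "NTLM")
        if code != 334:
            raise RuntimeError(f"AUTH NTLM refused: {code} {reply!r}")
        code, reply = smtp.docmd(build_type1())
        if code != 334:
            raise RuntimeError(f"no Type 2 challenge returned: {code} {reply!r}")
        return parse_type2(reply.decode())


if __name__ == "__main__":
    for key, value in parse_type2(SAMPLE_CHALLENGE).items():
        print(f"{key:>22}: {value}")
```

Run against the sample, parse_type2() yields TargetName TKA.COM, NetBIOS computer name 2K12SHAREPOINT, DNS computer name 2K12SHAREPOINT.tka.com, DNS domain and tree tka.com, OS version 6.3.9600 (Windows Server 2012 R2) and the server's clock at the time of the challenge, which is exactly the set of facts the "Why" section is after. Against a live server, fetch_challenge("mail.example.com") does the exchange for you; any ValueError means the 334 argument was not a Type 2, which usually indicates the server expects a different AUTH flow.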
You can also use Nmap with the following command to automate the process:
nmap --script=smtp-ntlm-info --script-timeout=60s example.com
Nmap runs the smtp-ntlm-info NSE script against each SMTP port it finds open on the target (25, 465 and 587 are all in the default port set; add -p 25,465,587 to limit the scan to those). The script performs the same exchange, sending an NTLM Type 1 with empty domain and user fields, and reports the decoded target name, NetBIOS domain and computer names, DNS names and OS version taken from the Type 2 challenge.