Script http-ntlm-info

Script types: portrule
Categories: default, discovery, safe

Script Summary

This script enumerates information from remote HTTP services with NTLM authentication enabled.

By sending a HTTP NTLM authentication request with null domain and user credentials (passed in the 'Authorization' header), the remote service will respond with a NTLMSSP message (encoded within the 'WWW-Authenticate' header) and disclose information to include NetBIOS, DNS, and OS build version if available.

Script Arguments


The URI path to request


See the documentation for the slaxml library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library., http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

Example Usage

nmap -p 80 --script http-ntlm-info --script-args http-ntlm-info.root=/root/ <target>

Script Output

80/tcp   open     http
| http-ntlm-info:
|   Target_Name: ACTIVEWEB
|   NetBIOS_Domain_Name: ACTIVEWEB
|   NetBIOS_Computer_Name: WEB-TEST2
|   DNS_Domain_Name:
|   DNS_Computer_Name:
|   DNS_Tree_Name:
|_  Product_Version: 6.1.7601



  • Justin Cacak

License: Same as Nmap--See