hunt-ntlm-info
Identifies NTLM information disclosure vulnerabilities in internet-exposed IIS/SharePoint/Exchange servers for enhanced security assessments.
Security score: 69/100
The hunt-ntlm-info skill was audited on May 29, 2026 and we found 9 security issues across 2 threat categories, including 1 high-severity. Review the findings below before installing.
Security Issues
medium line 75
Base64 decode operation
Source: SKILL.md
| 75 | 4. **Parse the Type-2 challenge from the `WWW-Authenticate: NTLM <base64>` response header.** Base64-decode the value. The structure is NTLMSSP per MS-NLMP: |
low line 151
Base64 decode operation
Source: SKILL.md
| 151 | b = base64.b64decode(m.group(1).decode("ascii")) |
high line 77
Hex-encoded characters
Source: SKILL.md
| 77 | - Bytes 8-11: MessageType = `\x02\x00\x00\x00` |
medium line 152
Hex-encoded characters
Source: SKILL.md
| 152 | assert b[:8] == b"NTLMSSP\x00" |
low line 112
External URL reference
Source: SKILL.md
| 112 | "https://target.example/_api/web/CurrentUser" 2>&1 | grep -i "WWW-Authenticate" |
low line 234
External URL reference
Source: SKILL.md
| 234 | Target: `https://target-portal.example/` — an enterprise dealer portal (test mirror) operated by a system integrator. |
low line 256
External URL reference
Source: SKILL.md
| 256 | Target: `https://mail.example.com/EWS/Exchange.asmx`. Type-1 probe returns Type-2 with DNS Tree Name `corp.example.com` and DNS Computer Name `MAIL01.corp.example.com`. Confirms the Exchange edge is d |
low line 260
External URL reference
Source: SKILL.md
| 260 | Target: `https://intranet.corp.example` (clearly internal, behind VPN). Type-1 returns full AV-pair set. Not reportable — this is intended NTLM behavior on intranet, and the disclosure is to authentic |
low line 267
External URL reference
Source: SKILL.md
| 267 | - **`m365-entra-attack`** — Leaked NetBIOS domain + UPN suffix is the missing piece for a credible password spray. Chain primitive: NTLM Type-2 yields `corp.example.com` DNS tree → cross-reference Ent |
Scanned on May 29, 2026