id: ntlm-info

info:
  name: NTLM Information - Detection
  author: pussycat0x
  severity: info
  description: |
    Windows New Technology LAN Manager (NTLM) is a suite of security protocols offered by Microsoft to authenticate users' identity and protect the integrity and confidentiality of their activity. At its core, NTLM is a single sign on (SSO) tool that relies on a challenge-response protocol to confirm the user without requiring them to submit a password.
  reference:
    - https://www.crowdstrike.com/cybersecurity-101/ntlm-windows-new-technology-lan-manager/
  metadata:
    shodan-query: "port:445"
    verified: true
  tags: js,network,smb,enum

javascript:
  - code: |
      var m = require("nuclei/smb");
      var c = m.SMBClient();
      var response = c.ConnectSMBInfoMode(Host, Port);
      to_json(response);

    args:
      Host: "{{Host}}"
      Port: "445"

    matchers:
      - type: dsl
        dsl:
          - "len(ntlm) != 0"

    extractors:
      - type: json
        internal: true
        part: response
        name: ntlm
        json:
          - '.NTLM'

      - type: json
        json:
          - '"NTLM: "+ .NTLM'
# digest: 4b0a00483046022100b88c9974500f4dc40564a8681b18d913968e4c28a5b738d4923dce7ff5f1c63a0221008de02bb9e4068ed2254595fefca8fd3dbb1d2e3d150668bd62fbd0865900b268:922c64590222798bb761d5b6d8e72950