hunt-ntlm-info

SKILL.md

Crown Jewel Targets

NTLM info disclosure is a Medium-severity finding when chained to context; on its own, on an intranet host, it is informational. The leak itself is by-design protocol behaviour, specified in Microsoft's MS-NLMP rather than in any RFC: the NTLMSSP CHALLENGE_MESSAGE (Type 2) carries a TargetInfo block of AV_PAIRs (NetBIOS and DNS domain and computer names, DNS tree/forest name, server timestamp) and usually a Version field with the Windows major.minor.build, and the server hands it to any client that sends an unauthenticated NEGOTIATE_MESSAGE (Type 1). On internet-exposed enterprise infrastructure that is exact reconnaissance for the next stage of an attack. Highest-value targets:

  • Internet-reachable IIS / SharePoint / Exchange / OWA with dual-auth (Forms + NTLM, or Negotiate with NTLM fallback alongside Kerberos), where the NTLM path is reachable even though it is not the intended login
  • Citrix NetScaler (ADC) / VMware Horizon View internet-facing gateways with NTLM-backed AD auth
  • Lync / Skype for Business Server front-end and edge web services (Teams is cloud-only and has no on-premises server role to probe)
  • WSUS / Windows Server Update Services with NTLM-protected admin or API paths
  • Other enterprise web applications fronting AD with NTLM / SPNEGO single sign-on (e.g. HCL Domino and Sametime with Windows SSO enabled)
  • Legacy SharePoint farms that left NTLM enabled on the public-zone (internet-facing) IIS binding

What makes this pay:

  • Internal AD domain disclosure: NetBIOS and DNS domain names plus the DNS tree (forest root) name, which gives parent-forest mapping, e.g. customer.parent-corp.example → a tenant domain inside the corporate AD forest
  • Default-Windows-hostname disclosure: the WIN-XXXXXXXXXXX pattern is the name Setup assigns when nobody renames the host, so it signals rushed provisioning and such hosts are worth checking for default or never-changed service-account passwords
  • OS version disclosure: the Version field carries the Windows major.minor and build number, which pins the host's release and patch era without any further probing
  • Server timestamp leak (MsvAvTimestamp, a FILETIME of the server clock): it does not accelerate NTLMv2 hash cracking, but it reveals the clock skew an attacker must correct before later Kerberos-based stages, which fail outside the default five-minute window
  • Direct attack-map enrichment for credential spraying, combined with the hunt-auth-bypass Legacy-Protocol Matrix: the leaked NetBIOS domain and hostnames give the exact DOMAIN\user and target forms to spray against
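As an added example (not the skill's own code and not from elementalsouls/claude-bughunter), the probe below sends a NEGOTIATE_MESSAGE to a URL, decodes the CHALLENGE_MESSAGE's TargetInfo and Version fields into the items listed above, converts the FILETIME, and flags a default WIN-/DESKTOP- hostname. The embedded sample challenge is constructed for offline use; its domain names, hostname, build number and timestamp are made up, and `probe`, `parse_type2`, `build_type2_sample` and the other names are this example's own.

```python
import base64
import re
import struct
import sys
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

NTLMSSP = b"NTLMSSP\x00"  # NegotiateFlags bits below are from MS-NLMP 2.2.2.5
NEGOTIATE_UNICODE = 0x00000001
REQUEST_TARGET = 0x00000004
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_ALWAYS_SIGN = 0x00008000
NEGOTIATE_TARGET_INFO = 0x00800000
NEGOTIATE_VERSION = 0x02000000

# AvId values from MS-NLMP 2.2.2.1 (AV_PAIR); 7 = MsvAvTimestamp (FILETIME)
AV_NAMES = {1: "nb_computer", 2: "nb_domain", 3: "dns_computer",
            4: "dns_domain", 5: "dns_tree", 7: "timestamp"}


def build_type1():
    """Minimal NEGOTIATE_MESSAGE: header, flags, empty DomainName/Workstation fields."""
    flags = (NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM
             | NEGOTIATE_ALWAYS_SIGN | NEGOTIATE_VERSION)
    return NTLMSSP + struct.pack("<II", 1, flags) + b"\x00" * 16


def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def is_default_hostname(name):
    """WIN-<11 chars> is the server default name, DESKTOP-<7 chars> the client default."""
    return re.fullmatch(r"WIN-[A-Z0-9]{11}|DESKTOP-[A-Z0-9]{7}", name.upper()) is not None


def parse_type2(msg):
    """Decode a CHALLENGE_MESSAGE into the fields that matter for recon."""
    if len(msg) < 48 or msg[:8] != NTLMSSP or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", msg, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)   # TargetInfoFields
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    info = {"flags": flags, "server_challenge": msg[24:32].hex(),
            "target_name": msg[tn_off:tn_off + tn_len].decode(enc, "replace")}
    if flags & NEGOTIATE_VERSION and len(msg) >= 56:       # Version field at offset 48
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        info["os_version"] = f"{major}.{minor} build {build}"
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:                                   # walk AV_PAIR list
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        val = msg[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0:                                      # MsvAvEOL
            break
        if av_id == 7 and len(val) == 8:
            info["timestamp"] = filetime_to_datetime(struct.unpack("<Q", val)[0]).isoformat()
        elif av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = val.decode(enc, "replace")
    info["default_hostname"] = is_default_hostname(info.get("nb_computer", ""))
    return info


def probe(url, timeout=10):
    """Send a Type 1 and decode the Type 2 the server returns (None if it sends none)."""
    token = base64.b64encode(build_type1()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "NTLM " + token})
    try:
        urllib.request.urlopen(req, timeout=timeout)
        return None                                         # no challenge on this path
    except urllib.error.HTTPError as err:
        for hdr in err.headers.get_all("WWW-Authenticate") or []:
            m = re.match(r"(?:NTLM|Negotiate)\s+([A-Za-z0-9+/=]+)", hdr)
            if m:
                raw = base64.b64decode(m.group(1))
                if raw.startswith(NTLMSSP):                 # Negotiate may wrap SPNEGO instead
                    return parse_type2(raw)
    return None


def build_type2_sample():
    """Constructed CHALLENGE_MESSAGE for offline use; every value is made up, not captured."""
    flags = (NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM | NEGOTIATE_ALWAYS_SIGN
             | NEGOTIATE_TARGET_INFO | NEGOTIATE_VERSION)
    target = "CORP".encode("utf-16-le")
    pairs = [(2, "CORP"), (1, "WIN-7D4K2H9LQ3X"), (4, "corp.parent-corp.example"),
             (3, "win-7d4k2h9lq3x.corp.parent-corp.example"), (5, "parent-corp.example")]
    ti = b"".join(struct.pack("<HH", i, 2 * len(v)) + v.encode("utf-16-le") for i, v in pairs)
    ti += struct.pack("<HHQ", 7, 8, 132000000000000000) + struct.pack("<HH", 0, 0)
    version = struct.pack("<BBH", 10, 0, 14393) + b"\x00\x00\x00\x0f"   # "Windows 10.0.14393"
    hdr = NTLMSSP + struct.pack("<I", 2) + struct.pack("<HHI", len(target), len(target), 56)
    hdr += struct.pack("<I", flags) + bytes(range(8)) + b"\x00" * 8    # challenge + reserved
    hdr += struct.pack("<HHI", len(ti), len(ti), 56 + len(target)) + version
    return hdr + target + ti


if __name__ == "__main__":
    result = probe(sys.argv[1]) if len(sys.argv) > 1 else parse_type2(build_type2_sample())
    for key, value in (result or {}).items():
        print(f"{key}: {value}")
```

Run it with a URL argument to probe a live path, or with no argument to decode the embedded sample. Two things to keep in mind when reading results: a `Negotiate` header may carry an SPNEGO token rather than raw NTLMSSP, which this probe skips rather than misparses, and the Version field is only present when the server chooses to send it, so a missing `os_version` is not a parsing failure.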

hunt-ntlm-info — elementalsouls/claude-bughunter