NTLM can be used as part of Integrated Windows Authentication, where users can authenticate using their domain credentials:
So if we enable Windows Authentication on an IIS site, create a simple ASP page that shows the authenticated user's information, and navigate to it, we obtain this output:
The following is an example ASP page that gets information about the logged-on user:
```asp
<%
' Retrieve the server variables IIS fills in once Windows Authentication succeeds
Dim logonUser, authUser, remoteUser, authType
logonUser  = Request.ServerVariables("LOGON_USER")
authUser   = Request.ServerVariables("AUTH_USER")
remoteUser = Request.ServerVariables("REMOTE_USER")
authType   = Request.ServerVariables("AUTH_TYPE")

' Split LOGON_USER (DOMAIN\user) into domain and username.
' VBScript does not escape backslashes, so the separator is "\" and not "\\".
Dim domainName, userName, sepPos
sepPos = InStr(logonUser, "\")
If sepPos > 0 Then
    domainName = Left(logonUser, sepPos - 1)
    userName = Mid(logonUser, sepPos + 1)
Else
    domainName = "N/A"
    userName = logonUser
End If

' Display the collected information. The values are HTML-encoded because a
' user name is client-influenced data and must not be written to the page raw.
Response.Write "<html><body>"
Response.Write "<h2>Authenticated User Information</h2>"
Response.Write "<p><strong>LOGON_USER:</strong> " & Server.HTMLEncode(logonUser) & "</p>"
Response.Write "<p><strong>AUTH_USER:</strong> " & Server.HTMLEncode(authUser) & "</p>"
Response.Write "<p><strong>REMOTE_USER:</strong> " & Server.HTMLEncode(remoteUser) & "</p>"
Response.Write "<p><strong>AUTH_TYPE:</strong> " & Server.HTMLEncode(authType) & "</p>"
Response.Write "<p><strong>Domain Name:</strong> " & Server.HTMLEncode(domainName) & "</p>"
Response.Write "<p><strong>User Name:</strong> " & Server.HTMLEncode(userName) & "</p>"
Response.Write "</body></html>"
%>
```
In order to brute-force NTLM authentication over HTTP, we must know Active Directory domain information such as the domain's name, the server's hostname and so on.
We can use the BApp extension NTLM Challenge Decoder, which automatically decodes this information from the NTLM SSP headers (the server's Type 2 challenge message carried in the `WWW-Authenticate: NTLM` header):
In this example, we send the request using Burp’s Repeater:
<aside> ⚠️
**PREMISE**
In order to complete the attack in a reasonable time, you need to know the domain name enumerated above and the username whose password you want to brute-force!
</aside>
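The decoding step that the NTLM Challenge Decoder performs on the `WWW-Authenticate: NTLM` header, as an added Python example that is not part of the original post or of the extension: it parses the Type 2 CHALLENGE_MESSAGE per MS-NLMP and lists the names the server discloses in its AV_PAIR list, which is also the quickest way for an administrator to check what an exposed IIS endpoint reveals. The sample challenge (host `WEB01`, `web01.superconfigure.com`) is constructed for the test, not captured from a real server.

```python
import base64
import struct

# AvId values from MS-NLMP 2.2.2.1 (AV_PAIR): what the server discloses about itself
AV_IDS = {1: "NetBIOS computer name", 2: "NetBIOS domain name",
          3: "DNS computer name", 4: "DNS domain name", 5: "DNS tree name"}
NEGOTIATE_UNICODE, NEGOTIATE_TARGET_INFO = 0x00000001, 0x00800000

def decode_challenge(header_value: str) -> dict:
    """Parse a 'WWW-Authenticate: NTLM <base64>' value (Type 2 message)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM challenge header")
    msg = base64.b64decode(token)
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE (Type 2)")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)  # TargetNameFields
    flags = struct.unpack_from("<I", msg, 20)[0]             # NegotiateFlags
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)  # TargetInfoFields
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"  # otherwise OEM text
    info = {"target_name": msg[tn_off:tn_off + tn_len].decode(enc), "flags": flags}
    pos = ti_off  # walk the AV_PAIR list (AvId, AvLen, Value) until MsvAvEOL (AvId 0)
    while pos + 4 <= ti_off + ti_len:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        if av_id == 0:
            break
        value, pos = msg[pos + 4:pos + 4 + av_len], pos + 4 + av_len
        if av_id in AV_IDS:
            info[AV_IDS[av_id]] = value.decode("utf-16-le")
    return info

def sample_challenge_header() -> str:
    """Constructed Type 2 message (not a real capture) so the decoder runs offline."""
    def av(av_id, text):
        data = text.encode("utf-16-le")
        return struct.pack("<HH", av_id, len(data)) + data
    target = "SUPERCONFIGURE".encode("utf-16-le")
    target_info = (av(2, "SUPERCONFIGURE") + av(1, "WEB01") + av(4, "superconfigure.com")
                   + av(3, "web01.superconfigure.com") + struct.pack("<HH", 0, 0))
    hdr = b"NTLMSSP\x00" + struct.pack("<I", 2)
    hdr += struct.pack("<HHI", len(target), len(target), 56)  # payload starts at 56
    hdr += struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_TARGET_INFO)
    hdr += b"\x11" * 8 + b"\x00" * 8                          # ServerChallenge, Reserved
    hdr += struct.pack("<HHI", len(target_info), len(target_info), 56 + len(target))
    hdr += b"\x00" * 8                                         # Version (not negotiated)
    return "NTLM " + base64.b64encode(hdr + target + target_info).decode()
```

Feed `decode_challenge` the header value of the first 401 response from the Repeater request above to see the same fields the extension shows.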
Tools used to brute-force hashes may not be applicable to NTLM HTTP authentication. Burp, for example, cannot brute-force NTLM authentication. Two tools that can be used to brute-force NTLM authentication are curl and wget.
To request NTLM authentication, pass `--ntlm` and specify the user with `-u user:password`:
```bash
curl --ntlm -u superconfigure.com\\mario:password https://website
```
One way for us to leverage the curl NTLM Authentication capability and brute-force passwords as well is to script it using Python.