NTLMRecon is a lightweight Python reconnaissance tool that enumerates domain- and host-related information (NetBIOS and DNS names, target name, OS version) from web endpoints that accept NTLM authentication.
Enumerate information from NTLM authentication enabled web endpoints 🔎
This tool is primarily used by security professionals and penetration testers to identify NTLM-enabled web services and gather domain-related information from them across single URLs, IP ranges, or mixed input files. It works by sending an NTLM Type 1 (NEGOTIATE) message to each endpoint and decoding the Type 2 (CHALLENGE) message the server returns in its WWW-Authenticate header; that challenge carries the server's NetBIOS and DNS names, domain and forest names, and Windows version without any credentials being sent. This streamlines reconnaissance in environments with many potential targets by automating NTLM endpoint discovery and data extraction.
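To make concrete what an NTLM endpoint gives away, here is an added example (not ntlmrecon's own code) that builds the minimal Type 1 message such tools send, extracts the Type 2 challenge from a WWW-Authenticate header, and decodes its TargetName, Version and AV_PAIR fields. The challenge, the host names in it and the server challenge bytes are all constructed inline so the script runs offline; the field layout follows MS-NLMP.

```python
"""Decode the NTLM Type 2 (CHALLENGE) message an NTLM-enabled web endpoint returns.

Added illustration of the data such endpoints leak; not ntlmrecon's own code.
The sample challenge is constructed inline (see build_sample_type2) so this runs offline.
"""
import base64
import struct
from datetime import datetime, timedelta

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
# AvId values from the AV_PAIR structure in MS-NLMP 2.2.2.1
AV_NAMES = {1: "netbios_computer_name", 2: "netbios_domain_name",
            3: "dns_computer_name", 4: "dns_domain_name", 5: "dns_tree_name"}
MSV_AV_EOL, MSV_AV_TIMESTAMP = 0, 7


def type1_message() -> bytes:
    """Minimal NEGOTIATE message: empty domain/workstation, flags Unicode|OEM|RequestTarget|NTLM|AlwaysSign|NTLM2."""
    flags = 0x00000001 | 0x00000002 | 0x00000004 | 0x00000200 | 0x00008000 | 0x00080000
    return (b"NTLMSSP\x00" + struct.pack("<I", 1) + struct.pack("<I", flags)
            + struct.pack("<HHI", 0, 0, 32) + struct.pack("<HHI", 0, 0, 32))


def challenge_from_header(www_authenticate: str) -> bytes:
    """Pull the base64 Type 2 blob out of a 401 response's WWW-Authenticate header."""
    scheme, _, token = www_authenticate.strip().partition(" ")
    if scheme.upper() not in ("NTLM", "NEGOTIATE") or not token:
        raise ValueError("no NTLM challenge in header")
    blob = base64.b64decode(token)
    if not blob.startswith(b"NTLMSSP\x00"):
        raise ValueError("token is not raw NTLMSSP (Negotiate may wrap it in SPNEGO)")
    return blob


def filetime_to_iso(filetime: int) -> str:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO 8601."""
    return (datetime(1601, 1, 1) + timedelta(microseconds=filetime // 10)).isoformat()


def parse_type2(blob: bytes) -> dict:
    """Decode the fixed header, optional Version block and the AV_PAIR list of a CHALLENGE_MESSAGE."""
    if blob[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", blob, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", blob, 20)[0]                # NegotiateFlags
    ti_len, _, ti_off = struct.unpack_from("<HHI", blob, 40)   # TargetInfoFields
    name_enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    info = {"target_name": blob[tn_off:tn_off + tn_len].decode(name_enc),
            "negotiate_flags": flags,
            "server_challenge": blob[24:32].hex()}
    if flags & NTLMSSP_NEGOTIATE_VERSION:
        major, minor, build = struct.unpack_from("<BBH", blob, 48)
        info["os_version"] = f"{major}.{minor} build {build}"
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:                                       # walk AV_PAIRs until MsvAvEOL
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            break
        value = blob[pos:pos + av_len]
        pos += av_len
        if av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = value.decode("utf-16-le")  # AV_PAIR strings are always Unicode
        elif av_id == MSV_AV_TIMESTAMP:
            info["timestamp"] = filetime_to_iso(struct.unpack("<Q", value)[0])
    return info


def build_sample_type2() -> bytes:
    """Constructed challenge resembling what an IIS/Exchange host returns; every value here is made up."""
    u16 = lambda s: s.encode("utf-16-le")
    target_name = u16("CONTOSO")
    pairs = [(2, u16("CONTOSO")), (1, u16("EXCH01")), (4, u16("contoso.local")),
             (3, u16("exch01.contoso.local")), (5, u16("contoso.local")),
             (7, struct.pack("<Q", 132537600000000000)), (0, b"")]
    av_pairs = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in pairs)
    flags = (NTLMSSP_NEGOTIATE_UNICODE | 0x4 | 0x200 | 0x10000 | 0x800000 | NTLMSSP_NEGOTIATE_VERSION)
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target_name), len(target_name), 56)
    msg += struct.pack("<I", flags)
    msg += bytes.fromhex("0123456789abcdef")                    # ServerChallenge (constructed)
    msg += b"\x00" * 8                                          # Reserved
    msg += struct.pack("<HHI", len(av_pairs), len(av_pairs), 56 + len(target_name))
    msg += struct.pack("<BBHBBBB", 10, 0, 14393, 0, 0, 0, 15)  # Version 10.0 build 14393, NTLM rev 15
    return msg + target_name + av_pairs


def sample_header() -> str:
    """What a 401 response's WWW-Authenticate header would carry for the sample challenge."""
    return "NTLM " + base64.b64encode(build_sample_type2()).decode()


if __name__ == "__main__":
    for key, value in parse_type2(challenge_from_header(sample_header())).items():
        print(f"{key:22} {value}")
```

Against a live target the only network step missing is an HTTP request with `Authorization: NTLM <base64 of type1_message()>`; the 401 response's WWW-Authenticate header then feeds challenge_from_header. Note that a Negotiate header usually wraps NTLMSSP in SPNEGO, which this decoder deliberately rejects rather than misparsing.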
NTLMRecon does not currently de-duplicate the hosts produced by expanding CIDR ranges, so overlapping ranges, or a range plus a single IP that falls inside it, produce duplicate entries in the output. Planned features include asynchronous request handling and integration with password-spraying libraries. Installing inside a virtual environment is recommended to keep the tool's dependencies isolated.
Clone the repository: git clone https://github.com/pwnfoo/ntlmrecon/
Install virtualenv (recommended): pip install virtualenv
Create and activate a virtual environment: virtualenv venv && source venv/bin/activate
Run the setup script: python setup.py install
Run the tool with: ntlmrecon --help
Alternatively, install on BlackArch Linux using: pacman -S ntlmrecon
ntlmrecon --input https://mail.contoso.com --outfile ntlmrecon.csv
Run reconnaissance on a single URL and save output to a CSV file
ntlmrecon --input 192.168.1.1/24 --outfile ntlmrecon-ranges.csv
Run reconnaissance on every host in an IP CIDR range (expanded automatically) and save the results to a CSV file
ntlmrecon --input <input_file> --outfile <output_file>
Run reconnaissance on a mixed input file containing URLs, hostnames, IPs, and CIDR ranges; the input type of each line is detected automatically
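The mixed-input mode above (URLs, hostnames, IPs and CIDR ranges in one file) plus the de-duplication gap noted earlier suggest the following added example, which is not ntlmrecon's own code: it classifies each input line, expands CIDR ranges with the standard library, and keeps an order-preserving set so overlapping ranges and repeated hosts are probed once. It assumes that a bare hostname or IP should be probed over both https and http (ntlmrecon's own scheme handling may differ), and the input list is constructed inline.

```python
"""Classify mixed recon input (URLs, hostnames, IPs, CIDRs) and expand it into a de-duplicated target list.

Added example, not ntlmrecon's own code. Assumption: bare hosts are probed over https and http.
"""
import ipaddress

# Constructed sample input, as it might appear in an --input file
SAMPLE_INPUT = [
    "https://mail.contoso.com",
    "192.168.1.0/30",             # expands to .1 and .2
    "192.168.1.2",                # already covered by the range above
    "mail.contoso.com",           # same host as the first URL, bare
    "https://mail.contoso.com/",  # same URL with a trailing slash
    "# comment lines and blanks are skipped",
    "",
]


def classify(entry: str) -> str:
    """Return 'url', 'cidr', 'ip' or 'hostname' for one input line."""
    entry = entry.strip()
    if "://" in entry:
        return "url"
    try:
        ipaddress.ip_network(entry, strict=False)   # accepts 192.168.1.1/24 and IPv6
    except ValueError:
        return "hostname"
    return "cidr" if "/" in entry else "ip"


def expand(entries, schemes=("https", "http")) -> list:
    """Turn mixed entries into a de-duplicated, order-preserving list of base URLs."""
    seen, targets = set(), []

    def add(url: str) -> None:
        if url not in seen:            # de-duplication across ranges, single IPs and URLs
            seen.add(url)
            targets.append(url)

    for raw in entries:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        kind = classify(entry)
        if kind == "url":
            add(entry.rstrip("/"))
        elif kind in ("ip", "cidr"):
            net = ipaddress.ip_network(entry, strict=False)
            # /32 has no usable hosts() on older Pythons; treat it as the single address
            hosts = [net.network_address] if net.num_addresses == 1 else net.hosts()
            for host in hosts:
                for scheme in schemes:
                    add(f"{scheme}://{host}")
        else:
            for scheme in schemes:
                add(f"{scheme}://{entry}")
    return targets


if __name__ == "__main__":
    for target in expand(SAMPLE_INPUT):
        print(target)
```

The seven constructed lines collapse to six targets; without the `seen` set the same hosts would be probed nine times, which is exactly the duplicate-output behaviour the tool currently warns about.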