pwnfoo / Ntlmrecon

Licence: MIT
Enumerate information from NTLM authentication enabled web endpoints 🔎


NTLMRecon

A fast and flexible NTLM reconnaissance tool without external dependencies. Useful to find out information about NTLM endpoints when working with a large set of potential IP addresses and domains.

NTLMRecon is built with flexibility in mind. Need to run recon on a single URL, an IP address, an entire CIDR range, or a combination of all of them in a single input file? No problem! NTLMRecon has you covered. Read on.

Demo

[asciicast demo recording]

TODO

  1. Implement aiohttp based solution for sending requests
  2. Integrate a spraying library
  3. Add other authentication schemes found to the output
  4. Automatic detection of autodiscover domains if domain

Overview

NTLMRecon looks for NTLM enabled web endpoints, sends a fake authentication request and enumerates the following information from the NTLMSSP response:

  1. AD Domain Name
  2. Server name
  3. DNS Domain Name
  4. FQDN
  5. Parent DNS Domain

Since NTLMRecon leverages a python implementation of NTLMSSP, it eliminates the overhead of running Nmap NSE http-ntlm-info for every successful discovery.

On every successful discovery of an NTLM enabled web endpoint, the tool enumerates and saves information about the domain to a CSV file as follows:

URL                       Domain Name   Server Name   DNS Domain Name     FQDN                           DNS Domain
https://contoso.com/EWS/  XCORP         EXCHANGE01    xcorp.contoso.net   EXCHANGE01.xcorp.contoso.net   contoso.net
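The fields above are carried in the TargetInfo AV_PAIR list of the server's NTLMSSP CHALLENGE_MESSAGE (the base64 blob in its WWW-Authenticate: NTLM header), which is what lets a defender see exactly which internal names an exposed endpoint reveals. The following Python snippet is an added example, not code from the NTLMRecon project: it parses that list into the CSV columns shown above, and assembles a constructed challenge (sample names, an assumed flag value, a zeroed server challenge) so it runs offline.

```python
import base64
import struct

# AV_PAIR ids from the TargetInfo block of an NTLMSSP CHALLENGE_MESSAGE (MS-NLMP 2.2.2.1),
# mapped to the column names NTLMRecon writes to its CSV.
AV_COLUMNS = {
    2: "Domain Name",      # MsvAvNbDomainName
    1: "Server Name",      # MsvAvNbComputerName
    4: "DNS Domain Name",  # MsvAvDnsDomainName
    3: "FQDN",             # MsvAvDnsComputerName
    5: "DNS Domain",       # MsvAvDnsTreeName (forest root, i.e. the parent DNS domain)
}

def parse_ntlm_challenge(header_value):
    """Extract TargetInfo fields from a 'WWW-Authenticate: NTLM <base64>' header value."""
    token = header_value.split(None, 1)[1] if header_value.upper().startswith("NTLM ") else header_value
    msg = base64.b64decode(token)
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE (type 2)")
    # TargetInfoFields sit at offset 40: Len, MaxLen, BufferOffset (all little-endian)
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", msg, 40)
    if ti_off + ti_len > len(msg):
        raise ValueError("TargetInfo points outside the message")
    fields, pos, end = {}, ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        value = msg[pos:pos + av_len]
        pos += av_len
        if av_id in AV_COLUMNS:
            fields[AV_COLUMNS[av_id]] = value.decode("utf-16-le")
    return fields

def build_sample_challenge(target_name, av_pairs):
    """Assemble a CHALLENGE_MESSAGE from constructed values so the parser can run offline."""
    tn = target_name.encode("utf-16-le")
    ti = b"".join(struct.pack("<HH", i, len(v.encode("utf-16-le"))) + v.encode("utf-16-le")
                  for i, v in av_pairs) + struct.pack("<HH", 0, 0)
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(tn), len(tn), 56)            # TargetNameFields -> payload start
    msg += struct.pack("<I", 0x00828205)                        # NegotiateFlags (assumed sample value)
    msg += b"\x00" * 16                                         # ServerChallenge + Reserved (zeroed)
    msg += struct.pack("<HHI", len(ti), len(ti), 56 + len(tn))  # TargetInfoFields
    msg += b"\x00" * 8                                          # Version
    return "NTLM " + base64.b64encode(msg + tn + ti).decode()
```

Pointing parse_ntlm_challenge at the WWW-Authenticate value returned by one of your own endpoints shows, without any credentials, which hostnames and domain names it discloses to anyone who sends an NTLM negotiate request.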

Installation

BlackArch

NTLMRecon is already packaged for BlackArch and can be installed by running pacman -S ntlmrecon.

Arch

If you're on Arch Linux or any Arch linux based distribution, you can grab the latest build from the Arch User Repository.

Build from source

  1. Clone the repository: git clone https://github.com/sachinkamath/ntlmrecon/
  2. RECOMMENDED - Install virtualenv: pip install virtualenv
  3. Start a new virtual environment: virtualenv venv and activate it with source venv/bin/activate
  4. Run the setup file: python setup.py install
  5. Run ntlmrecon: ntlmrecon --help

Usage

$ ntlmrecon --help

         _   _ _____ _     ___  _________
        | \ | |_   _| |    |  \/  || ___ \
        |  \| | | | | |    | .  . || |_/ /___  ___ ___  _ __
        | . ` | | | | |    | |\/| ||    // _ \/ __/ _ \| '_ \
        | |\  | | | | |____| |  | || |\ \  __/ (_| (_) | | | |
        \_| \_/ \_/ \_____/\_|  |_/\_| \_\___|\___\___/|_| |_| - @pwnfoo

             v.0.4 beta - Y'all still exposing NTLM endpoints?

 Bug Reports, Feature Requests : https://git.io/JIR5z


usage: ntlmrecon [-h] [--input INPUT | --infile INFILE] [--wordlist WORDLIST]
                 [--threads THREADS] [--output-type] [--outfile OUTFILE]
                 [--random-user-agent] [--force-all] [--shuffle] [-f]

optional arguments:
  -h, --help            show this help message and exit
  --input INPUT, -i INPUT
                        Pass input as an IP address, URL or CIDR to enumerate
                        NTLM endpoints
  --infile INFILE, -I INFILE
                        Pass input from a local file
  --wordlist WORDLIST   Override the internal wordlist with a custom wordlist
  --threads THREADS     Set number of threads (Default: 10)
  --output-type, -o     Set output type. JSON (TODO) and CSV supported
                        (Default: CSV)
  --outfile OUTFILE, -O OUTFILE
                        Set output file name (Default: ntlmrecon.csv)
  --random-user-agent   TODO: Randomize user agents when sending requests
                        (Default: False)
  --force-all           Force enumerate all endpoints even if a valid endpoint
                        is found for a URL (Default : False)
  --shuffle             Break order of the input files
  -f, --force           Force replace output file if it already exists

Example Usage

Recon on a single URL

$ ntlmrecon --input https://mail.contoso.com --outfile ntlmrecon.csv

Recon on a CIDR range or IP address

$ ntlmrecon --input 192.168.1.1/24 --outfile ntlmrecon-ranges.csv

Recon on an input file

The tool automatically detects the type of input per line and gives you results automatically. CIDR ranges are expanded automatically even when read from a text file.

The input file can be something as mixed up as:

mail.contoso.com
CONTOSOHOSTNAME
10.0.13.2/28
192.168.222.1/24
https://mail.contoso.com

To run recon with an input file, just run:

$ ntlmrecon --infile /path/to/input/file --outfile ntlmrecon-fromfile.csv

Acknowledgements

Feedback

If you'd like to see a feature added into the tool or something doesn't work for you, please open a new issue.
