A fast and flexible NTLM


  1. Implement aiohttp based solution for sending requests
  2. Integrate a spraying library
  3. Add other authentication schemes found to the output
  4. Automatic detection of autodiscover domains if domain


NTLMRecon looks for NTLM enabled web endpoints, sends a fake authentication request and enumerates the following information from the NTLMSSP response:

  1. AD Domain Name
  2. Server name
  3. DNS Domain Name
  4. FQDN
  5. Parent DNS Domain

Since NTLMRecon leverages a python implementation of NTLMSSP, it eliminates the overhead of running Nmap NSE http-ntlm-info for every successful discovery.

On every successful discovery of a NTLM enabled web endpoint, the tool enumerates and saves information about the domain as follows to a CSV file :

URL Domain Name Server Name DNS Domain Name FQDN DNS Domain
https://contoso.com/EWS/ XCORP EXCHANGE01 xcorp.contoso.net EXCHANGE01.xcorp.contoso.net contoso.net



NTLMRecon is already packaged for BlackArch and can be installed by running pacman -S ntlmrecon


If you’re on Arch Linux or any Arch linux based distribution, you can grab the latest build from the Arch User Repository.

Build from source

  1. Clone the repository : git clone https://github.com/sachinkamath/ntlmrecon/
  2. RECOMMENDED – Install virtualenv : pip install virtualenv
  3. Start a new virtual environment : virtualenv venv and activate it with source venv/bin/activate
  4. Run the setup file : python setup.py install
  5. Run ntlmrecon : ntlmrecon --help


$ ntlmrecon --help

_ _ _____ _ ___ _________
| | |_ _| | | / || ___
| | | | | | | | . . || |_/ /___ ___ ___ _ __
| . ` | | | | | | |/| || // _ / __/ _ | '_
| | | | | | |____| | | || | __/ (_| (_) | | | |
_| _/ _/ _____/_| |_/_| ____|______/|_| |_| - @pwnfoo

v.0.4 beta - Y'all still exposing NTLM endpoints?

Bug Reports, Feature Requests : https://git.io/JIR5z

usage: ntlmrecon [-h] [--input INPUT | --infile INFILE] [--wordlist WORDLIST]
[--threads THREADS] [--output-type] [--outfile OUTFILE]
[--random-user-agent] [--force-all] [--shuffle] [-f]

optional arguments:
-h, --help show this help message and exit
--input INPUT, -i INPUT
Pass input as an IP address, URL or CIDR to enumerate
NTLM endpoints
--infile INFILE, -I INFILE
Pass input from a local file
--wordlist WORDLIST Override the internal wordlist with a custom wordlist
--threads THREADS Set number of threads (Default: 10)
--output-type, -o Set output type. JSON (TODO) and CSV supported
(Default: CSV)
Set output file name (Default: ntlmrecon.csv)
--random-user-agent TODO: Randomize user agents when sending requests
(Default: False)
--force-all Force enumerate all endpoints even if a valid endpoint
is found for a URL (Default : False)
--shuffle Break order of the input files
-f, --force Force replace output file if it already exists

Example Usage

Recon on a single URL

$ ntlmrecon --input https://mail.contoso.com --outfile ntlmrecon.csv

Recon on a CIDR range or IP address

$ ntlmrecon --input --outfile ntlmrecon-ranges.csv

Recon on an input file

The tool automatically detects the type of input per line and gives you results automatically. CIDR ranges are expanded automatically even when read from a text file.

Input file can be something as mixed up as :


To run recon with an input file, just run :

$ ntlmrecon --infile /path/to/input/file --outfile ntlmrecon-fromfile.csv


  • @nyxgeek for the idea behind ntlmscan.


If you’d like to see a feature added into the tool or something doesn’t work for you, please open a new issue.

Download NTLMRecon

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.


Original Source