Skip to main content

hunt-ntlm-info

Identifies NTLM information disclosure vulnerabilities in internet-exposed IIS/SharePoint/Exchange servers for enhanced security assessments.

Install this skill

or
69/100

Security score

The hunt-ntlm-info skill was audited on May 29, 2026 and we found 9 security issues across 2 threat categories, including 1 high-severity. Review the findings below before installing.

Categories Tested

Security Issues

medium line 75

Base64 decode operation

SourceSKILL.md
754. **Parse the Type-2 challenge from the `WWW-Authenticate: NTLM <base64>` response header.** Base64-decode the value. The structure is NTLMSSP per MS-NLMP:
low line 151

Base64 decode operation

SourceSKILL.md
151b = base64.b64decode(m.group(1).decode("ascii"))
high line 77

Hex-encoded characters

SourceSKILL.md
77- Bytes 8-11: MessageType = `\x02\x00\x00\x00`
medium line 152

Hex-encoded characters

SourceSKILL.md
152assert b[:8] == b"NTLMSSP\x00"
low line 112

External URL reference

SourceSKILL.md
112"https://target.example/_api/web/CurrentUser" 2>&1 | grep -i "WWW-Authenticate"
low line 234

External URL reference

SourceSKILL.md
234Target: `https://target-portal.example/` — a enterprise dealer portal (test mirror) operated by a system integrator.
low line 256

External URL reference

SourceSKILL.md
256Target: `https://mail.example.com/EWS/Exchange.asmx`. Type-1 probe returns Type-2 with DNS Tree Name `corp.example.com` and DNS Computer Name `MAIL01.corp.example.com`. Confirms the Exchange edge is d
low line 260

External URL reference

SourceSKILL.md
260Target: `https://intranet.corp.example` (clearly internal, behind VPN). Type-1 returns full AV-pair set. Not reportable — this is intended NTLM behavior on intranet, and the disclosure is to authentic
low line 267

External URL reference

SourceSKILL.md
267- **`m365-entra-attack`** — Leaked NetBIOS domain + UPN suffix is the missing piece for a credible password spray. Chain primitive: NTLM Type-2 yields `corp.example.com` DNS tree → cross-reference Ent
Scanned on May 29, 2026
View Security Dashboard
Installation guide →
Rate this skill
Categorydevelopment
UpdatedJune 15, 2026
openclawapibackendsecurity-engineerbackend-developerdata-analystgithubdevelopmentdata analytics
AKasem1/claude-bug-bounty