Request website using NTLM (can do pass-the-hash if you change getNTLMSSPType3)
from impacket.ntlm import getNTLMSSPType1, getNTLMSSPType3
import requests
import base64
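# Replace these values with your IIS server details
target_url = "http://localhost"
username = "username"
password = "password"
domain = ''


def extract_ntlm_challenge(www_authenticate: "str | None") -> bytes:
    """Return the decoded NTLM Type 2 (challenge) message from a WWW-Authenticate value.

    The original gist sliced the header as ``header[5:]``, which assumes the
    value is exactly ``NTLM <base64>`` and raises ``TypeError`` when the header
    is absent. Servers may instead list several schemes in one comma-separated
    value (e.g. ``Negotiate, NTLM <base64>``), so the NTLM token is located by
    scheme name rather than by position.

    Args:
        www_authenticate: the raw ``WWW-Authenticate`` header value, or ``None``
            when the server sent none.

    Returns:
        The raw bytes of the NTLM challenge.

    Raises:
        RuntimeError: if the header is missing or contains no NTLM token with a
            payload, which means the Type 1 message was not accepted.
    """
    if not www_authenticate:
        raise RuntimeError("server sent no WWW-Authenticate header; NTLM negotiation failed")
    # Base64 never contains ',', so splitting on it cannot cut a challenge in half.
    for entry in www_authenticate.split(','):
        scheme, _, payload = entry.strip().partition(' ')
        if scheme.upper() == 'NTLM' and payload.strip():
            return base64.b64decode(payload.strip())
    raise RuntimeError(f"no NTLM challenge in WWW-Authenticate header: {www_authenticate!r}")


def main() -> None:
    """Run the three-leg NTLM handshake against ``target_url`` and print the final status."""
    # This must be performed within the same session, otherwise authentication will fail!
    with requests.Session() as session:
        # Leg 1: send the negotiation message (NTLM Type 1)
        ntlm_negotiate = getNTLMSSPType1()
        negotiate_b64 = base64.b64encode(ntlm_negotiate.getData()).decode('ascii')
        response = session.get(target_url, headers={'Authorization': f'NTLM {negotiate_b64}'})
        # Leg 2: pull the server's challenge (NTLM Type 2) out of WWW-Authenticate
        ntlm_challenge = extract_ntlm_challenge(response.headers.get('WWW-Authenticate'))
        # Leg 3: answer the challenge (NTLM Type 3); the session key is not needed here
        ntlm_authenticate, _session_key = getNTLMSSPType3(
            type1=ntlm_negotiate,
            type2=ntlm_challenge,
            user=username,
            password=password,
            domain=domain,
            use_ntlmv2=True)
        authenticate_b64 = base64.b64encode(ntlm_authenticate.getData()).decode('ascii')
        # Make the authenticated request
        response = session.get(target_url, headers={'Authorization': f'NTLM {authenticate_b64}'})
    # Print the server response
    print(f'Status code: {response.status_code}')


if __name__ == '__main__':
    main()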