HTTP NTLM Information Disclosure

medium Web App Scanning Plugin ID 114115

Synopsis

HTTP NTLM Information Disclosure

Description

Windows New Technology LAN Manager (NTLM) is a suite of Microsoft security protocols designed to offer authentication, integrity and confidentiality to users. In Windows environments, NTLM authentication is often supported over HTTP in order to protect access to specific resources. During the protocol negotation phase, the clients and the server exchange multiple encoded challenge-response messages.

By sending a fake NTLM authentication request, a remote server supporting this protocol will response with a NTLMSSP message and disclose information including NetBIOS, DNS and OS build version. By leveraging these information, an attacker could try conducting further attacks on the target environment.

Solution

The information disclosure is due to the NTLM protocol design and can be mitigated by disabling the NTLM authentication on the target server.

See Also

https://cyber.aon.com/aon_cyber_labs/http-ntlm-information-disclosure/

https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/understanding-http-authentication

Plugin Details

Severity: Medium

ID: 114115

Type: remote

Published: 12/11/2023

Updated: 12/11/2023

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 2.9

CVSS v2

Risk Factor: Low

Base Score: 2.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Low

Base Score: 3.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information