Brute-forcing Microsoft Lync via NTLM

OK, so there is good reason why Lync, like any single-factor system, should not be accessible over the Internet. BRUTE-FORCE will usually prevail!!!!

I installed Burp's certificate on my Windows host and attempted to log in from Lync (From this I saw an HTTP NTLM login request to

NTLM, like many other services, is fairly simple to brute-force, or to attempt one password guess against many accounts. I have used Hydra for this once before, but a colleague recently wrote a pretty decent Python script that makes it even easier, and you don't need to know all the switches etc. (
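Seen from the defender's side, the two patterns named above look different in failed-logon data. The following is an added example, not code from this post or the colleague's script: it classifies each source as password spraying or single-account brute force. The record layout, sample lines and thresholds are constructed assumptions, not a real Lync or IIS log format.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records (assumed layout): timestamp, source IP, account, outcome
SAMPLE = """\
2024-01-10T09:00:01,203.0.113.7,alice,FAIL
2024-01-10T09:00:09,203.0.113.7,bob,FAIL
2024-01-10T09:00:17,203.0.113.7,carol,FAIL
2024-01-10T09:00:25,203.0.113.7,dave,FAIL
2024-01-10T09:00:33,203.0.113.7,erin,FAIL
2024-01-10T09:02:00,192.0.2.44,carol,FAIL
2024-01-10T09:02:20,192.0.2.44,carol,OK
2024-01-10T09:05:00,198.51.100.9,bob,FAIL
2024-01-10T09:05:05,198.51.100.9,bob,FAIL
2024-01-10T09:05:10,198.51.100.9,bob,FAIL
2024-01-10T09:05:15,198.51.100.9,bob,FAIL
2024-01-10T09:05:20,198.51.100.9,bob,FAIL
"""

def parse(text):
    """Yield (time, source, account) for failed logons only."""
    for line in text.strip().splitlines():
        ts, src, user, outcome = line.split(",")
        if outcome == "FAIL":
            yield datetime.fromisoformat(ts), src, user.lower()

def classify(events, window=timedelta(minutes=10), min_accounts=5, min_guesses=5):
    """Map source IP -> 'spray' (many accounts) or 'brute-force' (one account hammered)."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    verdicts = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end, (ts, _) in enumerate(fails):
            while ts - fails[start][0] > window:  # slide the window forward
                start += 1
            per_user = Counter(u for _, u in fails[start:end + 1])
            if len(per_user) >= min_accounts:
                verdicts[src] = "spray"
                break
            if max(per_user.values()) >= min_guesses:
                verdicts[src] = "brute-force"
                break
    return verdicts

if __name__ == "__main__":
    print(classify(parse(SAMPLE)))
```

Account lockout thresholds catch the second pattern but not the first, which is why the spray check counts distinct accounts per source rather than failures per account.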

Anyway, to make obtaining the NTLM URL simple, I wrote a quick Python script that locates the company DNS records for lyncdiscover and then finds the NTLM URL, as shown below:

