Source: https://github.com/pwnfoo/NTLMRecon

Search for web paths that use NTLM authentication and extract the internal domain:

ntlmrecon --input <url> --outfile <file>