WebApp Sec mailing list archives
RE: NTLM and man-in-the-middle proxies not working
From: "Ofer Maor" <ofer.hacktics () gmail com>
Date: Tue, 27 Sep 2005 12:10:36 +0200
Hi,

I noticed this thread only today, and read back a little, trying to figure out the problems. We have had a lot of problems in the past with NTLM authentication (I have actually discussed this with the developers of Odysseus a long while ago), and proxies have had an actual problem handling this, as Amit has mentioned, due to the fact that NTLM authentication depends on a stateful end-to-end connection between the client and the server.

I can see from the discussion that some way has been found around it, yet I understand you are still experiencing problems with it at your customer site. While I am not certain of the problem there (quite hard troubleshooting over the email ;), I can offer you a few other alternatives which we have used over the years...

1. Move to use Burp Proxy (http://portswigger.net/proxy). It's not the best interception proxy around, but handles NTLM (as well as Basic/Digest) authentication for you. That means that your browser is not required to submit the NTLM credentials, but the proxy provides them instead. As the proxy maintains an end-to-end connection with the server, the problem is solved.

2. If you dislike the Burp Proxy, you can mimic this behavior by chaining two proxies. The first proxy would be your normal interception proxy (Paros/WebScarab/Odysseus/etc.). The 2nd proxy is called 'NTLM Authorization Proxy Server (APS)'. This tool was originally designed for users of non MS browsers who wish to connect to NTLM based servers. Basically, it performs NTLM authentication with the server, and maintains the authentication with the browser using Basic Authentication (so you got Browser---(Basic)--->Proxy----(NTLM)---->Server), with the basic credentials provided in the browser used for the NTLM authentication.

3. The 3rd option is to go to another approach, which personally I like the best. The whole concept of interception proxies, in my opinion, is only a workaround to an "ultimate" tool - which is an open browser that lets you control the requests. While doing so in IE is not trivial (I have developed a prototype of such an application, wrapping an IE COM object, but it is still problematic), Mozilla Firefox now offers a wide range of plugins which you can use to override various browser limitations, including the ability to intercept every navigation event before it is sent out by the browser. This way, you have nothing in the middle interfering, which solves a lot of testing problems where man-in-the-middle is problematic, such as NTLM auth, and even more so - SSL Client side certificates.

Good luck.

---
Ofer Maor
CTO
Hacktics Ltd.
Mobile: +972-54-6545406
Office: +972-9-9565840
Fax: +972-9-9500047
Web: www.hacktics.com
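
A small check for the connection-bound handshake described in the message above, as an added example that is not part of the original post: it reads the NTLM message type out of each auth header and flags a Type 3 message sent on a server-side connection that did not carry the Type 1/Type 2 exchange. The trace format, function names and sample tokens are constructed for illustration.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"  # signature that starts every NTLM message

def make_token(msg_type):
    """Constructed sample header value: signature + type only, not a full NTLM message."""
    body = NTLMSSP + struct.pack("<I", msg_type) + b"\x00" * 8
    return "NTLM " + base64.b64encode(body).decode()

def ntlm_type(header_value):
    """Return the NTLM message type (1, 2, 3) in an auth header value, else None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.upper() != "NTLM" or not token.strip():
        return None  # other scheme, or the bare "NTLM" offer with no token
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP):
        return None
    return struct.unpack_from("<I", raw, 8)[0]

def broken_handshakes(trace):
    """trace: ordered (server_conn_id, header_value) pairs seen on the proxy's
    server side. Returns the indexes of Type 3 messages sent on a connection
    that did not carry the matching Type 1 and Type 2."""
    state, broken = {}, []
    for i, (conn, value) in enumerate(trace):
        t = ntlm_type(value)
        if t == 1:
            state[conn] = 1
        elif t == 2 and state.get(conn) == 1:
            state[conn] = 2
        elif t == 3:
            if state.get(conn) != 2:
                broken.append(i)
            state.pop(conn, None)
    return broken

# Constructed traces: one upstream connection per request vs. one kept open.
PER_REQUEST = [(1, "NTLM"), (2, make_token(1)), (2, make_token(2)), (3, make_token(3))]
KEEPALIVE = [(7, "NTLM"), (7, make_token(1)), (7, make_token(2)), (7, make_token(3))]

if __name__ == "__main__":
    print("per-request proxy:", broken_handshakes(PER_REQUEST))
    print("keep-alive proxy:", broken_handshakes(KEEPALIVE))
```

A non-empty result points at the request where the proxy moved the handshake onto a different server connection.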