Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
RE: NTLM and man-in-the-middle proxies not working
From: Ofer Maor (ofer.hackticsgmail.com)
Date: Tue Sep 27 2005 - 05:10:36 CDT
I noticed this thread only today, and read back a litte, trying to figure
out the problems. We have had a lot of problems in the past with NTLM
authentication (I have actually discussed this with the developers of
Odysseus a long while ago), and proxies have had an actual problem handling
this, as amit has mentioned, due to the fact NTLM authentication depends on
a stateful end-to-end connection between the client and the server.
I can see from the discussion that some way has been found around it, yet I
understand you are still experiencing problems with it at your customer
site. While I am not certain of the problem there (quite hard
troubleshooting over the email ;), I can offer you a few other alternatives
which we have used over the years...
1. Move to use Burp Proxy (http://portswigger.net/proxy). It's not the best
interception proxy around, but handles NTLM (as well as Basic/Digest)
authentication for you. That means that your browser is not required to
submit the NTLM credentials, but the proxy provides them instead. As the
proxy maintains an end-to-end connection with the server, the problem is
2. If you dislike the Burp Proxy, you can mimick this behavior by chaining
two proxies. The first proxy would be your normal interception proxy
(Paros/WebScarab/Odysseus/etc.). The 2nd proxy is called 'NTLM Authorization
Proxy Server (APS)'. This tool which was originally designed for users of
non MS browsers who wish to connect to NTLM based servers. Basically, it
converts performs NTLM authentication with the server, and maintains the
authentcation with the browser using Basic Authentication (so you got
Browser---(Basic)--->Proxy----(NTLM)---->Server), with the basic credentials
provided in the browser used for the NTLM authentication.
3. 3rd option is to go to another approach, which personally I like the
best. The whole concept of interception proxies, in my opinion, is only a
workaround to an "ultimate" tool - which is an open browser that lets you
control the requests. While doing so in IE is not trivial (I have developed
a prototype of such an application, wrapping an IE COM object, but it is
still problematic), Mozilla Firefox now offers a wide range of plugins which
you can use to override various browser limitations, including the ability
to intercept every navigation event before it is sent out by the browser.
This way, you have nothing in the middle interfering, which solves a lot of
testing problems where man-in-the-middle is problematic, such as NTLM auth,
and even more so - SSL Client side certificates.