webappsec@securityfocus.com
[Top] [All Lists]

Re: NTLM and man-in-the-middle proxies not working

Subject: Re: NTLM and man-in-the-middle proxies not working
From:
Date: Thu, 22 Sep 2005 08:50:02 -0400
Quoting "Amit Klein (AKsecurity)" <aksecurity@xxxxxxxxxx>:

> On 19 Sep 2005 at 10:52, Eoin Keary wrote:
> 
> > I find Burp works well for MITM stuff
> > 
> 
> From a private correspondence with Eoin, I understand that he didn't use IE
> for this test, 
> so this information does not confirm/disprove anything about the phenomenon
> we discuss in 
> this thread.

For what it is worth as a data point, Michael Silk has had success in the past
using WebScarab to proxy SPNEGO authentication.

WebScarab did not (and does not currently) set the "Proxy-Support" header
mentioned below, so there seems to be some inconsistency here.

What happens is that the complete negotiation is visible in WebScarab. 
i.e. 
Request -> 401 Unauthorised (with auth schemes)
Request (with Negotiate) -> 401 Unauthorised (with a challenge)
Request (with Negotiate) -> 200

repeated for each new connection made.

Subsequent requests in the same connection SHOULD (I have no evidence either
way) not result in the 401's, since it is a connection oriented authentication,
rather than request oriented.

Here is the user-agent string from the log he showed me:

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.40607)

Maybe Michael can supply more details? Or maybe someone with access to
appropriate client and server environment (Amit?) could perform some tests
using WebScarab as their proxy?

Regards,

Rogan

<Prev in Thread] Current Thread [Next in Thread>