HackingExposed.com



NTLM Authorization Proxy Server
(from Chapter 5 of the First Edition)

Integrated Windows authentication (formerly known as NTLM authentication and Windows NT challenge/response authentication) uses Microsoft's proprietary NT LAN Manager (NTLM) authentication algorithm over HTTP. It is implemented primarily by Microsoft's Internet Explorer browser and IIS Web servers, but it is also available in other popular software such as Mozilla's Firefox browser through its support of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) Internet standard (RFC 2478), which negotiates Kerberos, NTLM, or whatever other authentication protocols the operating system supports (SSPI on Microsoft Windows; GSS-API on Linux, Mac OS X, and other UNIX-like systems).
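Over HTTP the NTLM handshake is a three-message exchange carried in headers: the client sends a Type 1 (negotiate) message in Authorization:, the server answers 401 with a Type 2 (challenge) message in WWW-Authenticate:, and the client replies with a Type 3 (response) message computed from the server's challenge. The following Python decodes a Type 2 message so you can see the server challenge, the negotiate flags, and the target information the server advertises. It is an added example written for this page, not code from APS; the sample challenge it builds is constructed (the domain, computer name and challenge bytes are made up), and the field layout follows the NTLMSSP CHALLENGE_MESSAGE structure that Microsoft later published as MS-NLMP.

```python
"""Decode an NTLM Type 2 (challenge) message from a WWW-Authenticate header.
Added example for this page, not code from APS.  Field layout follows the
NTLMSSP CHALLENGE_MESSAGE structure (Microsoft's MS-NLMP specification)."""
import base64
import struct

# Subset of the NTLMSSP negotiate flag bits (the same 32-bit word that the
# client advertises in its Type 1 message and the server echoes back here).
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

# AV_PAIR identifiers found in the TargetInfo block of a Type 2 message.
AV_IDS = {1: "NetBIOS computer", 2: "NetBIOS domain",
          3: "DNS computer", 4: "DNS domain"}


def _secbuf(data, off):
    """Return the bytes described by the security buffer (len, maxlen, offset) at off."""
    length, _maxlen, offset = struct.unpack_from("<HHI", data, off)
    return data[offset:offset + length]


def parse_type2(header_value):
    """Parse a 'WWW-Authenticate: NTLM <base64>' value into its challenge fields."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not b64:
        raise ValueError("not an NTLM challenge header")
    data = base64.b64decode(b64)
    if data[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", data, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    flags = struct.unpack_from("<I", data, 20)[0]
    codec = "utf-16-le" if flags & 0x00000001 else "ascii"
    target_info = {}
    if flags & 0x00800000:                      # NEGOTIATE_TARGET_INFO present
        info = _secbuf(data, 40)
        pos = 0
        while pos + 4 <= len(info):
            av_id, av_len = struct.unpack_from("<HH", info, pos)
            pos += 4
            if av_id == 0:                      # MsvAvEOL terminates the list
                break
            value = info[pos:pos + av_len]
            if av_id in AV_IDS:                 # name fields are UTF-16LE strings
                target_info[AV_IDS[av_id]] = value.decode("utf-16-le", "replace")
            else:                               # timestamps, flags etc.: keep raw hex
                target_info["av_id_%d" % av_id] = value.hex()
            pos += av_len
    return {
        "target": _secbuf(data, 12).decode(codec),
        "challenge": data[24:32].hex(),         # 8-byte server nonce the Type 3 must answer
        "flags": flags,
        "flag_names": sorted(n for bit, n in NTLM_FLAGS.items() if flags & bit),
        "target_info": target_info,
    }


def build_sample_type2():
    """Constructed Type 2 message for offline use; every value here is made up."""
    flags = 0x1 | 0x4 | 0x200 | 0x10000 | 0x80000 | 0x800000
    target = "OUTLAWS".encode("utf-16-le")
    av = b""
    for av_id, value in ((2, "OUTLAWS"), (1, "LOTHLORIEN")):
        v = value.encode("utf-16-le")
        av += struct.pack("<HH", av_id, len(v)) + v
    av += struct.pack("<HH", 0, 0)              # MsvAvEOL
    target_off = 48                             # fixed header: 48 bytes without version field
    av_off = target_off + len(target)
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target), len(target), target_off)
    msg += struct.pack("<I", flags)
    msg += bytes.fromhex("0123456789abcdef")    # server challenge (constructed)
    msg += b"\x00" * 8                          # context (unused here)
    msg += struct.pack("<HHI", len(av), len(av), av_off)
    msg += target + av
    return "NTLM " + base64.b64encode(msg).decode("ascii")


if __name__ == "__main__":
    for key, val in parse_type2(build_sample_type2()).items():
        print("%-12s %s" % (key, val))
```

Pointing parse_type2() at the WWW-Authenticate: value captured from a real 401 response shows exactly what the server demanded, which is the information you need before touching the NTLM_FLAGS option described below.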

Many Web security assessment tools do not support NTLM or SPNEGO. Achilles, whisker, nikto, and many others simply do not speak the NTLM authentication scheme, so whenever an application relies on this proprietary scheme your toolkit can be severely hampered. To assess a Web application that implements NTLM, you need a utility such as the NTLM Authorization Proxy Server (APS) by Dmitry Rozmanov. APS performs the NTLM handshake on your behalf, which lets you use standard HTTP analysis tools to examine NTLM-protected Web applications.

With APS installed, these tools work quite well against NTLM sites. You will also need a working install of the Python language. The tool does not require any compilation or additional modules that do not come with the standard Python distribution.

TIP: Cygwin's version of Python does not support a specific threading module used by APS. On the Windows platform, you'll have to use the ActivePython distribution from http://www.activestate.com/.

Before you execute the proxy, you must first customize the server.cfg file. Table 4-1 describes some of the available options and their purpose. Another benefit of using this proxy is that you can rewrite or add HTTP headers: specify them in the [CLIENT_HEADER] section of server.cfg. By default, APS sets the "Accept:" and "User-Agent:" headers. The User-Agent header is useful when you run tools such as wget, lynx, or whisker behind the proxy, although each of these tools lets you customize the User-Agent string anyway. A more useful case is a site that relies heavily on cookies for session management or authorization: you could hard-code a Cookie: value in this section to spoof or impersonate another user's session.

Server.cfg Options:
LISTEN_PORT -- The port on which APS listens for incoming traffic. Note that in the Unix environment you will need root privileges to open a port number below 1024.
PARENT_PROXY, PARENT_PROXY_PORT -- APS can be chained to another proxy. If you wish to use an additional server, place its IP address and port number here. If you will not be chaining a second proxy, leave PARENT_PROXY empty but still specify a port for PARENT_PROXY_PORT. Note that it is often necessary to use an SSL proxy such as stunnel here.
DOMAIN, USER, PASSWORD -- The user credentials for the NTLM authentication. If you leave PASSWORD blank, APS will prompt you for the user's password when the program starts. This is preferable to storing a password in cleartext.
FULL_NTLM -- Leave this set to 0 (zero). If you set it to 1, APS will use the Unicode version of NTLM authentication. The NTLM authentication scheme is poorly documented, so success with this set to 1 isn't guaranteed.
NTLM_FLAGS -- Another option that attempts to overcome the obscure nature of this authentication protocol. Unless you are comfortable with packet and protocol analysis, do not change this value.
ALLOW_EXTERNAL_CLIENTS -- Set this to 1 to allow any computer to connect to your proxy. If you do, any computer that can reach the proxy will authenticate to the target using the credentials specified in this file, not its own.
FRIENDLY_IPS -- Enter IP addresses, separated by spaces, on this line to allow only specific computers access to the proxy. If you use this option, set ALLOW_EXTERNAL_CLIENTS to 0. Note that you cannot specify wildcards or net masks in this option, only single IP addresses.
URL_LOG -- Set this option to 1 to log all URLs requested through APS. This is useful for auditing purposes.

The final section of the server.cfg file, [DEBUG], contains debugging directives for the tool. These are more useful for developing and improving APS as opposed to security testing for a Web application. However, the DEBUG and BIN_DEBUG options can be helpful for tracking a Web session in order to go back through the contents at a later time as part of the source-sifting phase.
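The options above carry two real risks for the tester: a proxy that anyone on the network can use will happily authenticate every stranger as you, and a password left in server.cfg is a cleartext credential on disk. The following Python audits a server.cfg for those mistakes. It is an added example written for this page, not a tool that ships with APS. The option names are the ones described above; the sample file is constructed, and its [GENERAL] and [NTLM_AUTH] section names are assumed (the page itself only names [CLIENT_HEADER] and [DEBUG]). The same file is shown twice: once with the weak settings and once corrected.

```python
"""Audit an APS server.cfg for settings that expose the proxy or the stored
NTLM credentials.  Added example for this page, not part of APS.  Section
names other than [CLIENT_HEADER] and [DEBUG] are assumed."""
import configparser
import ipaddress

# Constructed sample: anyone reachable can borrow BARNEY's credentials, the
# password sits in cleartext, and FRIENDLY_IPS holds a net mask APS cannot parse.
WEAK_CFG = """\
[GENERAL]
LISTEN_PORT:80
PARENT_PROXY:192.168.10.20
PARENT_PROXY_PORT:80
ALLOW_EXTERNAL_CLIENTS:1
FRIENDLY_IPS:192.168.10.0/24
URL_LOG:0

[CLIENT_HEADER]
Accept: image/gif, image/x-xbitmap, image/jpeg, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)

[NTLM_AUTH]
USER:BARNEY
DOMAIN:OUTLAWS
PASSWORD:s3cret
FULL_NTLM:0
NTLM_FLAGS:06820000

[DEBUG]
DEBUG:0
BIN_DEBUG:0
"""

# The same file with every finding corrected: only two named hosts may use the
# proxy, APS prompts for the password, and the listener needs no root.
HARDENED_CFG = (WEAK_CFG
                .replace("ALLOW_EXTERNAL_CLIENTS:1", "ALLOW_EXTERNAL_CLIENTS:0")
                .replace("FRIENDLY_IPS:192.168.10.0/24",
                         "FRIENDLY_IPS:192.168.10.5 192.168.10.6")
                .replace("PASSWORD:s3cret", "PASSWORD:")
                .replace("LISTEN_PORT:80", "LISTEN_PORT:5865"))


def load_cfg(text):
    """Parse APS's KEY:VALUE format; option names stay case-sensitive."""
    cp = configparser.ConfigParser(delimiters=(":",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _get(cp, option, default=""):
    """Look an option up in whichever section carries it."""
    for section in cp.sections():
        if cp.has_option(section, option):
            return cp.get(section, option).strip()
    return default


def audit(text):
    """Return a list of human-readable findings; an empty list means clean."""
    cp = load_cfg(text)
    findings = []
    allow_ext = _get(cp, "ALLOW_EXTERNAL_CLIENTS", "0") == "1"
    friendly = _get(cp, "FRIENDLY_IPS").split()
    if allow_ext:
        findings.append("ALLOW_EXTERNAL_CLIENTS=1: any host that can reach the proxy "
                        "authenticates to the target as %s\\%s"
                        % (_get(cp, "DOMAIN"), _get(cp, "USER")))
        if friendly:
            findings.append("FRIENDLY_IPS is pointless while ALLOW_EXTERNAL_CLIENTS=1; set it to 0")
    for entry in friendly:
        try:
            ipaddress.IPv4Address(entry)        # APS takes single addresses only
        except ValueError:
            findings.append("FRIENDLY_IPS entry %r is not a single IPv4 address "
                            "(no wildcards or net masks)" % entry)
    if _get(cp, "PASSWORD"):
        findings.append("PASSWORD is stored in cleartext; leave it blank so APS prompts at start")
    try:
        port = int(_get(cp, "LISTEN_PORT", "0"))
    except ValueError:
        port = 0
    if 0 < port < 1024:
        findings.append("LISTEN_PORT=%d needs root on Unix; an unprivileged port avoids that" % port)
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print("%s: %s" % (label, audit(cfg) or "no findings"))
```

Run it against your own server.cfg by replacing WEAK_CFG with the file's contents; the check is deliberately strict about FRIENDLY_IPS because a net mask there is silently not what APS will enforce.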

At this point, you should have a properly configured server.cfg file. Running APS is simple:

$ python main.py
NTLM authorization Proxy Server v0.9.7 at "lothlorien:80".
2001 (C) by Dmitry Rozmanov
-------------------------
Your NT password to be used:

Now, you can use any tool that normally breaks against NTLM authentication. For example, here's how you would run wget through the proxy. In this example, APS is listening on port 80 on the host at 192.168.10.23 and the target application that uses NTLM authentication is at www.victim.com:

$ export http_proxy=http://192.168.10.23:80/
$ wget -r http://www.victim.com/

It's honestly that simple!

TIP: Wget supports the http_proxy environment variable by default. Setting this variable depends on your command shell, but most likely uses the export or setenv command. Use "--proxy=on" to make sure wget uses the proxy.

NTLM Authorization Proxy Server and SSL
There will be other cases where the target Web application requires an SSL connection. APS itself speaks only cleartext HTTP, so to use it against an SSL site you need to set up an SSL proxy using stunnel or openssh. The first step is to set PARENT_PROXY and PARENT_PROXY_PORT in APS's server.cfg. In the following example, the target is still www.victim.com, the SSL proxy (using stunnel) listens on port 80 on host 192.168.10.20, and the Authorization Proxy Server listens on port 80 on host 192.168.10.10. You will have to go through quite a few steps just to get this to work, but hopefully the convoluted method pays off when you first run wget (or any other tool) through the proxy.
Here is the SSL proxy setup. Remember to use the -c option (client mode) because this stunnel accepts cleartext traffic from APS and wraps it in SSL toward the target:

$ stunnel -p clientcert.pem -f -d 80 -r www.victim.com:443 -c
2002.04.15 17:00:10 LOG5[1916:1416]: Using '80' as tcpwrapper service name
2002.04.15 17:00:10 LOG5[1916:1416]: stunnel 3.22 on x86-pc-mingw32-gnu WIN32 with OpenSSL 0.9.6c 21 dec 2001
2002.04.15 17:00:10 LOG5[1916:1416]: FD_SETSIZE=4096, file ulimit=-1 (unlimited) - 2000 clients allowed

Here is the APS configuration of the server.cfg file:
PARENT_PROXY:192.168.10.20
PARENT_PROXY_PORT:80
USER:BARNEY
DOMAIN:OUTLAWS
PASSWORD:

And the command to start APS:
$ python main.py
NTLM authorization Proxy Server v0.9.7 at "192.168.10.10:80".
2001 (C) by Dmitry Rozmanov
-------------------------
Your NT password to be used:

Finally, you set your tool's proxy setting to port 80 on 192.168.10.10 and you can run it against the NTLM application transparently!

If your browser forces you to start off with HTTPS, you will also need a second stunnel that terminates the SSL session from your Web browser and passes cleartext to APS. This command is almost exactly like the previous stunnel, only you omit the -c option so that stunnel runs in server mode; the certificate given with -p is now the one your browser sees, so expect a certificate-name warning for www.victim.com. Notice that you point this stunnel at the proxy server:

$ stunnel -p clientcert.pem -f -d 443 -r 192.168.10.10:80
2002.04.15 16:56:16 LOG5[464:1916]: Using '80' as tcpwrapper service name
2002.04.15 16:56:16 LOG5[464:1916]: stunnel 3.22 on x86-pc-mingw32-gnu WIN32 with OpenSSL 0.9.6c 21 dec 2001
2002.04.15 16:56:16 LOG5[464:1916]: FD_SETSIZE=4096, file ulimit=-1 (unlimited) - 2000 clients allowed

There's a final step for this second stunnel. You have to modify your system's /etc/hosts or winnt/system32/drivers/etc/hosts file so that www.victim.com resolves to 127.0.0.1. This is necessary so that the tool's initial request is sent through the stunnel listening on port 443; after that, each proxy in the chain handles the hostname properly. One caveat: the first stunnel resolves www.victim.com too (its -r argument), so if it runs on the same machine as your browser, give it the target's real IP address instead of the hostname, or the hosts entry will loop it back to 127.0.0.1. Admittedly, this is a drawn-out process and it would be much easier if APS supported SSL natively, but that's where you have the advantage of open source code. Use the source, Luke!



Copyright © 2003. All Rights Reserved. Designed by HTMLfx