Search code examples
proxyntlm

Why is CNTLM asking for password?

I have configured CNTLM Proxy Authorization on Windows with configuration file looking like,

Auth            NTLM
PassNT          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
PassLM          YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
PassNTLMv2      ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ

Proxy           proxy.xxxx.com:8080

Listen          3130

And I use localhost:3130 as proxy in LAN Settings, hit any URL on browser and it is asking for the password again!. If I enter the same password with which I generated the hash, it works. Simply the purpose of Cntlm is beaten. Has anybody faced this? How does this work? Is there any way to get around this problem?

Solution

  • <EDIT> If you are using Windows then I strongly recommend px over Cntlm since it doesn't need any handsake mechanism.

    Notes on px:

    It is primarily designed to run on Windows systems and authenticates on behalf of the application using the currently logged in Windows user account

    </EDIT>

    1) Install CNTLM to default directory (on Windows, C:\Program Files (x86)\cntlm\ ).

    2) Run cmd.exe

    3) Type : cd "C:\Program Files (x86)\cntlm\"

    4) Type : cntlm.exe -H -d your_domain -u your_username

    It will ask your password. Enter your password and cntlm will give you some hashes. Something like this:

    c:\Program Files (x86)\Cntlm>cntlm -H -d your_domain -u your_username
Password:
PassLM          4E9C185900C7CF0B6FFCB2044F81920C
PassNT          6E9F120B83EEA0E875CE8E6F9730EC9A
PassNTLMv2      2A0B7C2457FB7DD8DA4EB737C4FA224F

    Now you have password hashed. Save them to a text editor.

    5) Type : cntlm -M http://www.google.com

    Again enter your password. It will give you something like this:

    c:\Program Files (x86)\Cntlm>cntlm -M http://www.google.com
Password:
Config profile  1/4... Credentials rejected
Config profile  2/4... OK (HTTP code: 302)
----------------------------[ Profile  1 ]------
Auth            NTLM
PassNT          6E9F120B83EEA0E875CE8E6F9730EC9A
PassLM          4E9C185900C7CF0B6FFCB2044F81920C
------------------------------------------------

    Now you see that profile 2 is successful. Because it says OK for profile 2. It may be different on your system.

    The trick is,

    • if the Auth is NT, then you must use only PassNT
    • if the Auth is LM, then you must use only PassLM
    • if the Auth is NTLM, then you must use both PassNT and PassLM
    • if the Auth is NTLMv2, then you must use only PassNTLMv2

    Now we got all we want. For my configuration, Auth says NTLM so I will use both PassNT and PassLM in the cntlm.ini configuration file.

    This is an example configuration file NTLM (not NTLMv2!):

    #
# Cntlm Authentication Proxy Configuration File
#

Username yourusername
Domain yourdomain

Auth NTLM
PassNT 6E9F120B83EEA0E875CE8E6F9730EC9A
PassLM 4E9C185900C7CF0B6FFCB2044F81920C

Workstation yourhostname.yourdomain

# Most probably proxy.yourdomain:8080
Proxy  yourProxyIP:yourProxyPort

NoProxy  localhost, 127.0.0.*, 10.*, 192.168.*

Listen  3132

Gateway yes
# end of config

    6) To test your configuration, type: cntlm -c cntlm.ini -I -M http://www.google.com

    7) To start cntlm, type: net start cntlm

    Now you can use your computer's IP address and port 3132 as a proxy.

    You can get the latest Cntlm binaries here: http://cntlm.sourceforge.net/