Re: NTLM and man-in-the-middle proxies not working

Well, "internal browser" was a browser from inside the organization, while 
"external browser" was the browser from my machine. The browser I was using was 
really IE, with latest patches. 

Most interesting is the fact that IE passes IWA credentials over a proxy. I had 
put in a demo environment, and I did sucessfully manage to use IE/IWA through a 
proxy (in this case Odysseus). Just in case, I tested it again and it does pass 
IWA through proxy.

So the issue has to be something else...

rj

--- "Amit Klein (AKsecurity)" <aksecurity@hotpop.com> wrote:

> It's a bit unclear to me what "external brwoser" vs.
> "internal browser" are. 
>
> Anyway, I think I know why a browser may fail to do
> IWA through a forward proxy server - 
> that is, if this browser happens to be IE. As I
> mentioned in an earlier submission to this 
> list ("NTLM HTTP Authentication is insecure by
> design" - 
> http://www.securityfocus.com/archive/107/405587), IE
> doesn't send IWA (NTLM) credentials if 
> it is configured to use a proxy. Under "Scope of the
> attack" you can find the following 
> text:
> *) If IE is to be tricked, then it mustn't be
> configured with a
> forward proxy server. That means that the attack is
> effective for IE
> (only) with transparent proxy servers (such as ones
> used by many
> ISPs), and reverse proxy servers (as demonstrated
> above). The
> Mozilla browser has no such inhibitions, and
> therefore, a Mozilla
> shop (e.g. some universities and open source
> organizations) may be
> more vulnerable.