
Re: NTLM and man-in-the-middle proxies not working

Subject: Re: NTLM and man-in-the-middle proxies not working
Date: Wed, 28 Sep 2005 09:27:45 -0700
Can you name the firefox plugins you are talking about?

----- Original Message ----- From: "Ofer Maor" <ofer.hacktics@gmail.com>
To: <raymond_b_jimenez@yahoo.com>; <webappsec@securityfocus.com>
Sent: Tuesday, September 27, 2005 3:10 AM
Subject: RE: NTLM and man-in-the-middle proxies not working



Hi,

I noticed this thread only today, and read back a little, trying to figure
out the problems. We have had a lot of problems in the past with NTLM
authentication (I have actually discussed this with the developers of
Odysseus a long while ago), and proxies have had an actual problem handling
this, as amit has mentioned, due to the fact NTLM authentication depends on
a stateful end-to-end connection between the client and the server.


I can see from the discussion that some way has been found around it, yet I
understand you are still experiencing problems with it at your customer
site. While I am not certain of the problem there (quite hard
troubleshooting over the email ;), I can offer you a few other alternatives
which we have used over the years...


1. Move to use Burp Proxy (http://portswigger.net/proxy). It's not the best
interception proxy around, but handles NTLM (as well as Basic/Digest)
authentication for you. That means that your browser is not required to
submit the NTLM credentials, but the proxy provides them instead. As the
proxy maintains an end-to-end connection with the server, the problem is
solved.


2. If you dislike the Burp Proxy, you can mimic this behavior by chaining
two proxies. The first proxy would be your normal interception proxy
(Paros/WebScarab/Odysseus/etc.). The 2nd proxy is called 'NTLM Authorization
Proxy Server (APS)'. This tool was originally designed for users of
non-MS browsers who wish to connect to NTLM based servers. Basically, it
performs NTLM authentication with the server, and maintains the
authentication with the browser using Basic Authentication (so you get
Browser---(Basic)--->Proxy----(NTLM)---->Server), with the basic credentials
provided in the browser used for the NTLM authentication.


3. 3rd option is to go to another approach, which personally I like the
best. The whole concept of interception proxies, in my opinion, is only a
workaround to an "ultimate" tool - which is an open browser that lets you
control the requests. While doing so in IE is not trivial (I have developed
a prototype of such an application, wrapping an IE COM object, but it is
still problematic), Mozilla Firefox now offers a wide range of plugins which
you can use to override various browser limitations, including the ability
to intercept every navigation event before it is sent out by the browser.
This way, you have nothing in the middle interfering, which solves a lot of
testing problems where man-in-the-middle is problematic, such as NTLM auth,
and even more so - SSL Client side certificates.


Good luck.


---
Ofer Maor
CTO
Hacktics Ltd.
Mobile: +972-54-6545406
Office: +972-9-9565840
Fax: +972-9-9500047
Web: www.hacktics.com
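The point the whole thread turns on is that NTLM state is bound to the TCP connection, not to the user, so a proxy that opens a fresh upstream connection per request can never finish the handshake, while a proxy that pins one upstream connection per client connection (option 1) or performs the handshake itself on the browser's behalf (option 2) works. The following Python simulation is an added example, not code from the thread or from Burp, APS or any tool named above: it sketches the negotiate/challenge/response shape of NTLM with a toy HMAC proof (not the real protocol), and the `Server`, `PerRequestProxy`, `PinnedProxy` and `BasicToNtlmBridge` classes, the `PASSWORD` value and the connection ids are all constructed for the illustration.

```python
"""Toy model of why a man-in-the-middle proxy breaks connection-bound
(NTLM-style) authentication, and of two proxy designs that survive it.
Constructed simulation: the handshake only mimics NTLM's
negotiate / challenge / response shape, it is not the real protocol."""
import hashlib
import hmac
import itertools
import os

PASSWORD = b"user-password"  # constructed shared secret, known to client and server


class Server:
    """Authentication state lives per *connection*, as with NTLM over HTTP."""

    def __init__(self, password=PASSWORD):
        self.password = password
        self.conns = {}  # conn_id -> {"challenge": bytes} or {"auth": True}

    def handle(self, conn_id, request):
        state = self.conns.setdefault(conn_id, {})
        if state.get("auth"):
            return 200, f"OK {request['path']}"  # connection already authenticated
        auth = request.get("authorization")
        if auth is None:
            return 401, "NTLM"  # no token yet: ask the client to negotiate
        kind, payload = auth
        if kind == "negotiate":
            state["challenge"] = os.urandom(8)  # challenge is bound to this connection
            return 401, ("challenge", state["challenge"])
        if kind == "response":  # must arrive on the connection that received the challenge
            challenge = state.pop("challenge", None)
            if challenge is None:
                return 401, "NTLM"  # fresh connection, nothing pending: start over
            expected = hmac.new(self.password, challenge, hashlib.sha256).digest()
            if hmac.compare_digest(expected, payload):
                state["auth"] = True
                return 200, f"OK {request['path']}"
        return 401, "NTLM"


def client_fetch(send, path, password=PASSWORD):
    """Drive the three-step handshake through `send`, whatever sits in front of the server."""
    status, body = send({"path": path})
    if status == 200:
        return status, body
    status, body = send({"path": path, "authorization": ("negotiate", b"")})
    if not (status == 401 and isinstance(body, tuple)):
        return status, body
    proof = hmac.new(password, body[1], hashlib.sha256).digest()
    return send({"path": path, "authorization": ("response", proof)})


class PerRequestProxy:
    """Opens a new upstream connection for every request: the response lands on a
    connection the server never challenged, so authentication can never complete."""

    def __init__(self, server):
        self.server, self.ids = server, itertools.count(1000)

    def send(self, request):
        return self.server.handle(next(self.ids), request)


class PinnedProxy:
    """Keeps one upstream connection per client connection: the end-to-end
    connection the thread says Burp maintains (option 1)."""

    def __init__(self, server, conn_id):
        self.server, self.conn_id = server, conn_id

    def send(self, request):
        return self.server.handle(self.conn_id, request)


class BasicToNtlmBridge:
    """Option 2: the browser speaks Basic to the proxy, and the proxy runs the
    challenge/response upstream itself on a pinned connection (APS-like bridge)."""

    def __init__(self, server, conn_id):
        self.upstream = PinnedProxy(server, conn_id)

    def send(self, request):
        password = request.get("basic")
        if password is None:
            return 401, "Basic"  # ask the browser for Basic credentials
        return client_fetch(self.upstream.send, request["path"], password)


def outcomes():
    """Status each proxy design gets for the same authenticated request."""
    server = Server()
    return {
        "per_request": client_fetch(PerRequestProxy(server).send, "/secret")[0],
        "pinned": client_fetch(PinnedProxy(server, 1).send, "/secret")[0],
        "bridge_ok": BasicToNtlmBridge(server, 2).send({"path": "/secret", "basic": PASSWORD})[0],
        "bridge_wrong_password": BasicToNtlmBridge(server, 3).send({"path": "/secret", "basic": b"nope"})[0],
    }


if __name__ == "__main__":
    for name, status in outcomes().items():
        print(f"{name:>22}: {status}")
```

Running it shows the per-request proxy stuck at 401 while the pinned proxy and the Basic-to-NTLM bridge reach 200; once a pinned connection is authenticated, later requests on it succeed with no Authorization header at all, which is exactly the state a connection-reusing proxy has to preserve.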



