Proxy with NTLM authentication
		
		
		
Latest revision as of 07:03, 28 September 2022
Many large corporations use proxies with NTLM authentication, which causes trouble on Linux because applications such as pip, git, wget, cpan, lynx or even apt do NOT support NTLM authentication.
A workaround is cntlm, a tiny proxy tool which sits on localhost between the client application and the corporate proxy.
This wiki page explains how to set up cntlm.
Install cntlm on Debian/Ubuntu
apt-get install cntlm
Configure cntlm
Create Password Hashes
cntlm supports password hashes, and using them is strongly recommended.
- Create Password Hash:
# cntlm -H -d domain.com -u username
Password:
PassLM          48A840A3F27888D0552C4BCA4AEBFB11
PassNT          831DE0E83F51180463145ACD2FAB9529
PassNTLMv2      ACDA91797DCFDAF15CFE369C2EE28AE9    # Only for user 'username', domain 'domain.com'
Set up the cntlm configuration
- Edit configuration (/etc/cntlm.conf):
# nano /etc/cntlm.conf
- Sample configuration (/etc/cntlm.conf):
Username        username
Domain          domain.com
Proxy           wwwproxy.corp.com:8080
NoProxy         localhost, 127.0.0.*, 10.*, 192.168.*
Listen          3128
# Paste the above user credentials here
PassLM          48A840A3F27888D0552C4BCA4AEBFB11
PassNT          831DE0E83F51180463145ACD2FAB9529
PassNTLMv2      ACDA91797DCFDAF15CFE369C2EE28AE9    # Only for user 'username', domain 'domain.com'
Operating cntlm
Use systemd to control cntlm (tested on Debian 11 and Ubuntu 22):
# systemctl status cntlm
# systemctl stop cntlm
# systemctl start cntlm
# systemctl disable cntlm
# systemctl enable cntlm
Check cntlm
- Check for an open port. Note that cntlm should be listening on 127.0.0.1:3128, not on 0.0.0.0:3128 (gateway mode)
# netstat -tpan | grep 3128
tcp        0      0 127.0.0.1:3128          0.0.0.0:*               LISTEN      1622441/cntlm
- Check syslog
# tail -n 5000 /var/log/syslog | grep cntlm
- Check process
# ps -e | grep cntlm
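The loopback-versus-gateway check above can be made on the configuration file itself, before the service is started. The following is an added example, not part of the original wiki page: a small shell function that flags a plaintext `Password` line, `Gateway yes`, a `Listen` address that is not loopback, and group/other permissions on the file holding the hashes. The function name `audit_cntlm_conf` is made up for this example.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit a cntlm config for risky settings.
# Prints one "FINDING:" line per problem; returns 0 if clean, 1 if anything was found.
audit_cntlm_conf() {
    conf=$1
    findings=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    # A plaintext Password line makes the PassLM/PassNT/PassNTLMv2 hashes pointless.
    if grep -Eiq '^[[:space:]]*Password[[:space:]]+[^[:space:]]' "$conf"; then
        echo "FINDING: plaintext Password directive, use 'cntlm -H' hashes instead"
        findings=$((findings + 1))
    fi

    # Gateway mode puts the listener on 0.0.0.0, reachable from other hosts.
    if grep -Eiq '^[[:space:]]*Gateway[[:space:]]+yes' "$conf"; then
        echo "FINDING: Gateway yes, listener is exposed on all interfaces"
        findings=$((findings + 1))
    fi

    # A bare port ("Listen 3128") is the loopback case shown by netstat above;
    # flag any explicit address that is not loopback.
    for addr in $(sed -n 's/^[[:space:]]*Listen[[:space:]]\{1,\}\(.*\):[0-9]\{1,\}.*$/\1/p' "$conf"); do
        case $addr in
            127.*|localhost) ;;
            *) echo "FINDING: Listen bound to $addr"; findings=$((findings + 1)) ;;
        esac
    done

    # The stored hashes are what cntlm authenticates with: no group/other access.
    perms=$(ls -ld "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FINDING: group/other permissions '$perms' on $conf, expected mode 600"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Run against a file given on the command line, e.g. /etc/cntlm.conf
if [ "$#" -gt 0 ]; then audit_cntlm_conf "$1"; fi
```
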
Test cntlm
- Try without giving a password
# cntlm -M http://google.com
Password:
Config profile  1/4... OK (HTTP code: 301)
----------------------------[ Profile  0 ]------
Auth            NTLMv2
PassNTLMv2      4A3FCA2104D7B7B9683DB7472279XXXX
------------------------------------------------
Set Linux environment
export https_proxy=http://127.0.0.1:3128
export http_proxy=http://127.0.0.1:3128
Set APT environment
- /etc/apt/apt.conf
Acquire::http::Proxy "http://127.0.0.1:3128";
Finalize
Tools such as
- apt, apt-get, dpkg
- pip
- git
- cpan
- curl
- wget
- lynx
should now work without any proxy parameters.