Proxy with NTLM authentication

From Coolscript
Revision as of 19:23, 27 September 2022 by Admin (talk | contribs)
Jump to navigation Jump to search

Many Corporates are using Proxys with NTLM authentication which gives you trouble on Linux as many commands such as pip or wget or cpan or even apt do not support NLTM authentication.
The solution can be cntlm, a tiny tool which sits in between the client application and the corporate proxy.

Install cntlm on Debian/Ubuntu

apt-get install cntlm

Configure cntlm

cntlm supports password hashes which is strogly recommend to use,
Create Password Hash:

# cntlm -H -d domain.com -u username
Password:
PassLM          48A840A3F27888D0552C4BCA4AEBFB11
PassNT          831DE0E83F51180463145ACD2FAB9529
PassNTLMv2      ACDA91797DCFDAF15CFE369C2EE28AE9    # Only for user 'username', domain 'domain.com'

Edit the cntlm configuration:

#nano /etc/cntlm.conf

Sample configuration:

Username        username
Domain          domain.com
Proxy           wwwproxy.corp.com:8080
NoProxy         localhost, 127.0.0.*, 10.*, 192.168.*
PassLM          48A840A3F27888D0552C4BCA4AEBFB11
PassNT          831DE0E83F51180463145ACD2FAB9529
PassNTLMv2      ACDA91797DCFDAF15CFE369C2EE28AE9    # Only for user 'username', domain 'domain.com'
Listen          3128

Start/Stop cntlm

# systemctl status cntlm
# systemctl stop cntlm 
# systemctl start cntlm
# systemctl disable cntlm

Check cntlm

  • Check for an open port, note that 127.0.0.1 should be used instead of 0.0.0.0 (gateway mode)
# netstat -tpan | grep 3128
tcp        0      0 127.0.0.1:3128          0.0.0.0:*               LISTEN      1622441/cntlm
  • Check syslog
tail -n 200 /var/log/syslog | grep cntlm
  • Check process
# ps -e | grep cntlm

Test cntlm

  • Try without giving a password
# cntlm -M http://google.com
Password:
Config profile  1/4... OK (HTTP code: 301)
----------------------------[ Profile  0 ]------
Auth            NTLMv2
PassNTLMv2      4A3FCA2104D7B7B9683DB7472279XXXX
------------------------------------------------

Set Linux environment

export https_proxy=http://127.0.0.1:3128
export http_proxy=http://127.0.0.1:3128

Set APT environment

  • /etc/apt/apt.conf
Acquire::http::Proxy "http://127.0.0.1:3128";

Finalize

Network tools such as

  • pip
  • cpan
  • curl
  • wget
  • lynx

should now work without any proxy params