Proxy with NTLM authentication: Difference between revisions

From Coolscript
Jump to navigation Jump to search
No edit summary
 
(25 intermediate revisions by the same user not shown)
Line 1: Line 1:
Many Corporates are using Proxys with [https://en.wikipedia.org/wiki/NT_LAN_Manager NTLM] authentication which gives you trouble on '''Linux''' because many commands like '''pip, git, wget, cpan, lynx ''' or even '''apt''' do '''NOT''' support NLTM authentication.<br>
Many large Corporates are using Proxys with [https://en.wikipedia.org/wiki/NT_LAN_Manager NTLM] authentication which gives you trouble on '''Linux''' because <br>
<br>The solution to mitigate can be '''cntlm''', a tiny tool which sits in between the client application and the corporate proxy.<br>
applications such as '''pip, git, wget, cpan, lynx ''' or even '''apt''' do '''NOT''' support NLTM authentication.<br>
<br>This wiki is about to explain how to setup cntlm.<br><br>
<br>The solution to mitigate can be '''cntlm''',<br>
This is a tiny proxy tool which sits on localhost between the client application and the corporate proxy.<br>
<br>This Wiki is about to explain how to setup '''cntlm'''.<br><br>
=Install cntlm on Debian/Ubuntu=
=Install cntlm on Debian/Ubuntu=
  apt-get install cntlm
  apt-get install cntlm
Line 7: Line 9:
=Configure cntlm=
=Configure cntlm=
==Create Password Hashes==
==Create Password Hashes==
cntlm supports password hashes which is strogly recommend to use,<br>
'''cntlm supports password hashes which is strongly recommend to use,<br>'''
*Create Password Hash:
*Create Password Hash:
  # cntlm -H -d domain.com -u username
  # cntlm -H -d domain.com -u username
Line 16: Line 18:


==Setup the cntlm configuration:==
==Setup the cntlm configuration:==
  #nano /etc/cntlm.conf
*Edit configuration (/etc/cntlm.conf):
*Sample configuration:
  # nano /etc/cntlm.conf
*Sample configuration (/etc/cntlm.conf):
  Username        username
  Username        username
  Domain          domain.com
  Domain          domain.com
Line 29: Line 32:


=Operating cntlm=
=Operating cntlm=
'''Use SystemD to control, tested on Debian11 and Ubuntu22  '''
  # systemctl status cntlm
  # systemctl status cntlm
  # systemctl stop cntlm  
  # systemctl stop cntlm  
Line 36: Line 40:


=Check cntlm=
=Check cntlm=
*Check for an open port, note that 127.0.0.1 should be used instead of 0.0.0.0 (gateway mode)
*Check for an open port, note that 127.0.0.1:3128 should be used instead of 0.0.0.0:3128 (gateway mode)
  # netstat -tpan | grep 3128
  # netstat -tpan | grep 3128
  tcp        0      0 127.0.0.1:3128          0.0.0.0:*              LISTEN      1622441/cntlm
  tcp        0      0 '''127.0.0.1:3128'''         0.0.0.0:*              LISTEN      1622441/cntlm
*Check syslog
*Check syslog
  tail -n 200 /var/log/syslog | grep cntlm
  # tail -n 5000 /var/log/syslog | grep cntlm
*Check process
*Check process
  # ps -e | grep cntlm
  # ps -e | grep cntlm

Latest revision as of 07:03, 28 September 2022

Many large Corporates are using Proxys with NTLM authentication which gives you trouble on Linux because
applications such as pip, git, wget, cpan, lynx or even apt do NOT support NLTM authentication.

The solution to mitigate can be cntlm,
This is a tiny proxy tool which sits on localhost between the client application and the corporate proxy.

This Wiki is about to explain how to setup cntlm.

Install cntlm on Debian/Ubuntu

apt-get install cntlm

Configure cntlm

Create Password Hashes

cntlm supports password hashes which is strongly recommend to use,

  • Create Password Hash:
# cntlm -H -d domain.com -u username
Password:
PassLM          48A840A3F27888D0552C4BCA4AEBFB11
PassNT          831DE0E83F51180463145ACD2FAB9529
PassNTLMv2      ACDA91797DCFDAF15CFE369C2EE28AE9    # Only for user 'username', domain 'domain.com'

Setup the cntlm configuration:

  • Edit configuration (/etc/cntlm.conf):
# nano /etc/cntlm.conf
  • Sample configuration (/etc/cntlm.conf):
Username        username
Domain          domain.com
Proxy           wwwproxy.corp.com:8080
NoProxy         localhost, 127.0.0.*, 10.*, 192.168.*
Listen          3128
#Paste the above user credentials into here
PassLM          48A840A3F27888D0552C4BCA4AEBFB11
PassNT          831DE0E83F51180463145ACD2FAB9529
PassNTLMv2      ACDA91797DCFDAF15CFE369C2EE28AE9    # Only for user 'username', domain 'domain.com'

Operating cntlm

Use SystemD to control, tested on Debian11 and Ubuntu22

# systemctl status cntlm
# systemctl stop cntlm 
# systemctl start cntlm
# systemctl disable cntlm
# systemctl enable cntlm

Check cntlm

  • Check for an open port, note that 127.0.0.1:3128 should be used instead of 0.0.0.0:3128 (gateway mode)
# netstat -tpan | grep 3128
tcp        0      0 127.0.0.1:3128          0.0.0.0:*               LISTEN      1622441/cntlm
  • Check syslog
# tail -n 5000 /var/log/syslog | grep cntlm
  • Check process
# ps -e | grep cntlm

Test cntlm

  • Try without giving a password
# cntlm -M http://google.com
Password:
Config profile  1/4... OK (HTTP code: 301)
----------------------------[ Profile  0 ]------
Auth            NTLMv2
PassNTLMv2      4A3FCA2104D7B7B9683DB7472279XXXX
------------------------------------------------

Set Linux environment

export https_proxy=http://127.0.0.1:3128
export http_proxy=http://127.0.0.1:3128

Set APT environment

  • /etc/apt/apt.conf
Acquire::http::Proxy "http://127.0.0.1:3128";

Finalize

Tools such as

  • apt, apt-get, dpkg
  • pip
  • git
  • cpan
  • curl
  • wget
  • lynx

should now work without any proxy params