Re: NTLM and man-in-the-middle proxies not working

[Michael Eddington <meddington () gmail com>]

That isn't 100% true.  Because NTLM authenticates a TCP connection,
not a web request, a proxy must specifically support NTLM
authentication proxying or bad-things might happen.  To show IE that
this is supported the proxy must set the following header if
WWW-Authenticate header exists:

Proxy-Support: Session-Based-Authentication

this isn't well documented which is why most MITM proxies didn't
support NTLM for a long-ass time.

mike

On 9/19/05, Amit Klein (AKsecurity) <aksecurity () hotpop com> wrote:
> On 19 Sep 2005 at 10:52, Eoin Keary wrote:
>
> > I find Burp works well for MITM stuff
>
> With IE and NTLM? What version (maybe an old one)?
>
> The phenomenon I was talking about was actually observed 4 years ago.
>
> From a Squid-Dev posting by Chemolli Francesco (USI), Mon, 20 Aug 2001
> (http://www.squid-cache.org/mail-archive/squid-dev/200108/0152.html):
>
> "It is worth noticing that recent version of MS Internet Explorer
> WILL NOT EVEN ATTEMPT to perform NTLM authentication if a proxy
> is in use to reach the destination host."
>
> And I also verified this on IE 6.0 SP2 (WinXP SP2).
>
> -Amit
>
> > On 16/09/05, Amit Klein (AKsecurity) <aksecurity () hotpop com> wrote:
> > > On 15 Sep 2005 at 15:42, raymond_b_jimenez () yahoo com wrote:
> > >
> > > > Most interesting is the fact that IE passes IWA credentials over a proxy. I had put in a demo environment, and 
> > > > I did sucessfully manage to use IE/IWA through a proxy (in this case Odysseus). Just in case, I tested it again 
> > > > and it does pass IWA through proxy.
> > >
> > > Weird. I double checked (this time I used Odysseus, 2.0B10), but no good, my IE
> > > (6.0.3790.0) doesn't even ask me for the NTLM credentials when it's configured with a
> > > forward proxy. What's your IE version? Can other people check this please?