Take the Matrix blog as an example for analysing the NTLM proxy authentication process. (Note that the cookie values shown in this article have been modified.)
{Analysis: note that this is a plain HTTP GET request, nothing more than a request for www.matrix.org.cn/blog/cas.}
/******************
Proxyserver -> client:
******************/
HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. )
Via: 1.1 proxyserver
Proxy-Authenticate: NTLM
Proxy-Authenticate: Kerberos
Proxy-Authenticate: Negotiate
Connection: keep-alive
Proxy-Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 2372
... HTML error page returned to the client; content omitted ...
{Analysis: the proxyserver now asks me for authentication information. The HTTP 407 status is the proxy counterpart of 401: the client must first authenticate to the proxy server. The Proxy-Authenticate headers list NTLM, Kerberos and Negotiate, so the client can negotiate with the proxy and then decide which one to use.}
/******************
Client -> proxyserver:
******************/
GET http://www.matrix.org.cn/blog/cas HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: zh-cn, en;q=0.8, zh;q=0.5, zh-tw;q=0.3
Cookie: user=CAS%3A%3aaq3htcasqnlhy%3A%3a1; matrix_user_cookie=y2fzfdgzmzm4mureltk17ustmuu4ms05otjdltjerdm4rergnkuyrg=
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon; .NET CLR 2.0.50215)
Host: www.matrix.org.cn
Proxy-Connection: keep-alive
Proxy-Authorization: NTLM tlmtvntuaabaaaab4iaogaaaaaaaaaaaa
Aaaaaaaaafajmiaaaad2 =
{Analysis: here the client sends its NTLM Type-1 message to the proxyserver. It carries the client's host name and domain name, so the proxyserver knows which domain account is involved; it then looks up the user's credentials on the domain server and challenges the client with a random string that must be encrypted with the user's password (see below).}
/******************
Proxyserver -> client:
******************/
HTTP/1.1 407 Proxy Authentication Required
Via: 1.1 proxyserver
Proxy-Authenticate:
NTLM tlmtvntuaacaaaagaayadgaaaafgogikmfj
Jzhstw0aaaaaaaaaaioaigbqaaaabqctcaaa
Aa9iae4asqbtaekalgbdae8atqauaematgac
Abgasaboaekauwbjac4aqwbpae0algbdae4a
Aqawafaaugbpafgawqbtaeuaugbwaeuauga
Eabgaaabuagkacwbpac4aywbvag0algbjag4a
Awawahaacgbvahgaeqbzaguacgb2aguacgaua
Ggabgbpahmaaqauagmabwbtac4aywbuaaaaa
AA =
Connection: keep-alive
Proxy-Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 0
{Analysis: in this step the proxyserver answers the Proxy-Authorization sent by my IE with the long string above, the NTLM Type-2 message. It is an authentication challenge to the client (IE). A challenge works like this: if you claim to be Zhang San, the server uses Zhang San's password to encrypt a piece of information; if you can tell the server what that information is, the server will trust you.}
/******************
Client -> proxyserver:
******************/
GET http://www.matrix.org.cn/blog/cas HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: zh-cn, en;q=0.8, zh;q=0.5, zh-tw;q=0.3
Proxy-Authorization:
NTLM tlmtvntuaadaaaagaayajiaaaayabgaqga
Aabgagabiaaaagaayagaaaaaaababaeaaaa
Aaaaadcaaaabykaoguakwgaaaapaabuagk
Acwbpac4aywbvag0algbjar4aaab1ageabg
Bnahoaaabhag8acqbpag4asabvaeeatgbha
Foasabbae8auqbjae4amqcgrq1i + bzleas2a
Kgexs/cfj3oorsi6prctaw2hyadawwbnqmpo1
Eptq7yjuh4sxd =
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon; .NET CLR 2.0.50215)
Host: www.matrix.org.cn
Proxy-Connection: keep-alive
Cookie: user=CAS%3A%3aaq3htcasqnlhy%3A%3a1; matrix_user_cookie=y2fzfdgzmzm4mureltk17ustmuu4ms05otjdltjerdm4rergnkuyrg=
{Analysis: OK. Here the IE client answers the proxyserver's challenge. The long value after NTLM above is the Type-3 challenge response. If this response is correct, the proxyserver acknowledges the user's identity and allows him to access Internet resources.}
/******************
Proxyserver -> client:
******************/
HTTP/1.1 301 Moved Permanently
Via: 1.1 proxyserver
Connection: keep-alive
Proxy-Connection: keep-alive
Content-Length: 158
Date: Wed, 21 Sep 2005 03:44:57 GMT
Location: http://www.matrix.org.cn/blog//cas/
Content-Type: text/html
Server: Microsoft-IIS/6.0
Object Moved
This document may be found here.
{Analysis: obviously the proxyserver has accepted my identity and forwarded my request to Matrix. Here there is a side episode: Matrix redirects the request (people familiar with HTTP will know that 301 means Moved Permanently, that is, the document the client asked for now lives elsewhere; the new URL is given in the Location header and the browser should automatically fetch it). For example, here a direct request for http://www.matrix.org.cn/blog/cas is redirected to http://www.matrix.org.cn/blog//cas/. Chris is probably backing up the data, right? The blog has problems quite often.}
/******************
Client -> proxyserver:
******************/
GET http://www.matrix.org.cn/blog//cas/ HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: zh-cn, en;q=0.8, zh;q=0.5, zh-tw;q=0.3
If-Modified-Since: Mon, 19 Sep 2005 03:19:14 GMT
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon; .NET CLR 2.0.50215)
Host: www.matrix.org.cn
Proxy-Connection: keep-alive
If-None-Match: "ea7c9ee9c8bcc51:10a4"
Cookie: user=CAS%3A%3aaq3htcasqnlhy%3A%3a1; matrix_user_cookie=y2fzfdgzmzm4mureltk17ustmuu4ms05otjdltjerdm4rergnkuyrg=
/******************
Proxyserver -> client:
******************/
HTTP/1.1 200 OK
Via: 1.1 proxyserver
Connection: keep-alive
Proxy-Connection: keep-alive
Content-Length: 36149
Date: Wed, 21 Sep 2005 03:44:57 GMT
Content-Location: http://www.matrix.org.cn/blog//cas/index.html
Content-Type: text/html
Server: Microsoft-IIS/6.0
Last-Modified: Tue, 20 Sep 2005 14:29:13 GMT
Accept-Ranges: bytes
ETag: "4a5cbacefbdc51:10ce"
... page content omitted ...
/******************
Client -> proxyserver:
******************/
GET http://www.matrix.org.cn/blog/cas/styles-site.css HTTP/1.0
Accept: */*
Referer: http://www.matrix.org.cn/blog//cas/
Accept-Language: zh-cn, en;q=0.8, zh;q=0.5, zh-tw;q=0.3
Proxy-Connection: keep-alive
If-Modified-Since: Sat, 13 Aug 2005 13:23:57 GMT
If-None-Match: "3cea6142aa0c51:10a4"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon; .NET CLR 2.0.50215)
Host: www.matrix.org.cn
Cookie: user=CAS%3A%3aaq3htcasqnlhy%3A%3a1; matrix_user_cookie=y2fzfdgzmzm4mureltk17ustmuu4ms05otjdltjerdm4rergnkuyrg=
/******************
Proxyserver -> client:
******************/
HTTP/1.1 200 OK
Via: 1.1 proxyserver
Connection: keep-alive
Proxy-Connection: keep-alive
Content-Length: 5379
Date: Wed, 21 Sep 2005 03:44:57 GMT
Content-Type: text/css
Server: Microsoft-IIS/6.0
Last-Modified: Sat, 13 Aug 2005 13:23:57 GMT
Accept-Ranges: bytes
ETag: "3cea6142aa0c51:10ce"
body {
margin: 0px 0px 20px 0px;
background: #FFF;
}
a {color: #003366; text-decoration: underline;}
a:link {color: #003366; text-decoration: underline;}
..... styles-site.css content omitted .....
padding-right: 15px;
padding-top: 5px;
padding-bottom: 5px;
}
Note that the message structures below are listed in reverse order (Type 3 first, then Type 2, then Type 1); this is intentional, so do not be confused by it.
Let us analyse the Type-3 message. Its structure is as follows:

         0       1       2       3
     +-------+-------+-------+-------+
 0:  |  'N'  |  'T'  |  'L'  |  'M'  |
     +-------+-------+-------+-------+
 4:  |  'S'  |  'S'  |  'P'  |   0   |
     +-------+-------+-------+-------+
 8:  |   3   |   0   |   0   |   0   |
     +-------+-------+-------+-------+
12:  |          LM-Resp len          |
     +-------+-------+-------+-------+
16:  |  LM-Resp off  |   0   |   0   |
     +-------+-------+-------+-------+
20:  |          NT-Resp len          |
     +-------+-------+-------+-------+
24:  |  NT-Resp off  |   0   |   0   |
     +-------+-------+-------+-------+
28:  |         domain length         |
     +-------+-------+-------+-------+
32:  | domain offset |   0   |   0   |
     +-------+-------+-------+-------+
36:  |          user length          |
     +-------+-------+-------+-------+
40:  |  user offset  |   0   |   0   |
     +-------+-------+-------+-------+
44:  |          host length          |
     +-------+-------+-------+-------+
48:  |  host offset  |   0   |   0   |
     +-------+-------+-------+-------+
52:  |   0   |   0   |   0   |   0   |
     +-------+-------+-------+-------+
56:  |  message len  |   0   |   0   |
     +-------+-------+-------+-------+
60:  |  0x01 |  0x82 |   0   |   0   |
     +-------+-------+-------+-------+
64:  | domain string ...             |
     +-------+-------+-------+-------+
     | user string ...               |
     +-------+-------+-------+-------+
     | host string ...               |
     +-------+-------+-------+-------+
     | LanManager-response ...       |
     +-------+-------+-------+-------+
     | NT-response ...               |
     +-------+-------+-------+-------+

Domain string: the host's domain name (for example, davidturing.mydomain.com)
User string: the user name (for example, David Turing)
LanManager-response: DES-based hash processing
NT-response: MD4-based hash processing
For details, refer to:
http://samba.kn.vutbr.cz/samba/docs/man/Samba-Developers-Guide/pwencrypt.html
The Type-2 message is the second step of the three-way handshake:

         0       1       2       3
     +-------+-------+-------+-------+
 0:  |  'N'  |  'T'  |  'L'  |  'M'  |
     +-------+-------+-------+-------+
 4:  |  'S'  |  'S'  |  'P'  |   0   |
     +-------+-------+-------+-------+
 8:  |   2   |   0   |   0   |   0   |
     +-------+-------+-------+-------+
12:  |   0   |   0   |   0   |   0   |
     +-------+-------+-------+-------+
16:  |  message len  |   0   |   0   |
     +-------+-------+-------+-------+
20:  |  0x01 |  0x82 |   0   |   0   |
     +-------+-------+-------+-------+
24:  |                               |
     +          server nonce         +
28:  |                               |
     +-------+-------+-------+-------+
32:  |   0   |   0   |   0   |   0   |
     +-------+-------+-------+-------+
36:  |   0   |   0   |   0   |   0   |
     +-------+-------+-------+-------+

It carries the server nonce, which is the challenge; the Type-3 message must be constructed from this 8-byte random number.
In NTLM, this is the first step (the Type-1 message) of the three-way handshake. The client uses it to tell the server two things:
Host string: the host name of the client (for example, David Turing)
Domain string: the client's name in the domain (for example, davidturing.mydomain.com)
The structure of the Proxy-Authorization value is as follows:

         0       1       2       3
     +-------+-------+-------+-------+
 0:  |  'N'  |  'T'  |  'L'  |  'M'  |
     +-------+-------+-------+-------+
 4:  |  'S'  |  'S'  |  'P'  |   0   |
     +-------+-------+-------+-------+
 8:  |   1   |   0   |   0   |   0   |
     +-------+-------+-------+-------+
12:  |  0x03 |  0xb2 |   0   |   0   |
     +-------+-------+-------+-------+
16:  |         domain length         |
     +-------+-------+-------+-------+
20:  | domain offset |   0   |   0   |
     +-------+-------+-------+-------+
24:  |          host length          |
     +-------+-------+-------+-------+
28:  |  host offset  |   0   |   0   |
     +-------+-------+-------+-------+
32:  | host string ...               |
     +-------+-------+-------+-------+
     | domain string ...             |
     +-------+-------+-------+-------+

[If the diagram is too ugly, refer to:
http://www.innovation.ch/java/ntlm.html
]
Because the intercepted value is base64-encoded, you cannot read the host name and host domain name directly from the Proxy-Authorization value :)
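Since the three messages above are nothing more than fixed-offset structures, the clearest way to understand them (and to inspect a Proxy-Authorization value taken from a proxy log) is to build and parse them in code. The following Python is an added example, not code from the original post or from the pages it links. It follows the Type 1/2/3 layouts drawn above (host and domain strings from offset 32 in Type 1, the nonce at offset 24 in Type 2, the Type-3 payload from offset 64), uses host, domain and user names modelled on the test environment described below, and fills the LanManager and NT response fields with placeholder bytes instead of computing real hashes. Because every string is located through its length/offset field, the parser also copes with messages from real Windows clients, which may add further fixed fields (version, target information) ahead of the payload.

```python
import base64
import struct

# Added example, not code from the original post: build and parse NTLM Type 1/2/3
# messages with the fixed offsets drawn above. Names, nonce and responses are placeholders.

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x1  # bit 0 of the flags word: strings are UTF-16LE

def _codec(flags):
    return "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"

def _field(length, offset):
    """Security buffer: length, max length (same here), 4-byte offset."""
    return struct.pack("<HHI", length, length, offset)

def _read_field(msg, pos):
    """Follow the security buffer at 'pos', refusing offsets outside the message."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer at %d points outside the message" % pos)
    return msg[offset:offset + length]

def build_type1(host, domain, flags=0xB203):
    """Type 1: flags at 12, domain field at 16, host field at 24, strings from 32."""
    codec = _codec(flags)
    host_b, dom_b = host.encode(codec), domain.encode(codec)
    body = SIGNATURE + struct.pack("<II", 1, flags)
    body += _field(len(dom_b), 32 + len(host_b))  # domain string follows host string
    body += _field(len(host_b), 32)               # host string starts at offset 32
    return body + host_b + dom_b

def build_type2(nonce, flags=0x8201):
    """Type 2: empty target name at 12, flags at 20, 8-byte nonce at 24, zeros at 32."""
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes")
    body = SIGNATURE + struct.pack("<I", 2) + _field(0, 40)  # offset = message length
    return body + struct.pack("<I", flags) + nonce + b"\x00" * 8

def build_type3(domain, user, host, lm_resp, nt_resp, flags=0x8201):
    """Type 3: LM/NT response, domain, user, host fields; payload from offset 64."""
    codec = _codec(flags)
    parts = [domain.encode(codec), user.encode(codec), host.encode(codec), lm_resp, nt_resp]
    offsets, pos = [], 64
    for part in parts:
        offsets.append(pos)
        pos += len(part)
    body = SIGNATURE + struct.pack("<I", 3)
    body += _field(len(lm_resp), offsets[3]) + _field(len(nt_resp), offsets[4])
    for part, off in zip(parts[:3], offsets[:3]):  # domain, user, host
        body += _field(len(part), off)
    body += _field(0, pos) + struct.pack("<I", flags)  # empty session key, then flags
    return body + b"".join(parts)

def to_header(msg):
    """Encode a message as it travels in Proxy-Authorization / Proxy-Authenticate."""
    return "NTLM " + base64.b64encode(msg).decode("ascii")

def parse_ntlm(header_value):
    """Decode an 'NTLM <base64>' header value into its named fields."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    msg = base64.b64decode(b64)
    if len(msg) < 32 or msg[:8] != SIGNATURE:
        raise ValueError("bad NTLMSSP signature or truncated message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 1:
        flags = struct.unpack_from("<I", msg, 12)[0]
        return {"type": 1, "flags": flags,
                "domain": _read_field(msg, 16).decode(_codec(flags)),
                "host": _read_field(msg, 24).decode(_codec(flags))}
    if mtype == 2 and len(msg) >= 40:
        return {"type": 2, "flags": struct.unpack_from("<I", msg, 20)[0],
                "nonce": msg[24:32].hex()}
    if mtype == 3 and len(msg) >= 64:
        flags = struct.unpack_from("<I", msg, 60)[0]
        codec = _codec(flags)
        return {"type": 3, "flags": flags,
                "lm_response": _read_field(msg, 12).hex(),
                "nt_response": _read_field(msg, 20).hex(),
                "domain": _read_field(msg, 28).decode(codec),
                "user": _read_field(msg, 36).decode(codec),
                "host": _read_field(msg, 44).decode(codec)}
    raise ValueError("unknown or truncated NTLM message (type %d, %d bytes)" % (mtype, len(msg)))

def demo_handshake():
    """Round-trip the three handshake messages built from constructed values."""
    nonce = bytes.fromhex("0123456789abcdef")  # constructed, not a real challenge
    headers = [
        to_header(build_type1("DAVIDTURING", "MYDOMAIN")),
        to_header(build_type2(nonce)),
        to_header(build_type3("MYDOMAIN", "davidturing", "DAVIDTURING",
                              b"\x11" * 24, b"\x22" * 24)),  # placeholder responses
    ]
    return [parse_ntlm(h) for h in headers]
```

Calling demo_handshake() returns the three parsed dictionaries; feeding a real Proxy-Authorization value to parse_ntlm() instead shows which user, host and domain a client presented, which is what a defender reviewing proxy logs usually wants to know. The bounds check in _read_field matters because the offsets come from the peer and must never be trusted to point inside the buffer.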
Test environment:
Domain: mydomain.com
Domain host: davidturing.mydomain.com
Domain user: davidturing@mydomain.com
Proxy server: proxyserver.mydomain.com
1) Log on to the Windows domain (mydomain.com) with the user name "David Turing".
2) Open an IE window with url = http://www.matrix.org.cn/blog/cas/. The company lets employees reach the Internet only through proxyserver, so the IE client asks proxyserver to fetch the Matrix blog.
3) The proxy uses NTLM to authenticate the IE client, so IE (client) and proxyserver (server) perform the following three-way handshake:
1: C --> S   GET ...
2: C <-- S   401 Unauthorized
             WWW-Authenticate: NTLM
3: C --> S   GET ...
             Authorization: NTLM
4: C <-- S   401 Unauthorized
             WWW-Authenticate: NTLM
5: C --> S   GET ...
             Authorization: NTLM
6: C <-- S   200 OK
Against a proxy, as in the capture below, the same exchange uses 407 Proxy Authentication Required with Proxy-Authenticate and Proxy-Authorization in place of 401, WWW-Authenticate and Authorization.
It should be noted that NTLM is only one of the two Windows authentication methods; Kerberos is the other, and the more famous one. I will write another blog post about Kerberos authentication :)
4) I sniffed the handshake; the capture follows:
/******************
Client -> proxyserver:
******************/
GET http://www.matrix.org.cn/blog/cas HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: zh-cn, en;q=0.8, zh;q=0.5, zh-tw;q=0.3
Cookie: user=CAS%3A%3aaq3htcasqnlhy%3A%3a1; matrix_user_cookie=y2fzfdgzmzm4mureltk17ustmuu4ms05otjdltjerdm4rergnkuyrg=
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon; .NET CLR 2.0.50215)
Host: www.matrix.org.cn
Proxy-Connection: keep-alive