evengard / cntlm

PLEASE NOTE THAT THIS FORK IS NOT MAINTAINED! For the maintained fork please refer to https://github.com/versat/cntlm. Cntlm is an NTLM / NTLM Session Response / NTLMv2 authenticating HTTP proxy intended to help you break free from the chains of Microsoft proprietary world. More info on http://cntlm.sourceforge.net/ website. THIS VERSION SUPPORTS SSPI, WHICH ALLOWS USERS WITH SMARTCARD AUTHENTICATION TO USE IT ON WINDOWS BOXES!

License: GNU General Public License v2.0

C 88.09% Shell 3.45% Makefile 2.07% Inno Setup 6.39%

cntlm's Introduction

Hello!

I'm a C#/.NET developer from Russia. My resume (Russian only for now): resume.pdf

cntlm's Issues

yum update with cntlm fails

Hello!
I've configured yum on a CentOS 6.7 to use a CNTLM proxy but it fails. If I set Firefox to use that proxy it works but not yum. Here is the output when I do a yum update.

******* Round 1 C: 5, S: 6 *******!
Reading headers...
HEAD: GET http://mirrorlist.centos.org/?release=6&arch=i386&repo=os&infra=stock HTTP/1.1
User-Agent                     => urlgrabber/3.9.1 yum/3.2.29
Host                           => mirrorlist.centos.org
Accept                         => */*
Proxy-Connection               => Keep-Alive
NTLM Request:
           Domain: XXXXXX
         Hostname: vagrant
            Flags: 0xA208B205

Sending auth request...
User-Agent                     => urlgrabber/3.9.1 yum/3.2.29
Host                           => mirrorlist.centos.org
Accept                         => */*
Proxy-Connection               => Keep-Alive
Connection                     => Keep-Alive
Proxy-Authorization            => NTLM XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Reading auth response...
HEAD: HTTP/1.1 401 Unauthorized
Cache-Control                  => no-cache
Pragma                         => no-cache
WWW-Authenticate               => NTLM
Content-Type                   => text/html; charset=utf-8
Proxy-Connection               => close
Set-Cookie                     => BCSI-CS-9999999999999999=2; Path=/
Connection                     => close
Content-Length                 => 4259
Got 4259 too many bytes.
Proxy signals it's closing the connection.
Proxy closed connection (i=1, closed=1, so_closed=1). Reconnecting...
Sending headers...
User-Agent                     => urlgrabber/3.9.1 yum/3.2.29
Host                           => mirrorlist.centos.org
Accept                         => */*
Proxy-Connection               => Keep-Alive
Connection                     => Keep-Alive
No body.

******* Round 2 C: 5, S: 6 *******!
Reading headers...
HEAD: HTTP/1.1 401 Unauthorized
Cache-Control                  => no-cache
Pragma                         => no-cache
WWW-Authenticate               => NEGOTIATE
WWW-Authenticate               => NTLM
Content-Type                   => text/html; charset=utf-8
Proxy-Connection               => close
Set-Cookie                     => BCSI-CS-9999999999999999=2; Path=/
Connection                     => close
Content-Length                 => 4259
Sending headers...
Body included. Lenght: 4259
data_send: read 2048 of 2048 / 2048 of 4259 (errno = ok)
data_send: fds 5:6 warning -999 (connection closed)
Could not send whole body

Thread finished.
Joining thread 3077966704; rc: 0

This is my cntlm.ini

Username    xxxxxxxx
Domain      xxxxxx
PassLM          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
PassNT          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
PassNTLMv2      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Proxy       myproxy.internal:80
NoProxy     localhost, 127.0.0.*
Listen      127.0.0.1:3128
Gateway yes

This is what I put in my /etc/yum.cfg

.....
proxy=http://127.0.0.1:3128

And this is the output of yum update

yum update
Loaded plugins: fastestmirror
Setting up Update Process
Loading mirror speeds from cached hostfile
Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=6&arch=i386&repo=os&infra=stock error was
14: PYCURL ERROR 22 - "The requested URL returned error: 401 Unauthorized"
Error: Cannot find a valid baseurl for repo: base

What am I doing wrong? Thank you!

CNTLM fails after reboot on newer Linux distributions

On newer Linux distributions, /var/run links to /run which is a tmpfs directory cleared on each restart. This means that the /var/run/cntlm is deleted on reboot.

When the machine restarts, CNTLM first changes to the cntlm user, and then tries to create the pid file in this directory. Since the directory no longer exists, and /run is only writable by root, this fails.

The simplest solution would be for the daemon to write the pid-file as root, before changing to the non-privileged account.

A workaround is to modify /etc/sysconfig/cntlmd to point PIDFILE to a different location (e.g. PIDFILE="/tmp/cntlmd.pid").

Cygwin configure fails on windows 10

user_@DESKTOP-4K2H1C1 ~/cntlm

$ ./configure

./configure: line 12: $'\r': command not found
./configure: line 14: $'\r': command not found
./configure: line 18: syntax error near unexpected token $'do\r'' '/configure: line 18: for c in $CCS; do

How to compile on windows?

I have tried installing MingW+Msys, but this is not sufficient.
Has any other user tried building cntlm on Windows?

How cntlm uses DNS

It seems cntlm uses the window-server NTLM DNS, not the host that is running the cntlm app.
I run cntlm on an Ubuntu server and changed the /etc/hosts file to make some servers get the right IP, but it seems to have failed.

How does cntlm calculate hashes? Is it possible to use NTLM hash to calculate PassNTLMv2?

Hello!

I'm working in an environment with smartcard logon and NTLMv2/Kerberos enforced. Cntlm with NTLMSSPI is not an option (probably need NTLMv2 SSPI, which is not implemented at this moment), so I'm trying to "bypass" a corporate proxy with cntlm and the NTLM hash of the password, which I eventually know :)

I've noticed that cntlm -H results are different from the "standard" password hashes.
As far as I understand, NTLM hash is an MD4(unicode(Password)). For example, NTLM hash of "password" is 8846F7EAEE8FB117AD06BDD830B7586C. However, cntlm -H returns PassNT 77B9081511704EE852F94227CF48A793 for the same "password".

PassNTLMv2 value that is produced by cntlm -H is also different from "standard" HMACMD5(NTLMhash, uppercase username + domain).

I've found the appropriate portions of code in ntlm.c but unfortunately cannot understand why the hash functions work this way.

    char *ntlm_hash_nt_password(char *password) {
        char *u16, *keys;
        int len;

        keys = new(21 + 1);
        len = unicode(&u16, password);
        md4_buffer(u16, len, keys);     /* MD4 of the converted password into keys[0..15] */

        memset(keys+16, 0, 5);          /* zero bytes 16..20 of the 21-byte buffer */
        memset(u16, 0, len);            /* wipe the converted copy of the password */
        free(u16);

        return keys;
    }

    char *ntlm2_hash_password(char *username, char *domain, char *password) {
        char *tmp, *buf, *passnt, *passnt2;
        int len;

        passnt = ntlm_hash_nt_password(password);

        /* username followed by domain, both uppercased, then converted */
        buf = new(strlen(username)+strlen(domain) + 1);
        strcat(buf, username);
        strcat(buf, domain);
        uppercase(buf);
        len = unicode(&tmp, buf);

        /* HMAC-MD5 keyed with the first 16 bytes of passnt */
        passnt2 = new(16 + 1);
        hmac_md5(passnt, 16, tmp, len, passnt2);

        free(passnt);
        free(tmp);
        free(buf);

        return passnt2;
    }

The main question is:

Is it possible to implement "pass-the-hash"-like functionality in cntlm (calculate PassNTLMv2 from username, domain and NTLM password hash)?

NTLMv2 for SSPI?

Any chance of adding support for NTLMv2 authentication over SSPI (smartcard, passwordless authentication)? Plain NTLM over SSPI doesn't work for me.

Ta,
Boris

Patch implementing PAM support

I've been working on a patch to integrate cntlm with PAM. It uses shared memory for process communication and checks the user's uid in /proc/net/tcp (and, eventually, /proc/net/tcp6) for authenticity (only works in Linux).

It's very simple: first, the user logs in, then my PAM module generates all the NTLM hashes (using cntlm's functions) and saves them in the shared memory; second, cntlm is started (with a new flag: -Z) and looks for the user's uid in /proc/net/tcp (through the client TCP port), then copies its credentials from shared memory and voilà!!!

Limitations: only works with Linux, and cntlm runs on localhost (127.0.0.1).

PS1: I've already implemented this patch in a previous release (0.35), please check it out at http://pamcntlm.sf.net
PS2: As far as I know, Firefox only works with a 'hack': it is necessary to set a Windows user-agent in cntlm.conf :(
Example:
Header User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36

Tested using websense and Windows 2012 domain.
cntlm-0.92.3-pam_cntlm.patch.zip

Is this project dead?

Same as on SourceForge, the CNTLM project seems dead. Newer OSes are starting to have an array of issues.

Compiled version

Hello, could you please provide a pre-compiled release for this project? My team is very interested in this, however I can't seem to stand up an environment that can build this without errors. We are looking to deploy pre-configured packages to windows and mac computers.

Thank you in advance!
