erebe / wstunnel

Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available

proxy authentication ntlm #215

Closed SadarSSI closed 3 months ago

SadarSSI commented 3 months ago

Hello,

It's me again with my proxy stories ;-//.

The company I'm working with has changed its proxy authentication rules.

Authentication with the parameters "--http-proxy=proxy.entdom.loc:3128 --http-proxy-login=entdom.loc\MyName --http-proxy-password=MyPasswd" is no longer working.

Since I haven't been able to get any output from the exchanges between wstunnel and the proxy, I've been testing with curl. Here's what happens with the curl command that worked last week:

curl -viL https://www.monip.org/ --proxy entdom.loc\MyName:MyPasswd@proxy.entdom.loc:3128

or

curl -viL https://www.monip.org/ --proxy-user entdom.loc\MyName:MyPasswd --proxy proxy.entdom.loc:3129

Error: HTTP/1.1 407 Proxy Authentication Required

Detailed log:

curl -viL https://www.monip.org/ --proxy-user entdom.loc\myName:myPasswd --proxy http://proxy.entdom.loc:3129
*   Trying 172.24.2.1:3129...
* Connected to proxy.entdom.loc (172.24.2.1) port 3129 (#0)
* allocate connect buffer
* Establish HTTP proxy tunnel to www.monip.org:443
* Proxy auth using Basic with user 'entdom.loc\myName'
> CONNECT www.monip.org:443 HTTP/1.1
> Host: www.monip.org:443
> Proxy-Authorization: Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> User-Agent: curl/8.0.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Authentication Required
HTTP/1.1 407 Proxy Authentication Required
< Server: squid/4.13
Server: squid/4.13
< Mime-Version: 1.0
Mime-Version: 1.0
< Date: Wed, 17 Jan 2024 11:52:11 GMT
Date: Wed, 17 Jan 2024 11:52:11 GMT
< Content-Type: text/html;charset=utf-8
Content-Type: text/html;charset=utf-8
< Content-Length: 3613
Content-Length: 3613
< X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
< Vary: Accept-Language
Vary: Accept-Language
< Content-Language: en
Content-Language: en
< Proxy-Authenticate: Negotiate
Proxy-Authenticate: Negotiate
< Proxy-Authenticate: NTLM
Proxy-Authenticate: NTLM
< X-Cache: MISS from OLFEO-SQUID-69416651
X-Cache: MISS from OLFEO-SQUID-69416651
< X-Cache-Lookup: NONE from OLFEO-SQUID-69416651:3127
X-Cache-Lookup: NONE from OLFEO-SQUID-69416651:3127
< Connection: close
Connection: close
<

* Ignore 3613 bytes of response-body
* CONNECT tunnel failed, response 407
* Closing connection 0
curl: (56) CONNECT tunnel failed, response 407

Now, I'm required to specify the type of authentication implicitly with "--proxy-ntlm":

curl -viL https://www.monip.org/ --proxy-ntlm --proxy-user entdom.loc\myName:MyPasswd --proxy http://proxy.entdom.loc:3129
*   Trying 172.24.2.1:3129...
* Connected to proxy.entdom.loc (172.24.2.1) port 3129 (#0)
* allocate connect buffer
* Establish HTTP proxy tunnel to www.monip.org:443
* Proxy auth using NTLM with user 'entdom.loc\myName'
> CONNECT www.monip.org:443 HTTP/1.1
> Host: www.monip.org:443
> Proxy-Authorization: NTLM xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKAAAADw==
> User-Agent: curl/8.0.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Authentication Required
HTTP/1.1 407 Proxy Authentication Required
< Server: squid/4.13
Server: squid/4.13
< Mime-Version: 1.0
Mime-Version: 1.0
< Date: Wed, 17 Jan 2024 13:29:44 GMT
Date: Wed, 17 Jan 2024 13:29:44 GMT
< Content-Type: text/html;charset=utf-8
Content-Type: text/html;charset=utf-8
< Content-Length: 3691
Content-Length: 3691
< X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
< Vary: Accept-Language
Vary: Accept-Language
< Content-Language: en
Content-Language: en
< Proxy-Authenticate: NTLM yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyySdoBAAAAAA==
Proxy-Authenticate: NTLM yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyySdoBAAAAAA==
< X-Cache: MISS from OLFEO-SQUID-69416651
X-Cache: MISS from OLFEO-SQUID-69416651
< X-Cache-Lookup: NONE from OLFEO-SQUID-69416651:3127
X-Cache-Lookup: NONE from OLFEO-SQUID-69416651:3127
< Connection: keep-alive
Connection: keep-alive
<

* Ignore 3691 bytes of response-body
* Establish HTTP proxy tunnel to www.monip.org:443
* Proxy auth using NTLM with user 'entdom.loc\myName'
> CONNECT www.monip.org:443 HTTP/1.1
> Host: www.monip.org:443
> Proxy-Authorization: NTLM zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzjAAAAAAAAAAAA
> User-Agent: curl/8.0.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
HTTP/1.1 200 Connection established
<

* CONNECT phase completed
* CONNECT tunnel established, response 200
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.1
> GET / HTTP/1.1
> Host: www.monip.org
> User-Agent: curl/8.0.1
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Wed, 17 Jan 2024 13:29:45 GMT
Date: Wed, 17 Jan 2024 13:29:45 GMT
< Server: Apache/2.4.56 (Debian)
Server: Apache/2.4.56 (Debian)
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Content-Length: 374
Content-Length: 374
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8

<
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>

<head>
    <title>MonIP.org v1.0</title>
    <META http-equiv="Content-type" content="text/html; charset=UTF-8">
</head>
<P ALIGN="center"><FONT size=8><BR>IP : xx.xx.xx.xx<br></font><font size=3><i>xx.xx.xx</i><br></font><font size=1><br><br>Pas de proxy détecté - No Proxy detected</font></html>* Connection #0 to host proxy.entdom.loc left intact

This is a known behavior with NTLM authentication: it needs to be specified explicitly, otherwise it won't work.

I therefore tried to set an HTTP header with --http-headers "Proxy-Authenticate: NTLM" but it didn't work either.

I wasn't able to get a debug mode working in cmd.exe with "set RUST_LOG=debug" and "wstunnel client --log-lvl DEBUG xxxx": I didn't get any output to stdout/output screen, but I must be doing something wrong.

Thanks for your help
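
The two 407 responses in the curl traces above can be read mechanically: which schemes the proxy offers, and which NTLM message a token carries. This is an added example, not code from the issue or from wstunnel; the function names and the sample responses (including the stand-in challenge token) are constructed for illustration.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Constructed samples shaped like the two 407 responses in the traces above.
# The challenge token is a minimal stand-in, not a real server challenge.
FAKE_CHALLENGE = base64.b64encode(
    NTLM_SIGNATURE + struct.pack("<I", 2) + b"\x00" * 20).decode()
FIRST_407 = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
             "Proxy-Authenticate: Negotiate\r\n"
             "Proxy-Authenticate: NTLM\r\n"
             "Connection: close\r\n\r\n")
SECOND_407 = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
              f"Proxy-Authenticate: NTLM {FAKE_CHALLENGE}\r\n"
              "Connection: keep-alive\r\n\r\n")


def proxy_auth_offers(head: str) -> dict:
    """Map each Proxy-Authenticate scheme (upper-cased) to its token, if any."""
    offers = {}
    for line in head.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authenticate":
            scheme, _, token = value.strip().partition(" ")
            offers[scheme.upper()] = token.strip()
    return offers


def ntlm_message_type(token_b64: str) -> str:
    """Name the NTLM message in a base64 token (type is a LE uint32 at offset 8)."""
    raw = base64.b64decode(token_b64, validate=True)
    if len(raw) < 12 or not raw.startswith(NTLM_SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    return NTLM_TYPES.get(msg_type, f"UNKNOWN({msg_type})")


def diagnose(head: str, client_scheme: str) -> str:
    """Explain a proxy reply for a client that speaks only `client_scheme`."""
    if head.split()[1] != "407":
        return "proxy accepted the request"
    offers, scheme = proxy_auth_offers(head), client_scheme.upper()
    if scheme not in offers:
        return f"{client_scheme} not offered; proxy accepts: {', '.join(sorted(offers))}"
    if scheme == "NTLM" and offers[scheme]:
        kind = ntlm_message_type(offers[scheme])
        return f"NTLM {kind} received; answer on the same connection"
    return f"{client_scheme} offered; start authentication"
```

In the traces, the first 407 carries `Connection: close` while the challenge arrives with `Connection: keep-alive`: NTLM authenticates the connection, so the final message has to go out on the socket that received the challenge.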

erebe commented 3 months ago

Hello,

I need to take a look at how to support NTLM, but in the meantime you can use your own local proxy to pass requests to the NTLM proxy.
https://jfrog.com/help/r/jfrog-platform-administration-documentation/configure-an-ntlm-proxy
https://hub.docker.com/r/robertdebock/docker-cntlm/
https://cntlm.sourceforge.net/

SadarSSI commented 3 months ago

OK, I suggest you put this on standby for the moment because the NTLM implementation seems almost obsolete due to security issues.

It should be possible to work around this by using a squid proxy locally with cygwin, a proxy that would forward to the corporate proxy using NTLM (...). The configuration seems quite simple:

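# /etc/squid/squid.conf
# Send every request to the parent (corporate) proxy, passing these credentials
cache_peer other-proxy.example.com parent 3128 0 no-query default login=user:password
# Never contact origin servers directly; always go through the parent
never_direct allow all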

If it works, there will be no need to do this implementation.

I'll come back to you as soon as possible.

SadarSSI commented 3 months ago

Hello,

I have bypassed the issue of the proxy requiring NTLM authentication with a Python package called px_proxy.

This package allows you to run a local proxy that forwards to the corporate proxy using NTLM authentication. The stacking of layers is not ideal, but in my case for doing SSH tunneling to SSH or RDP, it works correctly.

I leave it to you to see the opportunity for implementing NTLM authentication in wstunnel.

Thanks

erebe commented 3 months ago

Thanks for letting me know. I am closing the issue, as NTLM seems cumbersome to support, so if I can avoid it :)