Re: [twsocket] How secure is the NTLM authentication?

2005-05-07 Thread Maurizio Lotauro
On 06-May-05 08:54:32 Marcello Vezzelli wrote:

> Maurizio Lotauro wrote:
>
>> Hello,
>>
>> I ran some authentication tests with the THttpCli component. I use
>> Ethereal to see what the component sends and receives. To my great
>> surprise, when the component authenticated using NTLM,
>> Ethereal showed me the credentials as clear text!!!
>> At this point the question is: is NTLM as secure as Basic?
>
> There is something wrong in your test.

Not in my test but in my eyes. What is shown are the user and host
name :-)
Sorry for the false alarm...

[...]

>> P.S. A little question to the Ethereal users. Does anyone know if it is
>> possible to monitor local TCP traffic?
>
> You mean loopback capture on local interfaces?

Exactly.

> I think this is not possible due to a limitation of the Windows IP stack.

:-(


Bye, Maurizio.


-- 
To unsubscribe or change your settings for TWSocket mailing list
please goto http://www.elists.org/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
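
Added example, not part of either post and not ICS or Ethereal code: a decoder for the third (Type 3) NTLM message of the handshake discussed in this thread, showing that the domain, user and workstation names are plain strings behind the base64 while the LM/NT fields are challenge responses. The sample message, the names EXAMPLEDOM, alice and WS01, the function names and the cp437 fallback for OEM strings are all constructed or assumed for illustration.

```python
import base64
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
FIELDS = ("lm_response", "nt_response", "domain", "user", "workstation")

def build_sample_type3():
    """Constructed sample: placeholder names, zero-filled 24-byte responses."""
    values = [b"\x00" * 24, b"\x00" * 24]
    values += [s.encode("utf-16-le") for s in ("EXAMPLEDOM", "alice", "WS01")]
    values.append(b"")  # empty session key field
    offset, descriptors, payload = 64, b"", b""
    for v in values:
        descriptors += struct.pack("<HHI", len(v), len(v), offset)
        payload += v
        offset += len(v)
    msg = b"NTLMSSP\x00" + struct.pack("<I", 3) + descriptors
    msg += struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + payload
    return "NTLM " + base64.b64encode(msg).decode("ascii")

def parse_type3(header_value):
    """Decode the value of an Authorization / Proxy-Authorization header."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM authorization value")
    msg = base64.b64decode(blob.strip(), validate=True)
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not a Type 3 (authenticate) message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Strings are UTF-16LE when the Unicode flag is set, otherwise OEM (cp437 assumed).
    codec = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"
    out = {}
    for i, name in enumerate(FIELDS):
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        if offset + length > len(msg):
            raise ValueError(f"{name} field points outside the message")
        raw = msg[offset:offset + length]
        # Names are readable text; the responses are opaque bytes, shown as hex.
        out[name] = raw.hex() if name.endswith("_response") else raw.decode(codec, "replace")
    return out

if __name__ == "__main__":
    for key, value in parse_type3(build_sample_type3()).items():
        print(f"{key:12} {value}")
```
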


Re: [twsocket] How secure is the NTLM authentication?

2005-05-06 Thread Marcello Vezzelli
Maurizio Lotauro wrote:
> Hello,
> I ran some authentication tests with the THttpCli component. I use
> Ethereal to see what the component sends and receives. To my great
> surprise, when the component authenticated using NTLM,
> Ethereal showed me the credentials as clear text!!!
> At this point the question is: is NTLM as secure as Basic?

There is something wrong in your test.
Have a look at this trace. I'm accessing Google via an ISA proxy with NTLM
auth using the Firefox browser.

GET http://www.google.it/ HTTP/1.1
Host: www.google.it
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.6) 
Gecko/20050318 Firefox/1.0.2
Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: it,it-it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: 
PREF=ID=14b8e3b92271573e:LD=it:TM=1101140627:LM=1101140629:S=n9UsGUmI-I7Ub2Eb

HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires 
authorization to fulfill the request. Access to the Web Proxy service is 
denied.  )
Via: 1.1 ISATEST
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM
Proxy-Authenticate: Digest 
qop=auth,algorithm=MD5-sess,nonce=a06234931252c501489c22b28ec04ccd70b868114600b40fe903b4674aff5653a72e0ac7b8d83e8a,opaque=f2dfc1e7794d3937edfd69ad407eca4e,charset=utf-8,realm=E-WORKS
Proxy-Authenticate: Basic realm=isatest.
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 4090

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
[..]
</HTML>
GET http://www.google.it/ HTTP/1.1
Host: www.google.it
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.6) 
Gecko/20050318 Firefox/1.0.2
Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: it,it-it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: 
PREF=ID=14b8e3b92271573e:LD=it:TM=1101140627:LM=1101140629:S=n9UsGUmI-I7Ub2Eb
Proxy-Authorization: NTLM 
TlRMTVNDUAABB7IIoAcABwDkBAAEACBWRVpaRS1XT1JLUw==

HTTP/1.1 407 Proxy Authentication Required ( Access is denied.  )
Via: 1.1 ISATEST
Proxy-Authenticate: NTLM 
TlRMTVNTUAACDgAOADgFgomiodYVvVBRS94AADoAOgBGBQLODgA9FAC0AVwBPAFIASwSTAAIADgBFAC0AVwBPAFIAAwBTAAEADgBJAFMAQQBUAEUAUwBUAAMADgBpAHMAYQB0AGUAcwB0AAA=
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 0

GET http://www.google.it/ HTTP/1.1
Host: www.google.it
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.7.6) 
Gecko/20050318 Firefox/1.0.2
Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: it,it-it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: 
PREF=ID=14b8e3b92271573e:LD=it:TM=1101140627:LM=1101140629:S=n9UsGUmI-I7Ub2Eb
Proxy-Authorization: NTLM 
TlRMTVNTUAADGAAYAGYYABgAfg4ADgBAEAAQAE4IAAgAXgCWBYKIoEUALQBXAE8AUgBWAFMATQBhAAIAYwBlAGwAbABvAFYARQBaAFoALwtv7CEX+D8AxtB3ZA6A2cblXkuvt/w6NB4WhDBm9wV8

HTTP/1.1 200 OK
Via: 1.1 ISATEST
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Transfer-Encoding: chunked
Date: Fri, 06 May 2005 07:49:12 GMT
Content-Type: text/html
Server: GWS/2.1
Cache-Control: private
a22
<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Google</title><style><!--
[..]
</html>
0


> P.S. A little question to the Ethereal users. Does anyone know if it is
> possible to monitor local TCP traffic?

You mean loopback capture on local interfaces?
I think this is not possible due to a limitation of the Windows IP stack.
Regards
--
Marcello Vezzelli
CTO
Software Development Department
E-Works s.r.l.
tel. +39 059 2929081
fax +39 059 2925035
Direzionale 70 - Via Giardini 456/c
41100 Modena - Italy