[squid-users] ntlm_auth defaulting to succeed

Amos Jeffries squid3 at treenet.co.nz
Sun Dec 6 23:37:41 UTC 2015


On 7/12/2015 9:54 a.m., Noel Kelly wrote:
> Thanks for this Francesco.  I have been experimenting with the various
> authenticators without much success.
> 
> I have compiled squid-3.5.11 from source and ntlm_fake_auth doesn't
> appear to work.  I have scoured the docs and the forums but I can't find
> anyone saying it doesn't work.

It works if your clients accept a downgrade attack to NTLMv1.


> 
> I have it set up like this in my squid.conf:
> 
> auth_param ntlm program /usr/local/squid/libexec/ntlm_fake_auth -d -v -S
> 
> but I just get denied access whilst sending ADS 2008R2 domain
> authentication via Firefox:
> 
> ==> /usr/local/squid/var/logs/access.log <==
> 1449434911.652      0 192.168.5.35 TCP_DENIED/407 4473 GET
> http://www.bbc.co.uk/ - HIER_NONE/- text/html
> 
> ==> /usr/local/squid/var/logs/cache.log <==
> ntlm_fake_auth.cc(163): pid=30933 :Got 'YR' from Squid with data:
> [0000]   4E 54 4C 4D 53 53 50 00   01 00 00 00 07 82 08 A2 NTLMSSP.........
> [0010]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00 ................
> [0020]   06 01 B1 1D 00 00 00 0F   00 00 ........ ..
> ntlm_fake_auth.cc(185): pid=30933 :sending 'TT' to squid with data:
> [0000]   4E 54 4C 4D 53 53 50 00   02 00 00 00 09 00 09 00 NTLMSSP.........
> [0010]   AE AA AA AA 07 82 08 A2   E4 9D FA 04 45 14 D1 A5 ............E...
> [0020]   00 00 00 00 00 00 3A 00   57 4F 52 4B 47 52 4F 55 ........WORKGROU
> [0030]   50                                                  P
> 

That shows the first 407 out of the NTLM handshake being prepared by the
helper. Where is the second?


> ==> /usr/local/squid/var/logs/access.log <==
> 1449434911.660      0 192.168.5.35 TCP_DENIED/407 4640 GET
> http://www.bbc.co.uk/ - HIER_NONE/- text/html
> 1449434911.706      0 192.168.5.35 TCP_IMS_HIT/304 249 GET
> http://tex.uk.plc:8080/squid-internal-static/icons/SN.png - HIER_NONE/-
> image/png
> 1449434913.266      0 192.168.5.35 TCP_DENIED/407 4473 GET
> http://www.bbc.co.uk/ - HIER_NONE/- text/html

Either the client is not working correctly, or there are some missing
log lines earlier from the client. Note that NTLM auth may take many
seconds.

NTLM requires two 407 messages to perform its handshake. That cache.log
section is showing only the first step where the type-1 token (YR) is
being processed and type-2 (TT) generated for delivery to the UA.

The access.log is showing what appears to be only the final step, where
Squid is rejecting type-3 (KK) token and the UA is displaying the
auth-required error page message to the user.
If that UA is displaying errors based on the TT token, then it is flat
out broken.

> 
> I have tried ntlm_fake_auth.pl.in and ntlm_smb_lm_auth without success
> too.


SMB LM helper requires an NTLM downgrade attack all the way to plain-text
LM auth so Squid's simple helper can decrypt on the fly. It is
thankfully getting kind of rare to encounter software which supports LM.

Amos
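The diagnosis above hinges on reading which NTLM message type each token is (type-1 "YR", type-2 "TT", type-3 "KK") and what the client negotiated. The following is an added example, not code from the post or from Squid: a small NTLMSSP token decoder that tells the three message types apart, names the negotiate flags, and bounds-checks the offset/length descriptors instead of trusting them. The two sample tokens are re-typed from the hex dumps quoted in the post; the type-3 token is constructed here (hypothetical user "alice", domain "EXAMPLE") because the thread contains no KK token, and it is shaped like an NTLMv1 response so the v1/v2 check has something to report.

```python
import struct

# Sample tokens re-typed from the two hex dumps quoted in the post: the type-1
# "YR" token the browser sent and the type-2 "TT" token ntlm_fake_auth returned.
TYPE1_YR = bytes.fromhex(
    "4E544C4D53535000 01000000 078208A2"
    "00000000000000000000000000000000"
    "0601B11D0000000F 0000"
)
TYPE2_TT = bytes.fromhex(
    "4E544C4D53535000 02000000 09000900 AEAAAAAA 078208A2"
    "E49DFA044514D1A5 0000000000003A00 574F524B47524F5550"
)

SIGNATURE = b"NTLMSSP\x00"
MESSAGE_TYPES = {1: "NEGOTIATE (helper token YR)",
                 2: "CHALLENGE (helper token TT)",
                 3: "AUTHENTICATE (helper token KK)"}

# NegotiateFlags bits as defined in MS-NLMP (section 2.2.2.5).
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE", 0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET", 0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL", 0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM", 0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN", 0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO", 0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128", 0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

def flag_names(flags):
    return [name for bit, name in sorted(FLAGS.items()) if flags & bit]

def text_encoding(flags):
    # Strings are UTF-16LE when UNICODE was chosen, OEM/ASCII otherwise.
    return "utf-16-le" if flags & 0x1 and not flags & 0x2 else "latin-1"

def read_field(data, off):
    """(len, maxlen, offset) descriptor at `off`, or None if the header is short."""
    return struct.unpack_from("<HHI", data, off) if off + 8 <= len(data) else None

def read_payload(data, field):
    """Bytes a descriptor points at, or None when offset+len leave the token."""
    length, _, offset = field
    return data[offset:offset + length] if offset + length <= len(data) else None

def parse_ntlm(data):
    """Decode one NTLMSSP token into a dict; malformed fields land in 'problems'."""
    if len(data) < 12 or data[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP token")
    mtype = struct.unpack_from("<I", data, 8)[0]
    info = {"type": mtype, "type_name": MESSAGE_TYPES.get(mtype, "UNKNOWN"),
            "flags": 0, "problems": []}
    if mtype == 1 and len(data) >= 16:
        info["flags"] = struct.unpack_from("<I", data, 12)[0]
        if info["flags"] & 0x02000000 and len(data) >= 40:   # Version field present
            info["version"] = struct.unpack_from("<BBH", data, 32)  # major, minor, build
    elif mtype == 2 and len(data) >= 32:
        target = read_field(data, 12)
        info["flags"] = struct.unpack_from("<I", data, 20)[0]
        info["challenge"] = data[24:32].hex()
        info["target_name_offset"] = target[2]
        name = read_payload(data, target)
        if name is None:
            info["problems"].append("TargetName offset 0x%08X/len %d exceed %d-byte token"
                                    % (target[2], target[0], len(data)))
        info["target_name"] = None if name is None else name.decode(text_encoding(info["flags"]), "replace")
    elif mtype == 3 and len(data) >= 64:
        fields = [read_field(data, 12 + 8 * i) for i in range(6)]  # LM, NT, domain, user, ws, key
        info["flags"] = struct.unpack_from("<I", data, 60)[0]
        enc = text_encoding(info["flags"])
        for key, fld in (("domain", fields[2]), ("user", fields[3]), ("workstation", fields[4])):
            blob = read_payload(data, fld)
            info[key] = None if blob is None else blob.decode(enc, "replace")
        info["nt_response_len"] = fields[1][0]
        # A 24-byte NtChallengeResponse is the NTLMv1 shape; NTLMv2 responses are longer.
        info["ntlm_version"] = "v2" if fields[1][0] > 24 else "v1"
    else:
        info["problems"].append("token too short for message type %d" % mtype)
    info["flag_names"] = flag_names(info["flags"])
    return info

def build_type3_demo():
    """Constructed type-3 (KK) token: OEM strings, 24-byte responses (NTLMv1 shape)."""
    blobs = (b"\x11" * 24, b"\x22" * 24, b"EXAMPLE", b"alice", b"PC1", b"")
    fields, payload, base = b"", b"", 64
    for blob in blobs:
        fields += struct.pack("<HHI", len(blob), len(blob), base + len(payload))
        payload += blob
    return SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", 0x00000202) + payload

if __name__ == "__main__":
    for token in (TYPE1_YR, TYPE2_TT, build_type3_demo()):
        print(parse_ntlm(token))
```

Run against the post's own bytes, the YR token decodes as type 1 with flags 0xA2088207 and a Version field of 6.1 build 7601, and the TT token as type 2 whose TargetName descriptor carries offset 0xAAAAAAAE, far beyond the 49-byte token; the decoder reports that in `problems` rather than slicing past the buffer, which is the behaviour you want from anything that consumes tokens from an untrusted peer.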


