问题
I have configured CNTLM Proxy Authorization on Windows with configuration file looking like,
Auth NTLM
PassNT XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
PassLM YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
PassNTLMv2 ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
Proxy proxy.xxxx.com:8080
Listen 3130
And I use localhost:3130
as proxy in LAN Settings, hit any URL on browser and it is asking for the password again!. If I enter the same password with which I generated the hash, it works. Simply the purpose of Cntlm is beaten. Has anybody faced this? How does this work? Is there any way to get around this problem?
回答1:
<EDIT> If you are using Windows then I strongly recommend px over Cntlm since it doesn't need any handsake mechanism.
Notes on px:
It is primarily designed to run on Windows systems and authenticates on behalf of the application using the currently logged in Windows user account
</EDIT>
1) Install CNTLM to default directory (on Windows, C:\Program Files (x86)\cntlm\ ).
2) Run cmd.exe
3) Type : cd "C:\Program Files (x86)\cntlm\"
4) Type : cntlm.exe -H -d your_domain -u your_username
It will ask your password. Enter your password and cntlm will give you some hashes. Something like this:
c:\Program Files (x86)\Cntlm>cntlm -H -d your_domain -u your_username
Password:
PassLM 4E9C185900C7CF0B6FFCB2044F81920C
PassNT 6E9F120B83EEA0E875CE8E6F9730EC9A
PassNTLMv2 2A0B7C2457FB7DD8DA4EB737C4FA224F
Now you have password hashed. Save them to a text editor.
5) Type : cntlm -M http://www.google.com
Again enter your password. It will give you something like this:
c:\Program Files (x86)\Cntlm>cntlm -M http://www.google.com
Password:
Config profile 1/4... Credentials rejected
Config profile 2/4... OK (HTTP code: 302)
----------------------------[ Profile 1 ]------
Auth NTLM
PassNT 6E9F120B83EEA0E875CE8E6F9730EC9A
PassLM 4E9C185900C7CF0B6FFCB2044F81920C
------------------------------------------------
Now you see that profile 2 is successful. Because it says OK for profile 2. It may be different on your system.
The trick is,
- if the Auth is NT, then you must use only PassNT
- if the Auth is LM, then you must use only PassLM
- if the Auth is NTLM, then you must use both PassNT and PassLM
- if the Auth is NTLMv2, then you must use only PassNTLMv2
Now we got all we want. For my configuration, Auth says NTLM so I will use both PassNT and PassLM in the cntlm.ini configuration file.
This is an example configuration file NTLM (not NTLMv2!):
#
# Cntlm Authentication Proxy Configuration File
#
Username yourusername
Domain yourdomain
Auth NTLM
PassNT 6E9F120B83EEA0E875CE8E6F9730EC9A
PassLM 4E9C185900C7CF0B6FFCB2044F81920C
Workstation yourhostname.yourdomain
# Most probably proxy.yourdomain:8080
Proxy yourProxyIP:yourProxyPort
NoProxy localhost, 127.0.0.*, 10.*, 192.168.*
Listen 3132
Gateway yes
6) To test your configuration, type: cntlm -c cntlm.ini -I -M http://www.google.com
7) To start cntlm, type: net start cntlm
Now you can use your computer's IP address and port 3132 as a proxy.
You can get the latest Cntlm binaries here: http://cntlm.sourceforge.net/
来源:https://stackoverflow.com/questions/19401468/why-is-cntlm-asking-for-password