Version 7 of NTLM

Updated 2006-11-30 14:02:07

This is Microsoft's NT/LanManager connection-oriented authentication protocol - sometimes referred to as NT Challenge/Response (NTCR). This protocol is commonly encountered on networks that use Microsoft products for firewalls, intranet servers and web proxy servers. It is also the authentication protocol used for SMB connections, which is what Windows and Samba use for file and printer sharing.

The basis of the scheme is a challenge-response protocol where the client sends the server a request that contains information about the NT domain and the client hostname. The server then replies with a random nonce value and the client then creates an authentication response using the user name, user's password and the nonce value. This is similar to the HTTP Digest authentication scheme in that the password is not sent across the network, but the client can demonstrate to the server that it knows the user's password.

Well - that's the theory. In practice there are a number of weaknesses in the NTLM protocol. The password is used twice, to generate an NT password hash and an LM password hash. The LM hash takes the user's password, capitalises it, and sets the length to 14 characters by padding with nul characters. This 14-byte value is split into two 7-byte halves, each of which is used as a DES key to encrypt a magic value ("\x4b\x47\x53\x21\x40\x23\x24\x25", i.e. "KGS!@#$%"), thus providing a 16-byte value to be sent to the server.

The NT password hash uses the MD4 message-digest (RFC 1320) to hash the Unicode (little-endian UTF-16) encoding of the user's password.

Pat Thoyts is currently working on supporting this scheme within Tcl as part of the autoproxy package. MD4 hashing is now part of tcllib, as is DES.


CAU wrote - There's a simple way to get around NTLM using basic authentication with Jos Decoster's http::geturl modification at HTTPS (Note: check for repeated lines in the code!) and a python-based authentication hack - ntlmaps.

A big advantage of ntlmaps for me, is it can make http requests behave like they were issued from a web-browser, which is an unexpected bonus when trying to tunnel through firewalls!

If anyone knows of a pure Tcl NTLM hack, I'd be very interested.

PT 29-Apr-2005: There is NTLM client code in the SASL module in tcllib now.


[ Category Internet ]