Linux / Windows NTLM Authentication Proxy

As a Linux system administrator you might have noticed that Linux and NTLM proxies aren’t very good friends. When a company uses a Windows NTLM-compliant proxy, you might have issues connecting to the outside world. In fact, it’s not because you run Linux; it’s because your software package doesn’t know how to work with NTLM. Most third-party software developers don’t bother to implement NTLM in their software. And you know what, I personally think that they are right.


Cntlm is an NTLM / NTLM Session Response / NTLMv2 authenticating HTTP proxy, intended to help you break free from the chains of the Microsoft proprietary world. Once you’re locked behind a corporate proxy server that requires NTLM authentication, and you don’t use a tool like this, you’re done...

NTLM stands for NT LAN Manager; it belongs to the Microsoft security protocols suite. You can find more information on this wiki page.

How does it work?

Cntlm is a little program that runs without Administrator rights, meaning that any user can start it. The program starts a “local” proxy on a port higher than 1024 (this is required to run without Administrator rights). Next, your software can use this proxy (http, socks, etc.). The proxy will authenticate the traffic and forward it to the parent proxy.

Debian, Centos, Red Hat, or …. Windows?

The procedure should be the same for any Linux distribution or Windows operating system. You can download the right package for you over here. For this tutorial I’m using the cntlm_0.92.3_amd64.deb package.

dpkg -i cntlm_0.92.3_amd64.deb or rpm -i cntlm-0.92.3-1.x86_64.rpm will install the package on Debian / Ubuntu / CentOS / Red Hat / Fedora or any other Linux distribution that supports .deb or .rpm. For Windows, I advise you to use the cntlm-0.92.3-win32.zip package. You can unzip this and there is no need to install it.

OK, now that you downloaded the package and you installed / unzipped it, it is time to start the program. Now you can follow the Linux guide or the Windows guide, or both if you like my post ^^. Between you and me, the Windows guide refers to the Linux guide.

Linux

The installation will show you something like this:


The man page of CNTLM gives us the following information:

NAME
cntlm – authenticating HTTP(S) proxy with TCP/IP tunneling and acceleration

You can find the configuration file under /etc/cntlm.conf. I suggest you open this with vim, vi or nano.

The following lines are probably the most important ones.

Username    testuser
Domain      corp-uk
Password    password

Note: if you put your password in this file, it is stored in plain text. This might create a security risk. I suggest that you either use a hash or enter the password manually every time.

It’s fairly easy to create a hash: just run cntlm -v -H -c /etc/cntlm.conf
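Added example, not part of the original post: a small shell check for the risk noted above. It flags a plaintext Password line and a world-readable config file, and goes slightly beyond the post by also flagging a listener reachable from other hosts (the Gateway option and explicit Listen addresses described in the cntlm man page). The function names and the sample file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit a cntlm config file.
# Prints one finding per line; returns 0 if clean, 1 if anything was flagged.

# True if an active (not commented out) line has directive $2 [with value $3].
has_directive() {  # $1 = file, $2 = directive, $3 = optional value
    awk -v key="$2" -v want="$3" '
        /^[ \t]*[#;]/ { next }                            # skip comment lines
        $1 == key && (want == "" || $2 == want) { hit = 1 }
        END { exit !hit }' "$1"
}

audit_cntlm_conf() {  # $1 = path to cntlm.conf or cntlm.ini
    local conf="$1" findings=0
    if has_directive "$conf" Password; then
        echo "plaintext-password: use the hash lines printed by 'cntlm -H' instead"
        findings=1
    fi
    # A hash is enough to authenticate, so the file must stay private either way.
    if [ -n "$(find "$conf" -perm -004 -print)" ]; then
        echo "world-readable: chmod 600 $conf"
        findings=1
    fi
    # Gateway mode or a non-loopback Listen address lets other hosts use the proxy.
    if has_directive "$conf" Gateway yes; then
        echo "gateway-enabled: proxy listens on all interfaces"
        findings=1
    fi
    if awk '/^[ \t]*[#;]/ { next }
            $1 == "Listen" && $2 ~ /:/ && $2 !~ /^(127\.|localhost:)/ { hit = 1 }
            END { exit !hit }' "$conf"; then
        echo "non-loopback-listen: bind Listen to 127.0.0.1"
        findings=1
    fi
    return "$findings"
}

# Constructed sample config, using the example values shown in this post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Username  testuser
Domain    corp-uk
Password  password
#Gateway  yes
Listen    3128
EOF
chmod 644 "$sample"
audit_cntlm_conf "$sample" || echo "=> fix the findings above"
rm -f "$sample"
```

Run it against /etc/cntlm.conf (or cntlm.ini on Windows under a POSIX shell) after pasting in the hash lines and removing the Password line.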

My personal config file looks like this:

This is a very basic configuration file; you can do a lot more than I do with this config file. For more information, read the man pages. You can start the proxy with the following command.

cntlm -v -c /etc/cntlm.conf

-v     Print debugging information. Automatically enables (-f).

-f     Run in console as a foreground job, do not fork into background. In this mode, all syslog messages will be echoed to the console (on platforms which support syslog LOG_PERROR option). Though cntlm is primarily designed as a classic UNIX daemon with syslogd logging, it provides detailed verbose mode without detaching from the controlling terminal; see -v. In any case, all error and diagnostic messages are always sent to the system logger.

-c
Configuration file. Command-line options, if used, override its single options or are added at the top of the list for multi options (tunnels, parent proxies, etc) with the exception of ACLs, which are completely overridden. Use /dev/null to disable any config file.

If you get an error that the proxy can’t start because the port is in use, make sure that the program isn’t already running; you can stop it with /etc/init.d/cntlm stop. If you don’t want it to start automatically on the next boot, remove it from the run levels.

For Debian-based distributions, run the following command as root:

update-rc.d -f servicename remove

For CentOS and Red Hat, run the following command as root:

chkconfig servicename off

Windows

Look at the Linux configuration file. (Yes, it’s more or less the same.) I’m only going to explain how to start cntlm manually. If you want to run it as a service, please search the official wiki.

Navigate to the folder where you unzipped CNTLM. Now open a command prompt in this directory. (I think this is shift + right mouse click or ctrl + right mouse click). Next, type cntlm.exe -v -c cntlm.ini.

-v     Print debugging information. Automatically enables (-f).

-f     Run in console as a foreground job, do not fork into background. In this mode, all syslog messages will be echoed to the console (on platforms which support syslog LOG_PERROR option). Though cntlm is primarily designed as a classic UNIX daemon with syslogd logging, it provides detailed verbose mode without detaching from the controlling terminal; see -v. In any case, all error and diagnostic messages are always sent to the system logger.

-c
Configuration file. Command-line options, if used, override its single options or are added at the top of the list for multi options (tunnels, parent proxies, etc) with the exception of ACLs, which are completely overridden. Use /dev/null to disable any config file.

Your proxy should start.

If you don’t want to put your username and domain name in the configuration file, you can always pass them on the command line.

cntlm -fvI -u user@domain -c cntlm.ini 

This will start CNTLM and prompt you for a password.

OK, now what?

You have configured and started your proxy. Now you can start any program that knows how to work with a proxy. Let’s say, for example, that we are going to use Firefox: you must configure the proxy settings in Firefox.

Go to: tools -> options -> advanced -> network -> settings

A window should open, allowing you to configure your proxy settings. If you used (more or less) the same configuration file as I did, your proxy should be running on localhost:3128. Configure this as the HTTP proxy, apply it for all the protocols and press OK.

Close all the other windows and try to browse to a website. You should be able to surf. If you started cntlm as I told you (not automatically), you can now look at your prompt. Lots of text is flying over the screen.

If you can’t connect or can’t load any pages, read the output from the console; you might be using a wrong password or the wrong NTLM type.

Remember that you can use ANY program that understands proxy settings. You could start putty and / or other programs. For example, you could configure your proxy in Linux (yum or apt) in order to update your system. I will add this information pretty soon.

This short tutorial was just the tip of the iceberg of what you can do with Cntlm. I suggest that you read either the man page or the official wiki.

If you have any questions regarding cntlm, feel free to comment.

Kr.







11 comments

  1. Exotic Hadron says:

    Hello,

    Thank you for this brief help! For some reason, I get this error when trying to access a site in Internet Explorer 10 on Windows 8:
    cntlm: PID : Proxy returning invalid challenge!

    I am starting cntlm using this command line:

    C:\Program Files (x86)\Cntlm>cntlm.exe -v

    Requesting hashes for all supported authentication protocols worked fine:

    C:\Program Files (x86)\Cntlm>cntlm.exe -u -H -I -v

    I’ve got 3 hashes which I put into INI file. I’ve chosen NTLMv2, PassNT, PassLM (one at a single time of course; I commented out other two).

    Also, requesting hash for the best-guessed authentication also worked fine:
    C:\Program Files (x86)\Cntlm>cntlm.exe -u -H -I -v
    That returned a response with:

    HEAD: HTTP/1.1 302 Found
    OK (HTTP code: 302)
    —————————-[ Profile 0 ]——
    Auth NTLMv2
    PassNTLMv2 HASHGOESHERE
    ————————————————

    Have you any thoughts on why connecting through cntlm configured with specified hashes returns
    cntlm: PID : Proxy returning invalid challenge!

    Thank you.

    • Yorkim Parmentier says:

      Hi,

      First of all, thank you! My apologies that it took a while to approve your comment. I was migrating the server to another location, again xD.
      So, to answer your question.

      Do you have the same question if you start it manually? Could you perhaps start it with the debug flag and provide some debug information? This might help to troubleshoot the problem.
      I haven’t seen this problem before, nor did I test it on Windows 8 or Internet Explorer 10. Could you tell me which settings you set in IE10? Could you also verify that you have the same problem with Firefox/Chrome?

      Thanks!

  2. Exotic Hadron says:

    Hi, Yorkim!
    Thank you for your response!

    It feels like the problem was with the installation procedure. I started configuring cntlm right after installing it, and I did NOT restart my PC after I had cntlm installed. I don’t know if this is it or not, but simply restarting the PC helped. Next time I started cntlm with the same options I was able to route my Internet Explorer via this local proxy and work with it upstreaming requests to our corporate parent proxy.

    By the way, do you know if it is possible to configure cntlm to route traffic directly to the default subnet gateway? I mostly want my connections to be proxified but I don’t want them to go via our corporate proxy. Is this possible?

    Thank you for your help!

  3. Madhuranga says:

    I had a problem with proxy some kind of error “407 Authentication fail”.
    Your post was very useful, thanks...
    This is working perfectly

  4. belun says:

    very helpful for people that need to use proxy with auth at work and the default proxy configurator is bugged or incomplete (mint). ty

  5. Cartola says:

    Hi,

    just to help others. I have had the error “Proxy returning invalid challenge!” and tried many things to solve it. I am using Ubuntu Linux 12.04 and trying to authenticate in an ISA server with NTLMv2 with the hash given by the “cntlm -M” command. The thing just worked when I forced the header in the configuration file with the option that already came with it, but was commented: “Header User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)”. After removing the comment character “#” it worked.

    Cheers, Cartola.

  6. milky says:

    hi
    I am trying to start cntlm on my RaspberryPi, but I have some problems with installing it: after the package is being configured and the system starts to start it, it says “Starting CNTLM Authentication Proxy: failed”… so I understand my Raspbian is not able to run it.. but no message why… any ideas?

    • Hi!

      I have not yet tried this before. Could you give some more details and log?

      Cheers

      • milky says:

        what I do is:

        1. sudo dpkg -G -i cntlm_0.92.3-1_armhf.deb
        Rasp answer:
        (reading database ..
        preparing for replacement of cntlm
        Stopping CNTLM Authentication Proxy: cntlm…
        Configuring cntlm (0.92.3-1)
        Starting CNTLM Authentication Proxy: failed!
        Precessing triger for package man-db

        The point is that I can’t find any logs – neither /var/log daemon.log nor messages has any lines connected with cntlm; the dpkg.log states “status installed cntlm:armhf 0.92.3-1” and “status installed man-db:armhf 2.6.2-1”

  7. milky says:

    hi… does anybody have any suggestion why that starting is failing? I would appreciate.. I try to reach the internet through different programs but there is always something..

