NTLM authentication base


Paul J

Mar 31, 2017, 10:39:05 AM
to OWASP ZAP User Group

Hi all,


I have described the issue below.


I couldn't start a security scan on an NTLM authentication based web site on Windows Server.

<What steps will reproduce the problem?>
  0. Include in Context: \Qhttp://d-webapp1\E.*
  1. Configure Authentication property as follows:
    Authentication Method : HTTP/NTLM Authentication
    Add webserver URL (d-webapp1) to "Hostname", specify "80" to Port
    Realm: Empty here (also tried Domain, Domain\gjing)
    Regex pattern of Logged: \QGuanhua Jing\E
  2. Configure Users property as follows:
    UserName : jing
    Enabled : Yes
    Username : Domain\gjing (also tried gjing)
    Password : password
  3. Configure Forced User as follows:
    Specify : jing
  4. Configure Session management as follows:
    Session Management Method : Http Authentication Session Management
  5. Forced user mode enabled
  6. Start Spider Scan
  7. Code 401, Reason Unauthorized will appear

<What is the expected output? What do you see instead?>
Expected Result : code 200, reason OK
Actual Result : code 401, reason Unauthorized

<What version of the product are you using? On what operating system?>
OWASP ZAP Version 2.5.0, OS Windows 7 and Server: Microsoft-IIS/8.5
Language : en

<zap.log>

5574898 [pool-64-thread-1] DEBUG httpclient.wire.header - >> "GET /CRIM/part.aspx?id=3 HTTP/1.1[\r][\n]"
5574898 [pool-64-thread-1] DEBUG org.apache.commons.httpclient.HttpMethodBase - Adding Host request header
5574898 [pool-64-thread-1] DEBUG httpclient.wire.header - >> "User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0[\r][\n]"
5574898 [pool-64-thread-1] DEBUG httpclient.wire.header - >> "Pragma: no-cache[\r][\n]"
5574898 [pool-64-thread-1] DEBUG httpclient.wire.header - >> "Cache-Control: no-cache[\r][\n]"
5574898 [pool-64-thread-1] DEBUG httpclient.wire.header - >> "Content-Length: 0[\r][\n]"
5574898 [pool-64-thread-1] DEBUG httpclient.wire.header - >> "Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEgAAADUANQAYAAA
BIAEgA0AQAAGgAaAEYBAAAWABYAYAEAAAAAAAB2AQAABYKIogUBKAoAAAAPu61x1s8PzUZbGqD1PG8EPy5ZpqLLaCrXYC+tbnQj+yO5S5L4RzueugEBAAAA
AAA4JhXssOo0gFf+H2iTpCOqAAAAAACAA4ASQBDAEEATwBOAEUAVAABABIARAAtAFcARQBCAEEAUABQADEABAAeAGkAYwBhAG8AaABxAC4AaQBjAGEAbwAu
GwAYQBuAAMAMgBEAC0AVwBlAGIAQQBwAHAAMQAuAGkAYwBhAG8AaABxAC4AaQBjAGEAbwAuAGwAYQBuAAUAEABpAGMAYQBvAC4AbABhAG4ABwAIAL60aLLD
NIBAAAAAAAAAABEAC0AVwBFAEIAQQBQAFAAMQBJAEMAQQBPAE4ARQBUAFwAZwBqAGkAbgBnAFcAUwA3AC0AMQAxAFAAVABDAEgAMgA=[\r][\n]"
5574899 [pool-64-thread-1] DEBUG httpclient.wire.header - >> "Host: d-webapp1[\r][\n]"
5574899 [pool-64-thread-1] DEBUG httpclient.wire.header - >> "[\r][\n]"
5574901 [pool-64-thread-1] DEBUG httpclient.wire.header - << "HTTP/1.1 401 Unauthorized[\r][\n]"
5574901 [pool-64-thread-1] DEBUG httpclient.wire.header - << "Content-Type: text/html[\r][\n]"
5574901 [pool-64-thread-1] DEBUG httpclient.wire.header - << "Server: Microsoft-IIS/8.5[\r][\n]"
5574901 [pool-64-thread-1] DEBUG httpclient.wire.header - << "WWW-Authenticate: NTLM[\r][\n]"
5574902 [pool-64-thread-1] DEBUG httpclient.wire.header - << "WWW-Authenticate: Negotiate[\r][\n]"
5574902 [pool-64-thread-1] DEBUG httpclient.wire.header - << "X-Powered-By: ASP.NET[\r][\n]"
5574902 [pool-64-thread-1] DEBUG httpclient.wire.header - << "Date: Wed, 29 Mar 2017 19:36:00 GMT[\r][\n]"
5574902 [pool-64-thread-1] DEBUG httpclient.wire.header - << "Content-Length: 1293[\r][\n]"
5574902 [pool-64-thread-1] DEBUG httpclient.wire.header - << "[\r][\n]"
5574902 [pool-64-thread-1] DEBUG org.apache.commons.httpclient.HttpMethodDirector - Authorization required
5574902 [pool-64-thread-1] DEBUG org.apache.commons.httpclient.auth.AuthChallengeProcessor - Using authentication scheme: ntlm
5574902 [pool-64-thread-1] DEBUG org.apache.commons.httpclient.auth.AuthChallengeProcessor - Authorization challenge processed
5574902 [pool-64-thread-1] DEBUG org.apache.commons.httpclient.HttpMethodDirector - Authentication scope: NTLM @d-webapp1:80
5574903 [pool-64-thread-1] DEBUG org.apache.commons.httpclient.HttpMethodDirector - Credentials required
5574903 [pool-64-thread-1] DEBUG org.apache.commons.httpclient.HttpMethodDirector - Credentials provider not available

5574903 [pool-64-thread-1] INFO org.apache.commons.httpclient.HttpMethodDirector - Failure authenticating with NTLM @d-webapp1:80
5574903 [pool-64-thread-1] DEBUG org.apache.commons.httpclient.HttpMethodBase - Buffering response body
5574903 [pool-64-thread-1] DEBUG org.apache.commons.httpclient.HttpMethodBase - Resorting to protocol version default close connection policy
5574903 [pool-64-thread-1] DEBUG org.apache.commons.httpclient.HttpMethodBase - Should NOT close connection, using HTTP/1.1
5574903 [pool-64-thread-1] DEBUG org.apache.commons.httpclient.HttpConnection - Releasing connection back to connection manager.
5574904 [pool-64-thread-1] DEBUG org.apache.commons.httpclient.MultiThreadedHttpConnectionManager - Freeing connection, hostConfig=HostConfiguration[host=http://d-webapp1]
5574904 [pool-64-thread-1] DEBUG org.apache.commons.httpclient.util.IdleConnectionHandler - Adding connection at: 1490
16161184
5574904 [pool-64-thread-1] DEBUG org.apache.commons.httpclient.MultiThreadedHttpConnectionManager - Notifying no-one, there are no waiting threads
5574904 [pool-64-thread-1] INFO org.zaproxy.zap.spider.Spider - Spidering process is complete. Shutting down...
5574905 [Thread-1545] INFO org.zaproxy.zap.extension.spider.SpiderThread - Spider scanning complete: true
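
A diagnostic helper for the situation in this post, added here as an example and not part of the original message or of ZAP: it decodes an NTLM header value and, for a Type 3 (AUTHENTICATE) message, returns the domain, user name and workstation the client actually sent, so they can be compared with what was entered under Users. The function names and the sample identity (EXAMPLE, alice, WS01) are constructed for illustration; field offsets follow the MS-NLMP message layout.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
MSG_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def _field(msg, pos, is_unicode):
    """Read one security buffer (len, maxlen, offset) and decode its payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    raw = msg[offset:offset + length]
    return raw.decode("utf-16-le" if is_unicode else "ascii", errors="replace")

def parse_ntlm_header(value):
    """Parse the value of an Authorization or WWW-Authenticate NTLM header."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM header carrying a token")
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 12 or msg[:8] != NTLMSSP_SIG:
        raise ValueError("missing NTLMSSP signature")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    info = {"type": mtype, "name": MSG_NAMES.get(mtype, "UNKNOWN")}
    if mtype == 3:
        if len(msg) < 64:
            raise ValueError("truncated AUTHENTICATE message")
        (flags,) = struct.unpack_from("<I", msg, 60)
        is_unicode = bool(flags & 0x1)  # NTLMSSP_NEGOTIATE_UNICODE
        info["domain"] = _field(msg, 28, is_unicode)
        info["user"] = _field(msg, 36, is_unicode)
        info["workstation"] = _field(msg, 44, is_unicode)
    return info

def build_sample_type3(domain, user, workstation):
    """Constructed sample: Type 3 message with empty LM/NT responses."""
    names = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    offset = 64  # fixed header: sig(8) + type(4) + 6 buffers(48) + flags(4)
    fields = struct.pack("<HHI", 0, 0, offset) * 2  # LM and NT responses
    for n in names:
        fields += struct.pack("<HHI", len(n), len(n), offset)
        offset += len(n)
    fields += struct.pack("<HHI", 0, 0, offset)  # session key (empty)
    msg = NTLMSSP_SIG + struct.pack("<I", 3) + fields + struct.pack("<I", 0x1)
    return "NTLM " + base64.b64encode(msg + b"".join(names)).decode("ascii")

if __name__ == "__main__":
    print(parse_ntlm_header(build_sample_type3("EXAMPLE", "alice", "WS01")))
```

A bare `NTLM` value with no token, as in the `WWW-Authenticate` response header, raises `ValueError` because there is no message to decode.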
