1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Author" content="Dmitry Rozmanov"><title>NTLM Authorization Proxy Server</title></head>
<body text="#000000" bgcolor="#ffffff" link="#0000ff" vlink="#800080" alink="#0000ff">
<center>
<h2>
NTLM Authorization Proxy Server
</h2>
</center>
<center>
<h6>
Last updated on 18 May 2002.<br>
2001-02 (C) Dmitry Rozmanov
</h6>
</center>
<hr>
[<a href="http://sourceforge.net/projects/ntlmaps/">Home</a>]
[<a href="http://ntlmaps.sourceforge.net/ntlm.html">NTLM info</a>]
<p>
<font size="-2">This file is taken from the
<a href="http://ntlmaps.sourceforge.net/">NTLMAPS Sourceforge
description page</a></font>
</p>
<hr>
<b>News:</b>
<hr>
<p>
18 May 2002. New version 0.9.8.
</p>
<hr>
<b>WHAT IS 'NTLM Authorization Proxy Server'?</b> <br>
<hr>
'NTLM Authorization Proxy Server' (APS) is a proxy software
that allows you to authenticate via an MS Proxy Server using
the proprietary NTLM protocol. Since version 0.9.5 APS has an
ability to behave as a standalone proxy server and
authenticate http clients at web servers using NTLM method.
It can change arbitrary values in your client's request
header so that those requests will look like they were
created by MS IE. It is written in <a href="http://www.python.org/">Python</a> v1.5.2 language.
<p>
Main features:
</p>
<ul>
<li>
supports NTLM authentication via parent proxy server
(Error 407 Proxy Authentication Required);
</li>
<li>
supports NTLM authentication at web servers (Error 401
Access Denied/Unauthorized);
</li>
<li>
supports translation of NTLM scheme to standard "Basic"
authentication scheme;
</li>
<li>
supports the HTTPS 'CONNECT' method for transparent
tunnelling through parent proxy server;
</li>
<li>
has ability to change arbitrary values in client's
request headers;
</li>
<li>
supports unlimited number of client connections;
</li>
<li>
supports connections from external hosts;
</li>
<li>
supports HTTP 1.1 persistent connections;
</li>
<li>
stores user's credentials in config file or requests
password from a console during the start time;
</li>
</ul>
<p>
View ReadMe <a href="http://ntlmaps.sourceforge.net/readme.txt">here</a>.
</p>
<p>
View CHANGELOG <a href="http://ntlmaps.sourceforge.net/changelog.txt">here</a>.
</p>
<hr>
The server had been written for <a href="http://www.gnu.org/software/wget/wget.html">wget</a> that
could not pass through MS Proxy set up in our LAN. But then
it turned out that even browsers can use it, so I spend some
time to get it more RFC friendly and now it looks like it
works with most software that can use http/https proxies.
<p>
Even distributed <a href="http://members.ud.com/vypc/cancer/">Intel-United Devices
Cancer Research Project</a> can be used with APS. Just use
HTTPS proxy in "proxy settings" of the United Devices'
software and point to your local NTLMAPS, like server -
"localhost" and port - "8080" or something that you set in
<i>server.cfg</i>.
</p>
<hr>
<b>Licensing and Pricing:</b>
<p>
'NTLM Authorization Proxy Server' is distributed under the
<a href="http://www.gnu.org/">GNU</a> <a href="http://www.gnu.org/copyleft/gpl.html">General Public
License</a> which is included in this archive (see file
COPYING).<br>
The above mean that 'NTLM Authorization Proxy Server' is
pretty much free. You have to pay nothing for it.
</p>
<hr>
<b>System requirements:</b>
<p>
Python language interpreter version 1.5.2 or higher. See <a href="http://www.python.org/">www.python.org</a>.
</p>
<hr>
<b>Old stable version:</b> <i>0.9.7</i>
<p>
Current experimental version: <i>0.9.8</i>
</p>
<p>
There is no binary files in the distribution. Thus you can
use the software on any system that has <a href="http://www.python.org/">Python</a>, with minimal
modifications.
</p>
<p>
NTLMAPS uses only statndard modules from <a href="http://www.python.org/">Python</a> distribution.
</p>
<hr>
<b>Download:</b>
<p>
I recommend you to take experimental version. It should be
stable enough.
</p>
<p>
<a href="http://sourceforge.net/project/showfiles.php?group_id=69259">
SourceForge Downloads Page</a> contains both .zip and .tar.gz formats
</p>
<hr>
<b>What's new in 0.9.8:</b><br>
<ul>
<li>
internal redesign
</li>
<li>
config file redesign
</li>
<li>
fixed bug during HTTPS CONNECT authentication.
</li>
<li>
fixed bug with UNICODE string conversion in NTLM msg3
creation code.
</li>
<li>
no need in proxy port when proxy is not used
</li>
<li>
fixed minor bug with an exception that was raised if
there was no http header in server's response.
</li>
<li>
MSN Messenger and clients alike work again. It had been
broken since APS 0.9.5
</li>
<li>
minor bug in header remake (Proxy Connection ->
Connection)
</li>
<li>
fixed bug when client sends its header slowly and clients
thread exits before doing anything useful. This was
broken since version 0.9.7
</li>
<li>
new optional value in config file NT_HOSTNAME (see
comment in server.cfg).
</li>
<li>
DOMAIN value in config is now NT_DOMAIN, to make it clear
what domain name has to be used.
</li>
<li>
implemented NTLM to BASIC translation.
</li>
</ul>
<hr>
<b>Known issues:</b><br>
<ul>
<li>
With NTLM to Basic translation you have only one try to
enter right credentials. If you fail then restart your
browser.
</li>
<li>
There is an issue with APS working as a standalone proxy.
It serves requests from an http-client one by one and
allows persistent connections, then it may receive
several requests in very short time to one thread, and
one of them may be to an almost dead banner site, then
all the requests made after that one will be waiting till
that "bad" connection will be closed due to timeout. So I
suggest switching off HTTP/1.1 presistent connections in
your browser when you are using APS for web (not proxy)
authentication and surfing banner rich evironment.
</li>
</ul>
<hr>
<b>To Do:</b><br>
<ul>
<li>
There are several requests to have a list of servers to
which APS will connect directly in proxy mode. This would
be useful for LAN behind MS Proxy and number of intranet
web servers with NTLM authorization.
</li>
</ul>
<hr>
<b>Troubleshooting:</b>
<p>
There are two options in <i>server.cfg</i> <b>DEBUG</b> and
<b>BIN_DEBUG</b>, if you have toubles with the server so
set these options to <b>DEBUG:1</b> and <b>BIN_DEBUG:1</b>
just before requesting a problem page (or resource). You
have to restart proxy server to reread <i>server.cfg</i>.
This will give you 3 log files per http request (per
connection to be exact), like <i>127.0.0.1-1048</i>,
<i>127.0.0.1-1048.bin.client</i> and
<i>127.0.0.1-1048.bin.rserver</i>. In the first one there
is an info on what APS did, two others contain raw traffic
from client and from proxy.
</p>
<p>
Pack them with zip or gzip and send them to me if you want
me to help you.
</p>
<hr>
<b>Useful Links:</b>
<ul>
<li>
<a href="http://www.innovation.ch/java/ntlm.html">NTLM
Authentication Scheme for HTTP</a> is the most valuable
information source on NTLM that allowed APS to be
created. The copy of this page is included in APS'
distribution archive.
</li>
<li>
<a href="http://cqs.dyndns.org/socks">Socks via HTTP</a>
is a program converting SOCKS requests into HTTP requests
and tunnelling them through HTTP proxies if needed. It
may be used with APS if you sit behind HTTP only MS
Proxy. It is writen in Java so it works on any system
that have Java.
</li>
</ul>
<hr>
<i>Dmitry Rozmanov / 18 May 2002 / <a href="mailto:dima@xenon.spb.ru">dima@xenon.spb.ru</a></i>
<hr>
</body></html>
|
