I am wondering, if we are using NTLM (Windows) authentication, how the server determines whether the user is already logged on or not. So when I access the site for the first time, the server tells me it wants to authenticate me via NTLM:
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Then the client and server exchange a few requests; actually the challenge/response phase happens here: the server generates and sends a challenge to the client, the client calculates a response based on it and sends it back, and then the server contacts the Domain Controller to verify it. Ok, we're done.
But once I am authenticated and go to any page, there are no authentication headers anymore. How does the server know that I'm already authenticated?
P.S. I thought IIS tied the client to a MAC or IP address, but indeed that's not true. NTLM works for a single browser. Also, no NTLM-specific cookies were found.
NTLM over plain HTTP is insecure. Attackers that passively sniff traffic or who perform a man-in-the-middle attack can use various methods to steal or abuse credentials.
NT LAN Manager (NTLM) authentication is a challenge-response scheme that is a more secure variation of Digest authentication. NTLM uses Windows credentials to transform the challenge data instead of the unencoded user name and password. NTLM authentication requires multiple exchanges between the client and server.
NTLM uses an encrypted challenge/response protocol to authenticate a user without sending the user's password over the wire. Instead, the system requesting authentication must perform a calculation that proves it has access to the secured NTLM credentials.
The relatively simplistic form of password hashing makes NTLM systems vulnerable to several modes of attack, including pass-the-hash and brute-force attacks. It also relies on outdated cryptography: NTLM does not leverage the latest advances in algorithmic thinking or encryption to make passwords more secure.
NTLM over HTTP uses HTTP persistent connections (HTTP keep-alive).
A single connection is created and then kept open for the rest of the session.
If the same authenticated connection is used, it is not necessary to send the authentication headers anymore.
This is also the reason why NTLM doesn't work with certain proxy servers that don't support keep-alive connections.
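The behaviour described in this answer, as an added example that is not part of the original post or answers: a toy HTTP server that, like IIS with NTLM, remembers the authenticated state per TCP connection rather than per request. It does not implement the real NTLM message formats; the three-leg Type 1 / Type 2 / Type 3 handshake is imitated with an HMAC over a server-issued nonce and a constructed shared secret standing in for the NT hash, so it runs offline. What it demonstrates is the point above: after the handshake, further requests on the same keep-alive connection carry no Authorization header and still get 200, while a fresh connection is challenged again.

```python
"""Connection-oriented (NTLM-style) HTTP auth, illustrated with a toy handshake.

Added example; the 'NTLM T1/T2/T3' tokens and the HMAC response are
stand-ins for the real NTLM messages, not an NTLM implementation.
"""
import base64
import hashlib
import hmac
import os
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

SECRET = b"constructed-password-equivalent"  # constructed; plays the role of the NT hash


def compute_response(challenge: bytes) -> str:
    """Client side: prove knowledge of SECRET without sending it (toy, not NTLMv2)."""
    return base64.b64encode(hmac.new(SECRET, challenge, hashlib.sha256).digest()).decode()


class ConnectionAuthHandler(BaseHTTPRequestHandler):
    # With HTTP/1.1, http.server keeps the connection open and reuses this handler
    # instance for every request on it, so instance attributes are per-connection
    # state, which is exactly what NTLM over HTTP relies on.
    protocol_version = "HTTP/1.1"

    def setup(self):
        super().setup()
        self.authenticated = False   # belongs to the TCP connection, not the request
        self.challenge = None

    def log_message(self, *args):    # silence request logging
        pass

    def _send(self, status, body=b"", extra_headers=()):
        self.send_response(status)
        for name, value in extra_headers:
            self.send_header(name, value)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.authenticated:       # later requests: no header needed on this connection
            return self._send(200, b"hello, authenticated connection")
        auth = self.headers.get("Authorization", "")
        if auth == "NTLM T1":        # leg 2: answer the negotiate message with a challenge
            self.challenge = os.urandom(8)
            token = base64.b64encode(self.challenge).decode()
            self._send(401, extra_headers=[("WWW-Authenticate", "NTLM T2 " + token)])
        elif auth.startswith("NTLM T3 ") and self.challenge is not None:  # leg 3: verify
            if hmac.compare_digest(auth[len("NTLM T3 "):], compute_response(self.challenge)):
                self.authenticated = True   # mark the CONNECTION as authenticated
                self._send(200, b"hello, authenticated connection")
            else:
                self._send(401, extra_headers=[("WWW-Authenticate", "NTLM")])
        else:                        # leg 1: anonymous request on an unauthenticated connection
            self._send(401, extra_headers=[("WWW-Authenticate", "NTLM")])


def start_server():
    server = ThreadingHTTPServer(("127.0.0.1", 0), ConnectionAuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def _get(conn, path="/", auth=None):
    conn.request("GET", path, headers={"Authorization": auth} if auth else {})
    r = conn.getresponse()
    r.read()                         # drain the body so http.client reuses the socket
    return r


def run_client(port):
    """Complete the handshake on one connection, reuse it, then open a second one."""
    conn = HTTPConnection("127.0.0.1", port)
    r1 = _get(conn)                                      # leg 1: anonymous -> 401
    r2 = _get(conn, auth="NTLM T1")                      # leg 2: negotiate -> challenge
    challenge = base64.b64decode(r2.getheader("WWW-Authenticate").split(" ", 2)[2])
    r3 = _get(conn, auth="NTLM T3 " + compute_response(challenge))  # leg 3 -> 200
    r4 = _get(conn, "/secret")                           # same connection, no header
    fresh = HTTPConnection("127.0.0.1", port)
    r5 = _get(fresh, "/secret")                          # new connection, no header
    fresh.close()
    conn.close()
    return {"leg1": (r1.status, r1.getheader("WWW-Authenticate")), "leg2": r2.status,
            "leg3": r3.status, "same_conn_no_header": r4.status,
            "new_conn_no_header": r5.status}


def demo():
    server, port = start_server()
    try:
        return run_client(port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(step, outcome)
```

Running `demo()` gives 401 / 401 / 200 for the three legs, 200 for the header-less request on the same connection and 401 for the header-less request on the new connection. That last pair is also why a proxy that opens a new upstream connection per request breaks NTLM: the server has no connection state to recognise.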