 

NTLM authentication over HTTP

I am wondering, if we are using NTLM (Windows) authentication, how the server determines whether the user is already logged on or not. So when I access the site for the first time, the server tells me it wants to authenticate me via NTLM:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

Then client and server exchange a few requests; actually the challenge/response phase happens here: the server generates and sends a challenge to the client, the client calculates a response based on it and sends it back, and then the server contacts the Domain Controller to verify it. OK, we're done.

But when I am authenticated and go to any page, there are no authentication headers anymore. How does the server know that I'm already authenticated?

P.S. I thought IIS tied the client to its MAC or IP, but indeed that's not true. NTLM works for a single browser. Also, no NTLM-specific cookies were found.

seeker asked Oct 06 '16 09:10


People also ask

Is NTLM over HTTP secure?

NTLM over plain HTTP is insecure. An attacker who passively sniffs the traffic can capture the challenge/response pair and crack it offline, and an attacker in a man-in-the-middle position can relay the authentication exchange to another server. Running it over TLS, and on the server side enabling channel binding (Extended Protection for Authentication), is what closes those gaps.

What is HTTP NTLM authentication?

NT LAN Manager (NTLM) authentication is a challenge-response scheme carried in the HTTP WWW-Authenticate and Authorization headers. Instead of sending the user name and password, the client proves possession of the user's NT hash by computing a response over a challenge issued by the server. Authentication requires multiple exchanges between client and server: a negotiate message, a challenge message and an authenticate message.

What authentication method does NTLM use?

NTLM uses a keyed challenge/response computation (HMAC-MD5 in NTLMv2, DES in NTLMv1), not encryption, to authenticate a user without sending the password over the wire. The client must perform a calculation that proves it holds the NT hash of the password; the server, or the Domain Controller on its behalf, repeats the calculation and compares.

What is the weakness of the NTLM authentication protocol?

The NT hash is an unsalted MD4 digest of the password, and that hash is itself the credential: anyone who obtains it can authenticate without knowing the password (pass-the-hash), captured challenge/response pairs can be brute-forced offline, and because the response is not bound to the target server by default, it can be relayed to another service. NTLM relies on MD4, MD5 and (in v1) DES, none of which meet current cryptographic standards.


1 Answer

NTLM over HTTP uses HTTP persistent connections, or HTTP keep-alive.

A single connection is created and then kept open for the rest of the session.

When using the same authenticated connection, it is not necessary to send the authentication headers anymore.

This is also the reason why NTLM doesn't work with certain proxy servers that don't support keep-alive connections.

Peter Hahndorf answered Oct 12 '22 23:10
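The three-message exchange the question describes and the connection-bound state the answer describes, simulated in one process, as an added example that is not part of the original question or answer and not IIS code. The server keeps its authentication state keyed by TCP connection rather than by cookie, MAC or IP, so a fourth request on the same connection carries no header and still gets 200, while a request on a fresh connection is challenged again. The NTLMv2 response computation (NTOWFv2 and NTProofStr as HMAC-MD5) follows MS-NLMP; the account table, the fixed 16-byte "NT hash" (in real NTLM it is MD4 of the UTF-16LE password, computed by the client and held by the DC) and the in-process `conn_id` standing in for a socket are assumptions made so the example runs offline without an MD4 implementation or a Domain Controller.

```python
"""NTLM-over-HTTP handshake with per-connection auth state (constructed example)."""
import base64
import hashlib
import hmac
import os
import struct

NTLMSSP = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3
FLAGS = 0x00088207  # NTLMv2-capable flag set used by both sides; value is illustrative

# Constructed account table. The 16-byte value plays the role of the NT hash that
# the DC would hold; it is a fixed constant here, not MD4 of a real password.
ACCOUNTS = {("CORP", "alice"): bytes.fromhex("31d6cfe0d16ae931b73c59d7e0c089c0")}


def _field(offset, data):  # MS-NLMP field descriptor: Len, MaxLen, BufferOffset
    return struct.pack("<HHI", len(data), len(data), offset)


def _read_field(msg, pos):
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]


def ntowf_v2(nt_hash, user, domain):
    """NTLMv2 key: HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain))."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def build_negotiate():  # Type 1
    return NTLMSSP + struct.pack("<II", NEGOTIATE, FLAGS)


def build_challenge(server_challenge):  # Type 2: 48-byte header, empty TargetName/TargetInfo
    return (NTLMSSP + struct.pack("<I", CHALLENGE) + _field(48, b"") + struct.pack("<I", FLAGS)
            + server_challenge + b"\x00" * 8 + _field(48, b""))


def build_authenticate(type2, user, domain, nt_hash, client_nonce):  # Type 3
    server_challenge = type2[24:32]
    blob = b"\x01\x01" + b"\x00" * 14 + client_nonce + b"\x00" * 4  # minimal NTLMv2 client blob
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    items = (b"", proof + blob, domain.encode("utf-16le"), user.encode("utf-16le"), b"", b"")
    fields, payload, off = b"", b"", 64  # LM, NT, Domain, User, Workstation, SessionKey
    for item in items:
        fields += _field(off, item)
        payload += item
        off += len(item)
    return NTLMSSP + struct.pack("<I", AUTHENTICATE) + fields + struct.pack("<I", FLAGS) + payload


class NtlmHttpServer:
    """Authentication is a property of the connection, which is why keep-alive matters."""

    def __init__(self):
        self.conns = {}  # conn_id -> {"challenge": bytes | None, "user": str | None}

    def handle(self, conn_id, headers):
        state = self.conns.setdefault(conn_id, {"challenge": None, "user": None})
        if state["user"]:  # already authenticated on this connection: no header needed
            return 200, {}, "hello " + state["user"]
        auth = headers.get("Authorization", "")
        if not auth.startswith("NTLM "):
            return 401, {"WWW-Authenticate": ["Negotiate", "NTLM"]}, ""
        msg = base64.b64decode(auth[5:])
        if msg[:8] != NTLMSSP:
            return 400, {}, "bad NTLM message"
        mtype = struct.unpack_from("<I", msg, 8)[0]
        if mtype == NEGOTIATE:
            state["challenge"] = os.urandom(8)
            t2 = base64.b64encode(build_challenge(state["challenge"])).decode()
            return 401, {"WWW-Authenticate": ["NTLM " + t2]}, ""
        # A Type 3 arriving on a connection that never saw the Type 2 (e.g. a proxy that
        # pooled a different upstream socket) has no challenge to verify against and fails.
        if mtype == AUTHENTICATE and state["challenge"]:
            ok, user = self._verify(state.pop("challenge"), msg)
            if ok:
                state["user"] = user
                return 200, {}, "hello " + user
        return 401, {"WWW-Authenticate": ["Negotiate", "NTLM"]}, ""

    def _verify(self, server_challenge, msg):
        """What the DC does for the server: recompute NTProofStr and compare."""
        nt_resp = _read_field(msg, 20)
        domain = _read_field(msg, 28).decode("utf-16le")
        user = _read_field(msg, 36).decode("utf-16le")
        nt_hash = ACCOUNTS.get((domain, user))
        if nt_hash is None or len(nt_resp) < 16:
            return False, None
        proof, blob = nt_resp[:16], nt_resp[16:]
        expected = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
        return hmac.compare_digest(proof, expected), user


def client_session(server, conn_id, user, domain, nt_hash):
    """Handshake on one connection, then a header-less follow-up; returns the status codes."""
    statuses = []
    status, hdrs, _ = server.handle(conn_id, {})  # 401: Negotiate and NTLM offered
    statuses.append(status)
    t1 = "NTLM " + base64.b64encode(build_negotiate()).decode()
    status, hdrs, _ = server.handle(conn_id, {"Authorization": t1})  # 401 with Type 2
    statuses.append(status)
    t2 = base64.b64decode(hdrs["WWW-Authenticate"][0][5:])
    t3 = build_authenticate(t2, user, domain, nt_hash, os.urandom(8))
    status, _, _ = server.handle(conn_id, {"Authorization": "NTLM " + base64.b64encode(t3).decode()})
    statuses.append(status)  # 200 if the proof checks out
    status, _, _ = server.handle(conn_id, {})  # same connection, no Authorization header
    statuses.append(status)
    return statuses
```

Run `client_session(NtlmHttpServer(), "conn-A", "alice", "CORP", ACCOUNTS[("CORP", "alice")])` and the status sequence is 401, 401, 200, 200; calling `handle("conn-B", {})` on the same server afterwards returns 401 again because nothing ties the new connection to the authenticated one. That is the behaviour the question observed (no headers, no cookies, yet still logged in) and the reason a proxy that does not preserve the client-to-server connection breaks the scheme.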