
NTLM Replay

JoYo Jul 23, 2018 03:22PM UTC

Currently if I want to browse some website through Burp with an NTLM authentication I need to provide to Burp the credentials.
Since by design NTLM is prone to re(p)lay attack, why can't Burp just replay the challenges and responses without needing the credentials?

Thank you

Joel


Paul Johnston Jul 24, 2018 07:44AM UTC Support Center agent

Hi Joel,

If a proxy relays the exchange unchanged then authentication does not work. The protocol includes the destination host and having a proxy in the middle causes a mismatch.

However, you make a really good point. It would be possible to exploit the weak protocol, tamper with some messages and forward NTLM. This would be a cool feature – although it’s probably not a priority for us at the moment. However, if you wanted to submit an extension that did this, I think it would be well received.

