Currently, if I want to browse some website through Burp with NTLM authentication, I need to provide Burp with the credentials.
Since by design NTLM is prone to re(p)lay attacks, why can't Burp just replay the challenges and responses without needing the credentials?
If a proxy relays the exchange unchanged, then authentication does not work. The protocol includes the destination host, and having a proxy in the middle causes a mismatch.
However, you make a really good point. It would be possible to exploit the weak protocol, tamper with some messages and forward NTLM. This would be a cool feature – although it’s probably not a priority for us at the moment. However, if you wanted to submit an extension that did this, I think it would be well received.
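The "destination host" the reply refers to is the server-supplied target information (AV_PAIRs) that NTLMv2 folds into the client's response. The following is an added example, not code from this thread or from Burp: it computes an NTLMv2 response per MS-NLMP and shows the server-side check that makes a proxied response mismatch, namely verifying the proof and then checking that the bound MsvAvTargetName is this server's own SPN. The NT hash, challenges, timestamp, user, domain and SPN are constructed sample values.

```python
import hashlib, hmac, struct

# AV_PAIR ids from MS-NLMP 2.2.2.1 (only the ones this example uses)
MSV_AV_EOL, MSV_AV_NB_COMPUTER_NAME, MSV_AV_TARGET_NAME = 0, 1, 9

def encode_av_pairs(pairs):
    """Encode an AV_PAIR list: AvId, AvLen (little-endian uint16), UTF-16LE value, ending with MsvAvEOL."""
    out = b""
    for av_id, value in pairs:
        raw = value.encode("utf-16le")
        out += struct.pack("<HH", av_id, len(raw)) + raw
    return out + struct.pack("<HH", MSV_AV_EOL, 0)

def parse_av_pairs(blob):
    """Decode AV_PAIRs into {AvId: value} up to MsvAvEOL; anything after the terminator is ignored."""
    pairs, pos = {}, 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, pos); pos += 4
        if av_id == MSV_AV_EOL:
            return pairs
        pairs[av_id] = blob[pos:pos + av_len].decode("utf-16le")
        pos += av_len

def ntowf_v2(nt_hash, user, domain):
    """NTOWFv2: HMAC-MD5 over UPPER(user)+domain, keyed with the NT hash (MD4 of the UTF-16LE password)."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()

def ntlmv2_response(nt_hash, user, domain, server_challenge, client_challenge, timestamp, target_info):
    """NtChallengeResponse = NTProofStr || temp; temp carries the server's target info (MS-NLMP 3.3.2)."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    return nt_proof + temp

def verify(nt_hash, user, domain, server_challenge, response, expected_spn):
    """Server side: check the proof, then check that the target name bound into it is this server's SPN."""
    nt_proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    if not hmac.compare_digest(nt_proof, expected):
        return "bad_proof"
    # temp layout: RespType(1) HiRespType(1) Z(6) Time(8) ClientChallenge(8) Z(4), then the AV_PAIRs
    if parse_av_pairs(temp[28:]).get(MSV_AV_TARGET_NAME) != expected_spn:
        return "target_mismatch"
    return "ok"

# Constructed sample values (not real credentials): the NT hash, challenges and timestamp are arbitrary.
NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")
SERVER_CHALLENGE, CLIENT_CHALLENGE, TIMESTAMP = b"\x11" * 8, b"\x22" * 8, 132000000000000000
TARGET_INFO = encode_av_pairs([(MSV_AV_NB_COMPUTER_NAME, "WEB01"), (MSV_AV_TARGET_NAME, "HTTP/web01.example.test")])
```

A server that only verifies the HMAC and never compares the bound target name (or channel bindings) against its own identity would accept the same response for any host, so the mismatch the reply describes is a check the server has to make, not something the response enforces by itself.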