get username from NTLM auth header?

死守一世寂寞 2020-12-10 21:20

Is there any way to work out what a user's name is just by sniffing the NTLM header?

I have an app that accesses an NTLM auth'd site, and so an Auth prompt opens f

1 answer
  • 2020-12-10 22:01

    Sure, you can do this even with a simple JSP file... (this only works with NTLMv1, not v2, I'm still looking for that..)

    So the code for the JSP is (I've tried it on Apache Tomcat 6):

    <%@ page import="java.util.Base64" %>
    <%@ page import="java.nio.charset.Charset" %>
    <%@ page import="javax.servlet.http.HttpServletResponse" %>
    <%
    // Reads the names that the NTLM Type 3 (AUTHENTICATE) message carries in the clear.
    // Nothing is verified here: the LM/NTLM responses are ignored, so this identifies
    // the account the browser offers, it does not authenticate it.
    // java.util.Base64 (Java 8+) replaces the non-public sun.misc.BASE64* classes.
    String auth = request.getHeader("Authorization");

    // no auth header yet: ask the browser for NTLM
    if (auth == null) {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setHeader("WWW-Authenticate", "NTLM");
        return;
    }
    // check what the client sent
    if (!auth.startsWith("NTLM ")) {
        return;
    }
    byte[] msg = Base64.getDecoder().decode(auth.substring(5).trim());
    // message type is a little-endian int at offset 8: 1 = NEGOTIATE, 3 = AUTHENTICATE
    int type = msg[8] & 0xFF;

    if (type == 1) {
        // Minimal Type 2 (CHALLENGE) message: signature, type, empty target name,
        // flags 0x00008201 (Unicode | NTLM | Always Sign) and a fixed 8-byte challenge.
        byte z = 0;
        byte[] msg1 = {
            (byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S', (byte)'S', (byte)'P', z,
            (byte)2, z, z, z,                          // type 2
            z, z, z, z, (byte)40, z, z, z,             // target name: len 0, maxlen 0, offset 40
            (byte)1, (byte)130, z, z,                  // flags
            z, (byte)2, (byte)2, (byte)2, z, z, z, z,  // server challenge
            z, z, z, z, z, z, z, z };                  // context
        // send ntlm type2 msg
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setHeader("WWW-Authenticate",
            "NTLM " + Base64.getEncoder().encodeToString(msg1));
        return;
    }
    if (type != 3) {
        return;
    }

    // Type 3 layout: each name is a "security buffer" (len, maxlen, offset; little-endian):
    // domain at 28, user at 36, workstation at 44; negotiated flags at 60.
    // Java bytes are signed, so every byte is masked with 0xFF before arithmetic.
    int flags = msg.length >= 64 ? (msg[60] & 0xFF) | ((msg[61] & 0xFF) << 8) : 1;
    // the Type 2 above asks for Unicode, so names normally arrive as UTF-16LE
    Charset cs = Charset.forName((flags & 1) != 0 ? "UTF-16LE" : "ISO-8859-1");
    String[] names = new String[3];
    int[] bufs = {28, 36, 44};
    for (int i = 0; i < bufs.length; i++) {
        int off = bufs[i];
        int length = (msg[off + 1] & 0xFF) * 256 + (msg[off] & 0xFF);
        int offset = (msg[off + 3] & 0xFF) * 256 + (msg[off + 2] & 0xFF);
        if (offset + length > msg.length) {
            return; // malformed buffer, do not read outside the message
        }
        names[i] = new String(msg, offset, length, cs);
    }
    String domain = names[0];       // domain
    String user = names[1];         // user name
    String workstation = names[2];  // computer name
    out.println("Hello  <span style='position:relative; width:190;"
        + " height:10;filter:glow(Color=#009966,Strength=1)'>");
    out.println(user + "</SPAN>");
    %>
    
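The same Type 3 parsing from the defender's side, added here as an example and not part of the original answer: it decodes an `Authorization: NTLM <base64>` value (for instance one recorded by a proxy or web-server log) and returns the domain, user and workstation that NTLM transmits unencrypted, honouring the Unicode flag and avoiding the signed-byte arithmetic of the JSP. The `build_sample_type3` helper and the names it is called with are constructed test input, not a capture.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # names are UTF-16LE when set, else OEM (latin-1 here)
HEADER_LEN = 64                 # fixed part of a Type 3 message up to and including the flags


def _read_buffer(msg, pos):
    # An NTLM "security buffer" is length, max length (uint16) and offset (uint32), little-endian.
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer at %d points outside the message" % pos)
    return msg[offset:offset + length]


def parse_type3(header_value):
    """Return (domain, user, workstation) from an 'Authorization: NTLM <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(b64)
    if msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != 3:
        raise ValueError("not a Type 3 message (type=%d)" % msg_type)
    # Type 3 layout: LM response @12, NTLM response @20, domain @28, user @36,
    # workstation @44, session key @52, flags @60 (flags absent in some short messages).
    flags = struct.unpack_from("<I", msg, 60)[0] if len(msg) >= HEADER_LEN else NEGOTIATE_UNICODE
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    return tuple(_read_buffer(msg, pos).decode(enc) for pos in (28, 36, 44))


def build_sample_type3(domain, user, workstation, unicode=True):
    """Build a minimal Type 3 with empty LM/NTLM responses: constructed test input, not a capture."""
    enc = "utf-16-le" if unicode else "latin-1"
    fields = [b"", b""] + [s.encode(enc) for s in (domain, user, workstation)]
    buffers, payload = b"", b""
    for data in fields:  # every buffer points just past the fixed header
        buffers += struct.pack("<HHI", len(data), len(data), HEADER_LEN + len(payload))
        payload += data
    session_key = struct.pack("<HHI", 0, 0, HEADER_LEN + len(payload))
    flags = struct.pack("<I", NEGOTIATE_UNICODE if unicode else 0)
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", 3) + buffers + session_key + flags + payload
    return "NTLM " + base64.b64encode(msg).decode("ascii")


if __name__ == "__main__":
    print(parse_type3(build_sample_type3("CORP", "alice", "WS01")))
```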