NAME
Authen::NTLM::HTTP - Perl extension for NTLM-over-HTTP related computations
Background
NTLM-over-HTTP Handshake
Stage 1: Client requests a web page.

    1: C --> S GET ...

Stage 2: Server responds, telling the client that it must authenticate using NTLM.

    2: C <-- S 401 Unauthorized
               WWW-Authenticate: NTLM

Stage 3: Client responds with the NTLM negotiate message, which carries the identity and the domain of the client.

    3: C --> S GET ...
               Authorization: NTLM <base64-encoded type-1-message>

Stage 4: Server challenges the client with an 8-byte random number (the nonce) carried in the NTLM challenge message.

    4: C <-- S 401 Unauthorized
               WWW-Authenticate: NTLM <base64-encoded type-2-message>

Stage 5: Client responds with a reply in which the 8-byte random number is encrypted with a key derived from its password.

    5: C --> S GET ...
               Authorization: NTLM <base64-encoded type-3-message>

Stage 6: Authentication succeeds, and the server replies with the web page.

    6: C <-- S 200 Ok
SYNOPSIS
    use Authen::NTLM qw(nt_hash lm_hash);
    use Authen::NTLM::HTTP;

    $my_pass = "mypassword";

    # Note: to instantiate a client talking to a proxy, do
    # $client = Authen::NTLM::HTTP->new_client(lm_hash($my_pass), nt_hash($my_pass),
    #                                          Authen::NTLM::HTTP::NTLMSSP_HTTP_PROXY);
    $client = Authen::NTLM::HTTP->new_client(lm_hash($my_pass), nt_hash($my_pass));

    # Stage 3 scenario: create the NTLM negotiate message, then append
    # $negotiate_msg to the header of your HTTP request.
    $flags = Authen::NTLM::NTLMSSP_NEGOTIATE_ALWAYS_SIGN
           | Authen::NTLM::NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
           | Authen::NTLM::NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
           | Authen::NTLM::NTLMSSP_NEGOTIATE_NTLM
           | Authen::NTLM::NTLMSSP_NEGOTIATE_UNICODE
           | Authen::NTLM::NTLMSSP_NEGOTIATE_OEM;
    $negotiate_msg = $client->http_negotiate($flags);

    # Stage 4 scenario: extract the line containing "Authorization: NTLM "
    # from the HTTP header, parse the NTLM negotiate message, then generate
    # the NTLM challenge message.
    # Note: to instantiate a proxy, do
    # $server = Authen::NTLM::HTTP->new_server(Authen::NTLM::HTTP::NTLMSSP_HTTP_PROXY);
    $server = Authen::NTLM::HTTP->new_server;
    ($flags, $domain, $machine) = $server->http_parse_negotiate($negotiate_msg);
    $flags = Authen::NTLM::NTLMSSP_NEGOTIATE_ALWAYS_SIGN
           | Authen::NTLM::NTLMSSP_NEGOTIATE_NTLM
           | Authen::NTLM::NTLMSSP_NEGOTIATE_UNICODE;
    $challenge_msg = $server->http_challenge($flags);

    # Stage 5 scenario: the client receives the NTLM challenge message.
    # Extract the line containing "WWW-Authenticate: NTLM ", pass it to
    # http_parse_challenge to obtain the nonce, then compose the reply
    # with http_auth.
    ($domain, $flags, $nonce, $ctx_upper, $ctx_lower)
        = $client->http_parse_challenge($challenge_msg);
    $flags = Authen::NTLM::NTLMSSP_NEGOTIATE_ALWAYS_SIGN
           | Authen::NTLM::NTLMSSP_NEGOTIATE_NTLM
           | Authen::NTLM::NTLMSSP_NEGOTIATE_UNICODE
           | Authen::NTLM::NTLMSSP_REQUEST_TARGET;
    $auth_msg = $client->http_auth($nonce, $flags);

    # Stage 6 scenario: finally the server parses the reply and verifies
    # the authentication credentials.
    ($flags, $lm_resp, $nt_resp, $user_domain, $username, $machine)
        = $server->http_parse_auth($auth_msg);
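Driving the six handshake stages above from the client side with LWP::UserAgent, as an added example rather than code from the module's own documentation. It assumes the synopsis' two-argument constructor, that http_negotiate and http_auth return a complete header line of the form "Authorization: NTLM <base64>", and a placeholder URL and password.

```perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;
use Authen::NTLM qw(nt_hash lm_hash);
use Authen::NTLM::HTTP;

# Placeholder target and password (constructed for this example).
my ($url, $pass) = ('http://intranet.example/report', 'mypassword');

# NTLM authenticates the TCP connection rather than each request, so the
# three requests below must travel over one kept-alive connection.
my $ua = LWP::UserAgent->new(keep_alive => 1);
my $client = Authen::NTLM::HTTP->new_client(lm_hash($pass), nt_hash($pass));

# Assumption: http_negotiate/http_auth return a whole header line,
# "Authorization: NTLM <base64>"; split it into (name, value) for HTTP::Request.
sub header_from_line { return split /:\s*/, $_[0], 2 }

# Stages 1-2: anonymous request; the server must answer 401 and offer NTLM.
my $res = $ua->request(HTTP::Request->new(GET => $url));
die "server did not offer NTLM: " . $res->status_line
    unless $res->code == 401 and grep { /^NTLM\b/ } $res->header('WWW-Authenticate');

# Stage 3: send the type-1 (negotiate) message.
my $flags = Authen::NTLM::NTLMSSP_NEGOTIATE_ALWAYS_SIGN
          | Authen::NTLM::NTLMSSP_NEGOTIATE_NTLM
          | Authen::NTLM::NTLMSSP_NEGOTIATE_UNICODE
          | Authen::NTLM::NTLMSSP_NEGOTIATE_OEM;
my $req = HTTP::Request->new(GET => $url);
$req->header(header_from_line($client->http_negotiate($flags)));
$res = $ua->request($req);

# Stage 4: the second 401 carries the type-2 (challenge) message with the nonce.
my ($chal) = grep { /^NTLM\s+\S/ } $res->header('WWW-Authenticate');
die "no NTLM challenge received" unless $res->code == 401 and $chal;
my ($domain, $sflags, $nonce) = $client->http_parse_challenge("WWW-Authenticate: $chal");

# Stage 5: answer with the type-3 message derived from the nonce and the hashes.
$flags = Authen::NTLM::NTLMSSP_NEGOTIATE_ALWAYS_SIGN
       | Authen::NTLM::NTLMSSP_NEGOTIATE_NTLM
       | Authen::NTLM::NTLMSSP_NEGOTIATE_UNICODE
       | Authen::NTLM::NTLMSSP_REQUEST_TARGET;
$req = HTTP::Request->new(GET => $url);
$req->header(header_from_line($client->http_auth($nonce, $flags)));
$res = $ua->request($req);

# Stage 6: 200 means the server verified the response against the nonce.
print $res->code == 200 ? "authenticated\n" : "rejected: " . $res->status_line . "\n";
```

If the module version in use needs the user and domain passed to new_client rather than picking them up itself, add them after the two hashes; that form is not shown on this page.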
SEE ALSO
Authen::NTLM(3), MIME::Base64(3), perl(1), m4(1).
AUTHOR
This implementation was written by Yee Man Chan (ymc@yahoo.com). Copyright (c) 2002 Yee Man Chan. Some rights reserved.
LICENSE
This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.