HTTP NTLM Authentication
Ne0nd0g opened this issue · 3 comments
Prerequisite
Environment Data
- Merlin Agent Version: 2.3.0
- Merlin Agent Build: nonRelease
- Operating System: Windows
Actual Behavior
HTTP endpoint returns a 401 Unauthorized or 403 Forbidden status.
Expected Behavior
Expected Merlin to identify HTTP authentication scheme and successfully authenticate.
Steps to Reproduce Behavior
Connect through a proxy that requires NTLM authentication or an HTTP endpoint that requires it.
I noticed sliver uses a custom version of https://github.com/rapid7/go-get-proxied, which seems to support detection of system proxy settings on Windows, MacOS, and Linux.
Hope that helps
Also,
NTLM/Kerberos Proxy Authentication
You can use [advanced options](https://sliver.sh/docs?name=C2-Advanced-Options) to enable the use of the wininet HTTP library, which supports NTLM/Kerberos authentication (Windows only). Using this library tends to be a little less stable (we have to convert Go calls to native DLL calls) and is generally more susceptible to introspection by security products as these functions are well-known and easy to hook. However, if you need NTLM/Kerberos authentication you don't have much of a choice.
I created this winhttp package and I am currently testing it out in the https://github.com/Ne0nd0g/merlin-agent/tree/http-ntlm-auth branch. Set the following command line argument to use the winhttp library: `-http-client winhttp`. This will use `WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY` with the winhttp!WinHttpOpen call that:
Uses system and per-user proxy settings (including the Internet Explorer proxy configuration) to determine which proxy/proxies to use. Automatically attempts to handle failover between multiple proxies, different proxy configurations per interface, and authentication. Supported in Windows 8.1 and newer.
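For reading the 401 responses described in the issue, the following added Go example (not code from Merlin, Sliver or any commenter) lists the schemes a server offers in its WWW-Authenticate headers and decodes the target name and flags from an NTLM type 2 challenge token. The function names and the sample token (target "CORP") are constructed for illustration; the parser assumes one challenge per header line and a Unicode target name.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"net/http"
	"strings"
	"unicode/utf16"
)

// OfferedSchemes returns the scheme named on each WWW-Authenticate header line.
func OfferedSchemes(h http.Header) (out []string) {
	for _, v := range h.Values("WWW-Authenticate") {
		if f := strings.Fields(v); len(f) > 0 {
			out = append(out, f[0])
		}
	}
	return out
}

// ParseChallenge decodes the base64 token that follows "NTLM " in a type 2 challenge.
func ParseChallenge(token string) (target string, flags uint32, err error) {
	b, err := base64.StdEncoding.DecodeString(token)
	if err != nil || len(b) < 32 || string(b[:8]) != "NTLMSSP\x00" || binary.LittleEndian.Uint32(b[8:]) != 2 {
		return "", 0, fmt.Errorf("not an NTLM type 2 message")
	}
	flags = binary.LittleEndian.Uint32(b[20:]) // NegotiateFlags
	n, off := int(binary.LittleEndian.Uint16(b[12:])), int(binary.LittleEndian.Uint32(b[16:]))
	if off > len(b) || n > len(b)-off || flags&1 == 0 { // bit 0 = NEGOTIATE_UNICODE
		return "", 0, fmt.Errorf("target name out of bounds or not Unicode")
	}
	u := make([]uint16, n/2)
	for i := range u {
		u[i] = binary.LittleEndian.Uint16(b[off+2*i:])
	}
	return string(utf16.Decode(u)), flags, nil
}

// SampleToken builds a constructed, minimal type 2 message: target "CORP", flags 0x201.
func SampleToken() string {
	b := append([]byte("NTLMSSP\x00"), 2, 0, 0, 0, 8, 0, 8, 0, 32, 0, 0, 0, 1, 2, 0, 0)
	b = append(b, make([]byte, 8)...) // server challenge, zeroed in this sample
	return base64.StdEncoding.EncodeToString(append(b, 'C', 0, 'O', 0, 'R', 0, 'P', 0))
}

func main() {
	fmt.Println(OfferedSchemes(http.Header{"Www-Authenticate": {"Negotiate", "NTLM " + SampleToken()}}))
	fmt.Println(ParseChallenge(SampleToken()))
}
```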