This is a question about how to use express-ntlm to get the Windows user name without authentication using Node.js.

I am trying to find a way to grab the visitor's Windows user name without going through real NTLM authentication; I just want to extract the user name from the browser HTTP response using express-ntlm.

My understanding about the process is:

  1. The browser sends a request to Node.js without an Authorization header.
  2. express-ntlm replies with a 401.
  3. The browser sends a request to Node.js with an Authorization header.
  4. express-ntlm replies with a 401 containing a challenge.
  5. The browser shall send a reply containing the user name information.

I am stuck at step 4) above. I just installed Fiddler to log the communication trace of the page load.

1st handshake:

GET http://localhost:3000/search HTTP/1.1
Host: localhost:3000
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4
If-None-Match: "1085683586"

==== response ====
HTTP/1.1 401 Unauthorized
X-Powered-By: Express
WWW-Authenticate: NTLM
Date: Wed, 04 Mar 2015 01:48:10 GMT
Connection: keep-alive
Proxy-Support: Session-Based-Authentication
Content-Length: 0

2nd handshake:

GET http://localhost:3000/search HTTP/1.1
Host: localhost:3000
Connection: keep-alive
Cache-Control: max-age=0
Authorization: NTLM TlRMTVNTUAABAAAAB7IIogQABAA0AAAADAAMACgAAAAGAbEdAAAAD1hBUEVOR0xJQU4zMFhMTlg=
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4
If-None-Match: "1085683586"

==== response ====
HTTP/1.1 401 Unauthorized
X-Powered-By: Express
WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAAAAoAAABggAAASNFZ4mrze8AAAAAAAAAAA==
Date: Wed, 04 Mar 2015 01:48:10 GMT
Connection: keep-alive
Proxy-Support: Session-Based-Authentication
Content-Length: 0

Is there anything I need to pay attention to in the Fiddler trace?

I am using Win7 + Chrome (I also tried IE and Firefox, but with no luck).

Thanks.

    Can you extract the HTTP headers in a text format? Your description of the NTLM handshake is correct, but it's hard to see the actual problem in the screenshot. Note that you need to add your site in the list of trusted destinations to allow NTLM (for most browsers). – RomanK Mar 03 '15 at 06:57
  • Oops, my apology, the screenshot is too blurry to see. I will put down the text instead. Thanks. – sqr Mar 04 '15 at 01:37
  • I put "localhost" and "*.domainName.com" in the "Local intranet" list. Is this correct? – sqr Mar 04 '15 at 02:06
  • For the custom level of "Local Intranet", I selected "automatic logon with current user name and password". – sqr Mar 04 '15 at 02:10
  • Anyone using fiddler? – sqr Mar 09 '15 at 06:18
  • Sorry, did not get notified on your previous responses. From the capture, it seems like the browser initiates NTLM, so you've set up Local Intranet correctly. Yes, a Fiddler or a client-side PCAP is a good next step. – RomanK Mar 09 '15 at 06:49
  • Hi RomanK, what could be the possible cause for NTLM to malfunction? Network policy or Chrome related? Thanks – sqr Mar 09 '15 at 06:52
  • It might be something about the NTLM Type 2 challenge message that your server sends; if the browser starts the handshake and sends Type 1, it's unlikely to be unique to Chrome. Maybe it's not logged in to the domain, or it might be that some of the handshake parameters are incompatible. With a pcap capture, Wireshark would decode the NTLM parameters, and that should take us further. – RomanK Mar 09 '15 at 06:54
  • What's your policy set to? (See http://superuser.com/questions/483958/windows-8-security-policy-lan-manager-authentication-level) – Fabio Poloni Mar 18 '15 at 14:20

1 Answer

It is a good thing you use Fiddler to follow the NTLM challenge/response flow. On the Inspectors tab there is an Auth section with extensive information. You will find the username there in the NTLM Type 3 request when it is sent by the client. It is encoded, but Fiddler will decode it for you.
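As an added example (not code from the question, the answer, or express-ntlm), the following Python parser decodes the `NTLM <base64>` tokens of all three message types, so the Type 3 user name the answer mentions can be read without Fiddler. It is run on the Type 2 challenge captured in the second 401 response above and on a constructed Type 3 message whose domain, user and workstation values (CORP, jdoe, WS01) are made up.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, OEM (8-bit) otherwise

def _field(msg, off, flags=0):
    """Read the NTLM security buffer (len, maxlen, offset) at `off` and decode its string."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
    raw = msg[start:start + length]
    return raw.decode("utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1")

def parse_ntlm_header(value):
    """Decode an 'NTLM <base64>' header value into the fields a proxy or log would show."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM token")
    msg = base64.b64decode(token)
    if msg[:8] != SIGNATURE:
        raise ValueError("bad NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 1:  # NEGOTIATE: flags plus OEM-encoded domain and workstation hints
        return {"type": 1, "flags": struct.unpack_from("<I", msg, 12)[0],
                "domain": _field(msg, 16), "workstation": _field(msg, 24)}
    if mtype == 2:  # CHALLENGE: the server nonce the client must hash its secret against
        flags = struct.unpack_from("<I", msg, 20)[0]
        return {"type": 2, "flags": flags, "target": _field(msg, 12, flags),
                "challenge": msg[24:32].hex()}
    if mtype == 3:  # AUTHENTICATE: domain, user and workstation travel unencrypted
        flags = struct.unpack_from("<I", msg, 60)[0] if len(msg) >= 64 else NEGOTIATE_UNICODE
        return {"type": 3, "flags": flags, "domain": _field(msg, 28, flags),
                "user": _field(msg, 36, flags), "workstation": _field(msg, 44, flags)}
    raise ValueError(f"unknown NTLM message type {mtype}")

def build_type3(domain, user, workstation, flags=0x00008201):
    """Build a Type 3 with empty LM/NT responses: constructed sample data, not a real logon."""
    fields = [b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
              workstation.encode("utf-16-le"), b""]  # LM, NT, domain, user, host, session key
    bufs, payload, off = b"", b"", 64  # variable data starts after the 64-byte fixed part
    for f in fields:
        bufs += struct.pack("<HHI", len(f), len(f), off)
        payload, off = payload + f, off + len(f)
    body = SIGNATURE + struct.pack("<I", 3) + bufs + struct.pack("<I", flags) + payload
    return "NTLM " + base64.b64encode(body).decode("ascii")

CAPTURED_TYPE2 = "NTLM TlRMTVNTUAACAAAAAAAAAAAoAAABggAAASNFZ4mrze8AAAAAAAAAAA=="  # from the trace above

if __name__ == "__main__":
    for hdr in (CAPTURED_TYPE2, build_type3("CORP", "jdoe", "WS01")):  # CORP/jdoe/WS01 made up
        print(parse_ntlm_header(hdr))  # captured challenge decodes to 0123456789abcdef
```

The captured challenge decodes to 0123456789abcdef, a fixed pattern rather than a random nonce, so the Type 3 user name this flow yields is the client's unverified claim; if it is used for anything beyond display, the NT response still has to be validated against a domain controller.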