Burp Suite User Forum


NTLM Replay

Joel | Last updated: Jul 23, 2018 03:22PM UTC

Currently if I want to browse some website through Burp with an NTLM authentication I need to provide to Burp the credentials. Since by design NTLM is prone to re(p)lay attack, why can't Burp just replay the challenges and responses without needing the credentials? Thank you, Joel

PortSwigger Agent | Last updated: Jul 24, 2018 07:29AM UTC

Hi Joel, if a proxy relays the exchange unchanged then authentication does not work. The protocol includes the destination host and having a proxy in the middle causes a mismatch. However, you make a really good point. It would be possible to exploit the weak protocol, tamper with some messages and forward NTLM. This would be a cool feature - although it's probably not a priority for us at the moment. However, if you wanted to submit an extension that did this, I think it would be well received.
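
The fields the reply is pointing at, as an added example that is not part of the thread and not Burp or PortSwigger code: the NTLM CHALLENGE_MESSAGE carries the server's TargetName and a TargetInfo list of AV_PAIRs naming the host (NetBIOS and DNS computer name, domain, optionally the SPN), and an NTLMv2 client copies that TargetInfo verbatim into the blob it HMACs, so the proof is bound to whichever host the client was told it is talking to. The code below builds and parses the challenge per MS-NLMP 2.2.1.2/2.2.2.1, computes the NTLMv2 response per MS-NLMP 3.3.2, and then runs one exchange twice: once with the challenge forwarded untouched and once with a proxy that rewrites the DNS computer name to itself before forwarding. The NT hash, host names, challenges and timestamp are constructed test values; the strict verifier that compares the echoed TargetInfo with the one it issued is this example's own policy (real servers check specific pairs such as MsvAvTargetName or MsvAvChannelBindings when service or channel binding is enforced), and `relay_scenario` is a hypothetical helper for the demonstration.

```python
"""NTLMv2: where the destination host lives in the exchange (added example)."""
import hashlib
import hmac
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE_TYPE = 2

# AvId values from MS-NLMP 2.2.2.1 (AV_PAIR).
MSV_AV_EOL = 0x0000
MSV_AV_NB_COMPUTER_NAME = 0x0001
MSV_AV_NB_DOMAIN_NAME = 0x0002
MSV_AV_DNS_COMPUTER_NAME = 0x0003
MSV_AV_TIMESTAMP = 0x0007

# NegotiateFlags used here: UNICODE | NEGOTIATE_NTLM | NEGOTIATE_TARGET_INFO.
DEFAULT_FLAGS = 0x00000001 | 0x00000200 | 0x00800000


def encode_av_pairs(pairs):
    """Serialise [(AvId, value)] as an AV_PAIR list terminated by MsvAvEOL."""
    body = b"".join(struct.pack("<HH", av_id, len(val)) + val for av_id, val in pairs)
    return body + struct.pack("<HH", MSV_AV_EOL, 0)


def decode_av_pairs(blob):
    pairs, off = [], 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == MSV_AV_EOL:
            return pairs
        pairs.append((av_id, blob[off:off + av_len]))
        off += av_len


def build_challenge(server_challenge, target_name, av_pairs, flags=DEFAULT_FLAGS):
    """CHALLENGE_MESSAGE (MS-NLMP 2.2.1.2): 56-byte header, then TargetName and TargetInfo."""
    name = target_name.encode("utf-16-le")
    info = encode_av_pairs(av_pairs)
    payload_off = 56
    hdr = NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE_MESSAGE_TYPE)
    hdr += struct.pack("<HHI", len(name), len(name), payload_off)          # TargetNameFields
    hdr += struct.pack("<I", flags) + server_challenge + b"\x00" * 8       # flags, challenge, reserved
    hdr += struct.pack("<HHI", len(info), len(info), payload_off + len(name))  # TargetInfoFields
    hdr += b"\x00" * 8                                                     # Version (NEGOTIATE_VERSION unset)
    return hdr + name + info


def parse_challenge(data):
    if data[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", data, 8)[0] != CHALLENGE_MESSAGE_TYPE:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    name_len, _, name_off = struct.unpack_from("<HHI", data, 12)
    info_len, _, info_off = struct.unpack_from("<HHI", data, 40)
    target_info = data[info_off:info_off + info_len]
    return {
        "flags": struct.unpack_from("<I", data, 20)[0],
        "server_challenge": data[24:32],
        "target_name": data[name_off:name_off + name_len].decode("utf-16-le"),
        "target_info": target_info,
        "av_pairs": decode_av_pairs(target_info),
    }


def ntowf_v2(nt_hash, user, domain):
    """ResponseKeyNT = HMAC_MD5(NT hash, UPPER(user) || domain), MS-NLMP 3.3.2."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt_hash, user, domain, challenge, client_challenge, timestamp):
    """Client side: NtChallengeResponse = NTProofStr || temp; temp embeds the server's TargetInfo."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + challenge["target_info"] + b"\x00" * 4)
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, challenge["server_challenge"] + temp, hashlib.md5).digest()
    return proof + temp


def verify_ntlmv2_response(nt_hash, user, domain, server_challenge, issued_target_info, response):
    """Server side. Returns (proof_ok, target_ok): the HMAC recomputed over the echoed temp,
    and whether the TargetInfo the client signed is the one this server actually issued."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    proof_ok = hmac.compare_digest(proof, expected)
    echoed_target_info = temp[28:-4]  # skip 2 type + 6 reserved + 8 time + 8 client chal + 4 reserved
    return proof_ok, echoed_target_info == issued_target_info


def relay_scenario(rewrite_target):
    """Hypothetical helper: server issues a challenge, a proxy forwards it (optionally naming
    itself as the destination), the client answers, the server verifies. Constructed inputs."""
    nt_hash = bytes.fromhex("0cb6948805f797bf2a82807973b89537")
    user, domain = "joel", "CORP"
    server_challenge = bytes.fromhex("0123456789abcdef")
    client_challenge = bytes.fromhex("fedcba9876543210")
    timestamp = 132000000000000000
    av = [(MSV_AV_NB_COMPUTER_NAME, "INTRANET".encode("utf-16-le")),
          (MSV_AV_NB_DOMAIN_NAME, "CORP".encode("utf-16-le")),
          (MSV_AV_DNS_COMPUTER_NAME, "intranet.corp.example".encode("utf-16-le")),
          (MSV_AV_TIMESTAMP, struct.pack("<Q", timestamp))]
    wire = build_challenge(server_challenge, "CORP", av)
    issued_target_info = parse_challenge(wire)["target_info"]
    if rewrite_target:
        seen = [(i, v) for i, v in av if i != MSV_AV_DNS_COMPUTER_NAME]
        seen.append((MSV_AV_DNS_COMPUTER_NAME, "proxy.corp.example".encode("utf-16-le")))
        wire = build_challenge(server_challenge, "CORP", seen)
    resp = ntlmv2_response(nt_hash, user, domain, parse_challenge(wire), client_challenge, timestamp)
    return verify_ntlmv2_response(nt_hash, user, domain, server_challenge, issued_target_info, resp)


if __name__ == "__main__":
    print("forwarded unchanged (proof_ok, target_ok):", relay_scenario(False))
    print("target rewritten by proxy (proof_ok, target_ok):", relay_scenario(True))
```

The second run is the instructive one: the HMAC still verifies, because the server recomputes it over whatever TargetInfo the client echoed back, so the only thing that catches the substituted host is the server comparing that echo with what it really sent. That is the comparison a forwarding extension would have to satisfy, and it is why the reply says a proxy in the middle has to leave those messages intact or tamper with them deliberately rather than simply rebuild them.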
