Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Use NTLMv2 platform authentication with the Scanner?

Max | Last updated: Aug 25, 2020 10:44AM UTC

Hi, I am targetting a website that uses NTLMv2. I have successfully configured the authentication in the project options (have also tried user options) and can browse the website fine - as well as use the repeater for example. However, it appears that the Scanner does not make use of the platform authentication as all requests it makes fail. How do I set up the scanner or the platform authentication for it to work as expected?

Michelle, PortSwigger Agent | Last updated: Aug 25, 2020 11:18AM UTC

Hi Can you confirm the version of Burp you are using, please? Is this a site you have previously been able to scan or a new one? Also, can you let us know which scan configuration are you using? Are you using the embedded browser?

Max | Last updated: Aug 25, 2020 12:05PM UTC

Hi Michelle, I am using v2020.8.1 and the embedded browser. This is a new site and I tried using the 'Maximum' scan configuration.

Michelle, PortSwigger Agent | Last updated: Aug 25, 2020 12:15PM UTC

Thanks for the information. Do you see the same issues if you disable the embedded browser or if you use an earlier version of Burp? This will help us to determine if there are any recent changes in behavior that could be causing the issue.

Max | Last updated: Aug 25, 2020 12:31PM UTC

Hi Michelle, Happy to - any chance you could point to two or three versions you'd like me to try out specifically? Could you also tell me how not using the embedded browser would help, as platform authentication works within it. Only the Scanner does not use send the NTLM auth.

Michelle, PortSwigger Agent | Last updated: Aug 25, 2020 01:11PM UTC

Thank you! Just to explain my thinking, the reason I suggested testing without using the embedded browser is that one of the changes with 2020.8.1 is that the embedded browser is now used by default by the Scanner (previously this was in experimental mode and had to be explicitly chosen), although I don't necessarily expect this to have changed the functionality. If you have earlier versions available, then let's try 2020.6. If you don't have that one installed already then feel free to use the one you have installed. Again, there haven't been any recent changes to necessarily affect this but it will help to build a bigger picture.

Max | Last updated: Aug 25, 2020 02:00PM UTC

Hi Michelle, It seems like I have the same issue in 2020.6 (I knew leaving all the successive installers in my Downloads directory would come in handy one day). Looking a bit deeper in Wireshark (for 2020.6), it seems like Burp is in fact detecting the need for NTLM and even sending the requests properly authenticated, but is ignoring the responses. For instance, I can see the NTLMSSP_NEGOTIATE going out, the server responds with an NTLMSSP_CHALLENGE and Burp sends out the request with the correct NTLMSSP_AUTH, to which the server responds with the webpage. However, looking in Logger++, the requests never receive a response (despite the response being clearly received when looking at wireshark). The only difference between 2020.6 and 2020.8.1 I can see immediately is the latter says the request error'd out, whereas 2020.6 doesn't, only stating the server didn't send an NTLM challenge (which is wrong).

Max | Last updated: Aug 25, 2020 02:01PM UTC

Just checking however, where does one explicitly tell Burp to use the embedded browser? As I want to make sure I am not for the purpose of the tests with 2020.6.

Michelle, PortSwigger Agent | Last updated: Aug 25, 2020 02:22PM UTC

Thanks for checking that for me, I'll have a look into this based on what we know and will probably be in touch with some more questions. The setting to determine whether the embedded browser is used by the Scanner is specified in the Crawl Configuration - New -> Crawling -> Miscellaneous.

Max | Last updated: Aug 26, 2020 02:31PM UTC

Hi, Thought it would be worth letting you know that the Scanner works with the platform authentication in version v2.1.07 - others were not tested other than 2020.8.1 and 2020.6 as discussed).

Michelle, PortSwigger Agent | Last updated: Aug 27, 2020 08:40AM UTC

Thanks for the update and for testing the other version, I'm reviewing this case with our developers. If we need some more information to progress the investigations I'll let you know.

Michelle, PortSwigger Agent | Last updated: Aug 27, 2020 10:36AM UTC

Hi I know we talked about this earlier in the thread, but can I double-check what results you got using 2020.8.1 with the following setting in the crawl configuration? Crawling -> Miscellaneous -> Embedded Browser Options -> Use embedded browser for Cawl and Audit -> No I just want to be sure I've got the full set of test results to go through with the developers.

Michelle, PortSwigger Agent | Last updated: Aug 28, 2020 07:51AM UTC

Hi If you have time, can I also ask you to check if you see this issue using version 2020.5.1? Thank you!

Gale | Last updated: Nov 09, 2020 06:05PM UTC

Hi, I wanted to confirm I'm having the exact same issue and this appears to be a bug with the newer Burp Suite Professional versions. Trying to run an active scan on a ASP .NET site using NTLMv2 has stopped working, but I can use the repeater/intruder/etc. I do not have version 2020.5.1, but I was able to confirm the scan works fine on version 2020.4

Michelle, PortSwigger Agent | Last updated: Nov 10, 2020 08:39AM UTC

Thanks for the feedback. This issue has been raised with our developers and we will post back here when there is a fix.

patedepato | Last updated: Nov 12, 2020 10:11AM UTC

Hello everyone, I just wanted to confirm the scenario that Max and Gale are experiencing. For some reason, every request sent from the Scanner gets timed out when using NTLMv2 auth, but picking that exact request (from Logger++ in my case) and sending it to Repeater works flawlessly. Using 2020.11 Pro. Really appreciate your feedback, Michelle!

Baha'a | Last updated: Nov 28, 2021 10:39AM UTC

Dears Kindly any update ?!

Michelle, PortSwigger Agent | Last updated: Nov 29, 2021 11:57AM UTC

Thanks for your message. We haven't forgotten about this one. So that we can be sure your issue matches the one that has been raised can you tell us a bit more about the behavior you are seeing, please? Do you see any error messages in Burp? Are you able to send requests successfully via the Repeater Tool but just not during a scan? Which version of Burp are you currently using?

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.