While a lot of applications allow you to configure proxy settings, quite a few do not support NTLM authentication. Unfortunately, a lot of corporate proxies use NTLM to authenticate their users. To get around this, we can use a free utility called Cntlm to connect these applications to the corporate network. For this example, we will be using Dropbox (referral link) andTrillian, but once configured it should work with any application that allows you to set proxy settings manually. These instructions are for Windows, but Linux builds are available on their Sourceforge page and Mac users can use Authoxy.
NOTE: If the port number used by the application is blocked on the proxy, Cntlm won’t be able to get around this. You may also not be able to do this if your account is locked down to prevent installations – see the end of this post for one way around this.
What You’ll Need
- Cntlm, a utility which stands between your applications and the corporate proxy, adding NTLM authentication on-the-fly.
- Windows XP or newer: Linux builds of Cntlm are available on their Sourceforge page and Mac users can use Authoxy, but I will not be showing you how to configure these.
- At least one application to test the configuration. I’m going to use Dropbox and Trillian, but you can also try it with whichever application you are attempting to run.
Step One: Installing Cntlm
Download the latest version of Cntlm (0.92.3 at the time of writing). Run through the installer clickingNext, making sure to accept the license agreement and to note down the installation folder. Once the installer has completed, navigate to the installation folder.
Step Two: Configuring Cntlm
Before doing anything else, make a backup of cntlm.ini – if anything goes wrong we can simply revert to this backup and start again.
Configure the proxy address
Now look for the following section:
# List of parent proxies to use. More proxies can be defined
# one per line in format <proxy_ip>:<proxy_port>
#
Proxy 10.0.0.41:8080
Proxy 10.0.0.42:8080Remove the second Proxy line, then replace the IP address and port with your proxy settings (you can usually find these by opening Internet Explorer, then clicking Tools –> Internet Options –>Connections –> LAN Settings.
Configure the username and domain
Now we have the proxy address configured, we can configure the username and password. Look for the following section:
Username testuser
Domain corp-uk
Password password
# NOTE: Use plaintext password only at your own risk
# Use hashes instead. You can use a "cntlm -M" and "cntlm -H"
# command sequence to get the right config for your environment.
# See cntlm man page
# Example secure config shown below.
# PassLM 1AD35398BE6565DDB5C4EF70C0593492
# PassNT 77B9081511704EE852F94227CF48A793
### Only for user 'testuser', domain 'corp-uk'
# PassNTLMv2 D5826E9C665C37C80B53397D5C07BBCBFirst, we replace the username and domain with your login credentials. In most companies, this will be the same as your login details for the computer. For example, to login, you may have to enterDJS\StormPooper. In this example, DJS is the domain and StormPooper is the username. If you do not enter your login details like this, then when you are next logging into a work computer, the domain name will be shown on the logon screen as Log on to (you may have to click Advanced to see this). Once you have done this, save your changes, but keep the file open.
Configure the password
Now we need to store your password. As the comment in the configuration file suggests, storing your password as plain text (just typing it in) is a terrible idea, as anyone with access to the system can see your password. To store the password securely, we have to generate a hash of the password. Luckily, Cntlm includes tools to do this. Open a command line (Start –> Run –> cmd) and navigate to the installation directory (on my system, for example, I enter cd "C:\Program Files (x86)\Cntlm"since I’m running a 64-bit version of Windows).
Now we need to generate the hash. Enter this in the command line:
cntlm –c cntlm.ini –H
You should see 3 hashes as per the screenshot above. Copy these and paste them into cntlm.ini, uncommenting the 3 Pass lines and making sure you comment out the Password field. The final results should look like this:
Username StormPooper
Domain DJS
# Password password
# NOTE: Use plaintext password only at your own risk
# Use hashes instead. You can use a "cntlm -M" and "cntlm -H"
# command sequence to get the right config for your environment.
# See cntlm man page
# Example secure config shown below.
PassLM 1AD35398BE6565DDB5C4EF70C0593492
PassNT 77B9081511704EE852F94227CF48A793
### Only for user 'StormPooper', domain 'DJS'
PassNTLMv2 D5826E9C665C37C80B53397D5C07BBCBOnce you have entered your hashes, save your changes. Then in the command line, enter the following command to determine if the settings work:
cntlm –c cntlm.ini –I –M http://www.google.co.uk
If you see something similar to above, you have successfully configured Cntlm. If not, double-check your hashes are correct and your proxy settings.
Starting the service
Now that the configuration file is complete, we have to start Cntlm’s proxy service. Click on Start –> All Programs –> Cntlm –> Start Cntlm Authentication Proxy to start the service.
If you ever need to change the configuration, click Stop Cntlm Authentication Proxy before making any changes, then restart the service to test your changes.
Step Three: Using the proxy with applications
Now to test your configuration. Note that each application is different with regards to proxy settings, but the settings you need to enter will be the same for all of them. Basically, we have to manually configure the proxy to use HTTP and point it to 127.0.0.1, with the port number 3128 (you can change this port number in the configuration file if needed). If there is a place to, enter your username and password in the same way as before – see the two screenshots below for examples.
Once you apply these settings, you should be able to connect using the applications in question.
Conclusion and Advanced Configuration
Now you should be able to run most applications that need to going through the proxy. If you have any difficulties, you should restore the backup you made and start again from step two. If you need to use advanced features such as SOCKS5, you can also configure these using the configuration file – more information about advanced configuration can be found on the Cntlm Wiki or their Help Forums. If you are unable to install Cntlm, you can download the zip file version and create a service using the following command (note the spaces between = and “), though this will still need permissions to create a service:
sc.exe create cntlm binPath= "C:\Program Files (x86)\Cntlm\cygrunsrv.exe" DisplayName= "Cntlm Authentication Proxy"
If you click Start –> Run –> services.msc and double-click the service settings, they will be similar to below (note that Log on As is on the next tab).
If the application you are attempting to run does not let you specify a proxy manually, the likelihood is that it is automatically reading Internet Explorer’s proxy configuration. To bypass this, you can point Internet Explorer to Cntlm in the LAN Settings. Note that on most corporate machines, proxy settings are automatically configured, so your changes may be erased – configuring each application manually avoids this issue.
If all of this manual configuration makes you want to stab your computer in the throat, you can buyProxifier – it comes with a 31 day trial, so see if this works for you. Alternatively, leave a comment below or use the contact form and I will happily try and work through any issues you may be having.
分类: LINUX
浏览器上网就不用说了,直接打开浏览器的首选项,设置代理上网就可以了
当想用终端install个软件时就痛苦了,此时可以用ntlmaps代理
1.到网站下一个ntlmaps的包(这里是一个下载ntlmaps包的网站http://download.chinaunix.net/download.php?id=15159&ResourceID=7502),并解压。
2.设置server.cfg
LISTEN_PORT:9003 //设置监听端口,换句话说本机从这个端口获得数据,当然不一定是9003,只要不冲突就行
PARENT_PROXY:x.x.x.x //公司isa服务器地址和端口,用ntlmaps从哪里获取数据
PARENT_PROXY_PORT:x
PARENT_PROXY_TIMEOUT:15 //公司服务器不响应时你的等待时间,一般默认值
ALLOW_EXTERNAL_CLIENTS:0 //是否允许其他主机通过你的代理联网,呵呵此时我们就相当于公司的服务器了,一般默认值
FRIENDLY_IPS: //限制登录ntlmaps的网段,一般默认值
NT_HOSTNAME: //公司服务器主机名,可以不用填写
NT_DOMAIN //域名,通过IP可以ubuntu自带的tracetoute工具获得
USER //登录所需的用户名和密码
PASSWORD
3.别忘了设置系统-》首选项-》网络代理,如图
4.route add default gw x.x.x.x 增加路由
5.export http_proxy="http://127.0.0.1:9003"
6.启动main.py
7.apt-get 检验是否连接成功
60
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
