Fiddler: NTLM authentication when Burp Suite fails

Recently, we tested a Web application with NTLM authentication. The authentication worked correctly with any browser, but failed once Burp Suite was inserted in the middle (with NTLM suitably configured).

Sniffing with Wireshark, we found the following situation (the picture is from our test lab):

Comparison Firefox and Burp

In the authentication performed by Burp Suite, some NTLM headers are missing and some other options are different, as shown in the picture.
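The same comparison can be made on the header values themselves. The following added example (not part of the original post) decodes the base64 token of an `Authorization: NTLM ...` or `WWW-Authenticate: NTLM ...` header value and diffs the negotiate flags sent by two clients. The helper `sample_type1` and the two flag values are constructed for illustration and are not taken from the capture.

```python
import base64
import struct

# Subset of the NegotiateFlags bits defined in MS-NLMP; unlisted bits are ignored.
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE", 0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET", 0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL", 0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM", 0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY", 0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128", 0x40000000: "NEGOTIATE_KEY_EXCH", 0x80000000: "NEGOTIATE_56",
}
FLAG_OFFSET = {1: 12, 2: 20, 3: 60}  # byte offset of NegotiateFlags per message type


def parse_ntlm_header(value):
    """Return (message_type, set of flag names) for an 'NTLM <base64>' header value."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM header carrying a token")
    raw = base64.b64decode(token, validate=True)
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    offset = FLAG_OFFSET.get(msg_type)
    if offset is None or len(raw) < offset + 4:
        raise ValueError("unknown or truncated NTLM message")
    (flags,) = struct.unpack_from("<I", raw, offset)
    return msg_type, {name for bit, name in NTLM_FLAGS.items() if flags & bit}


def diff_flags(header_a, header_b):
    """Return (flags only in A, flags only in B) for two messages of the same type."""
    type_a, flags_a = parse_ntlm_header(header_a)
    type_b, flags_b = parse_ntlm_header(header_b)
    if type_a != type_b:
        raise ValueError("comparing different NTLM message types")
    return sorted(flags_a - flags_b), sorted(flags_b - flags_a)


def sample_type1(flags):
    """Build a constructed Type 1 (negotiate) header value; not a real capture."""
    fields = struct.pack("<HHI", 0, 0, 32) * 2  # empty domain and workstation
    raw = struct.pack("<8sII", b"NTLMSSP\x00", 1, flags) + fields
    return "NTLM " + base64.b64encode(raw).decode()


# Constructed flag values, not the ones from the capture described above.
CLIENT_A, CLIENT_B = sample_type1(0xA0088207), sample_type1(0x00088287)
```

Paste the header values seen in Wireshark (one from the working client, one from the failing one) into `diff_flags` to list the options that differ.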

Looking for a workaround that would let us carry out the pentest, we found Fiddler, an HTTP proxy that is well integrated with Microsoft authentication protocols. Sniffing with Wireshark, we can see that in the authentication performed by Fiddler the headers are similar to the ones sent directly by the browser without Burp Suite:

Comparison Firefox and Fiddler

By default, Fiddler listens on port 8888 and offers some functionality equivalent to Burp Interceptor and Repeater, but it is far from being like Burp Suite from a penetration testing perspective. So, we chained Fiddler with Burp Suite in this way:

Flow

And here are the tool configurations.

In Firefox we set Burp Suite as HTTP Proxy.

In Burp Suite, we must set Fiddler as an upstream proxy (User Options -> Connections -> Upstream Proxy Server) and remove NTLM authentication (for that we use Fiddler). Furthermore, we must deselect the “Set Connection close on incoming requests” option in Proxy -> Options -> Miscellaneous, because NTLM authenticates every TCP connection: with this option enabled, the server will close the connection after the first NTLM request (of three) needed for the authentication.

In Fiddler, we have to configure the NTLM authentication. Enable “Automatically Authenticate” in the “Rules” menu and then select “Customize Rules” from the same menu. In the configuration file that pops up, add the following text to the “OnPeekAtResponseHeaders” section (with the proper NTLM credentials):

And that’s all! With this configuration, Burp Suite shows only the authenticated requests, while Fiddler also shows the requests used for NTLM authentication. This is an example of a correct NTLM authentication flow (made up of three requests) in Fiddler:

Fiddler can also be used with Kerberos authentication, which Burp Suite does not support. If you are testing an application with this type of authentication, you can also try Berserko, a Burp Suite plugin released by NCC Group Plc. The links to the Fiddler configuration and the Berserko plugin can be found in the references.

We reported the issue with the NTLM headers to the PortSwigger team, but we don’t know when the issue will be addressed. In the meantime, Fiddler is a great workaround!

Happy testing!

References:

  • http://blog.opensecurityresearch.com/2012/03/fiddler-and-ntlm-authentication.html
  • https://blogs.msdn.microsoft.com/fiddler/2011/09/04/fiddler-and-channel-binding-tokens-revisited/
  • http://stackoverflow.com/questions/26499875/kerberos-authentication-with-burp-proxy
  • https://github.com/nccgroup/Berserko
  • http://www.telerik.com/fiddler