Forum Discussion
hooleylist
May 18, 2009
Hi Jackson,
HTTP::username will return the parsed and base64 decoded username from a basic auth request. It will not parse the username or domain from an NTLM authentication session.
Here is a handy site from a guy who helped reverse engineer the NTLM "protocol". He describes the different types of messages used in an NTLM authentication handshake (http://www.innovation.ch/personal/ronald/ntlm.html). There are three different types of messages you would potentially need to handle. Though, I guess you could just handle the first type and prevent anyone from getting past that point to the type 2 (server response) or type 3 (second client request) steps.
The format for the NTLM Authorization header is: "NTLM ". So you can use HTTP::header value Authorization to get the full value of the header. You can check if it starts with NTLM before trying to parse it:
when HTTP_REQUEST {
    # Check for an Authorization header value starting with NTLM before trying to parse the request.
    if {[string tolower [HTTP::header Authorization]] starts_with "ntlm"}{
        ...
    }
}
Once you've verified it looks like an NTLM auth header, you can try to base64 decode it and then check to see if it contains the domain you want to block. For type 1 messages, the domain name is listed normally. For type 3 messages, there is a null character between each character in the domain (why, I have no idea).
        if {[string match -nocase "*domain2*" [b64decode [getfield [HTTP::header Authorization] " " 2]]]}{
            # Request was using a domain2 account.
            # [HTTP::header Authorization] returns the raw header value "NTLM TlRMTVNTUAABAAAAA7IAAAoACgApAAAACQAJACAAAABMSUdIVENJVFlVUlNBLU1JTk9S"
            # [getfield [HTTP::header Authorization] " " 2] returns the base64 encoded token "TlRMTVNTUAABAAAAA7IAAAoACgApAAAACQAJACAAAABMSUdIVENJVFlVUlNBLU1JTk9S"
            # b64decode decodes the encoded token and returns the binary content.
        }
If you need to check the type of NTLM message you can use binary scan:
        # Parse the type code (01, 02, 03) in order to determine the message type and corresponding domain name check.
        # See http://www.innovation.ch/personal/ronald/ntlm.html
        binary scan [b64decode [getfield [HTTP::header Authorization] " " 2]] H16H2H* unused1 type_code unused2
        log local0. "Type: $type_code"
Aaron
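As an added example (not part of Aaron's post, and Python rather than an iRule, so it can be run anywhere), here is the same check done by parsing the NTLM message structure instead of substring-matching the decoded bytes: it verifies the "NTLMSSP" signature, reads the type code at offset 8, and pulls the domain out of the security buffer at offset 16 (type 1) or offset 28 (type 3), decoding the type 3 domain as UTF-16LE, which is where the "null character between each character" comes from. The type 1 header is the one quoted in the post; the type 3 message is constructed by the example itself (empty LM/NTLM responses, Unicode strings) purely as test data, and the null-byte heuristic in _decode_string is this example's choice, not something the post or the NTLM spec prescribes.

```python
import base64
import struct
from typing import FrozenSet, Optional

NTLM_SIGNATURE = b"NTLMSSP\x00"

# The type 1 header quoted in the post above: domain URSA-MINOR, host LIGHTCITY
# (the sample from the innovation.ch write-up).
SAMPLE_TYPE1_HEADER = (
    "NTLM TlRMTVNTUAABAAAAA7IAAAoACgApAAAACQAJACAAAABMSUdIVENJVFlVUlNBLU1JTk9S"
)


def ntlm_token(authorization: str) -> Optional[bytes]:
    """Return the decoded NTLM token carried by an Authorization header, or None
    when the header is not an NTLM one (e.g. Basic) or does not decode."""
    parts = authorization.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "ntlm":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or not raw.startswith(NTLM_SIGNATURE):
        return None
    return raw


def message_type(raw: bytes) -> int:
    """Little-endian 32-bit type code at offset 8: 1, 2 or 3."""
    return struct.unpack_from("<I", raw, 8)[0]


def _security_buffer(raw: bytes, at: int) -> bytes:
    """Read an NTLM security buffer (length, max length, offset) found at `at` and
    return the bytes it points to, refusing offsets past the end of the message."""
    length, _max_length, offset = struct.unpack_from("<HHI", raw, at)
    if offset + length > len(raw):
        raise ValueError("security buffer points outside the message")
    return raw[offset:offset + length]


def _decode_string(buf: bytes) -> str:
    """Type 1 strings are OEM (one byte per character); type 3 strings are usually
    Unicode (UTF-16LE), which is the 'null after every character' the post mentions.
    Heuristic chosen for this example: detect the null pattern instead of trusting the flags."""
    if buf and len(buf) % 2 == 0 and all(b == 0 for b in buf[1::2]):
        return buf.decode("utf-16-le")
    return buf.decode("latin-1")


def ntlm_domain(raw: bytes) -> Optional[str]:
    """Domain name from a type 1 (buffer at offset 16) or type 3 (buffer at offset 28)
    message. Type 2 is the server challenge and carries no client domain, so None."""
    mtype = message_type(raw)
    if mtype == 1:
        if len(raw) < 24:  # minimal type 1 without the optional domain/host buffers
            return None
        return _decode_string(_security_buffer(raw, 16))
    if mtype == 3:
        return _decode_string(_security_buffer(raw, 28))
    return None


def blocked_domain(authorization: str, blocked: FrozenSet[str]) -> bool:
    """True when the header is an NTLM type 1 or type 3 message for a domain in
    `blocked` (compared case-insensitively). Malformed tokens return False here;
    they will not authenticate anyway, and the caller can log them separately."""
    raw = ntlm_token(authorization)
    if raw is None:
        return False
    try:
        domain = ntlm_domain(raw)
    except (ValueError, struct.error, UnicodeDecodeError):
        return False
    return domain is not None and domain.lower() in blocked


def type3_header(domain: str, user: str, host: str) -> str:
    """Constructed type 3 Authorization header with empty LM/NTLM responses and
    UTF-16LE strings, so the type 3 path can be exercised offline (test data only)."""
    strings = [s.encode("utf-16-le") for s in (domain, user, host)]
    header_len = 64  # signature, type, six security buffers, flags
    buffers = [struct.pack("<HHI", 0, 0, header_len)] * 2  # LM and NTLM responses
    body, offset = b"", header_len
    for s in strings:  # domain, user, host buffers land at offsets 28, 36, 44
        buffers.append(struct.pack("<HHI", len(s), len(s), offset))
        body += s
        offset += len(s)
    buffers.append(struct.pack("<HHI", 0, 0, offset))  # session key, empty
    flags = struct.pack("<I", 0x00000001)  # Negotiate Unicode
    raw = NTLM_SIGNATURE + struct.pack("<I", 3) + b"".join(buffers) + flags + body
    return "NTLM " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    blocked = frozenset({"domain2"})
    for hdr in (SAMPLE_TYPE1_HEADER, type3_header("DOMAIN2", "jackson", "WS01")):
        raw = ntlm_token(hdr)
        print(message_type(raw), ntlm_domain(raw), blocked_domain(hdr, blocked))
```

Parsing the security buffer rather than searching the decoded bytes for "*domain2*" avoids false positives when the substring happens to appear in the host name or user name, and the bounds check on the buffer offset keeps a truncated or hand-crafted token from being treated as a valid domain.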