About Cntlm proxy
- Donate. Thanks to SF.net's broken donations, we haven't received a single dollar in years, except from a couple of dedicated users, who recently took the extra steps of letting us know about this issue and donated manually Paypal to Paypal.
- Because of the current financial and time constraints of the Cntlm project, I have now installed a direct Paypal Donate button at the top of this page, which you can use to support Cntlm's developers for our usual services:
- handling of new feature requests and bug fixes (donors receive preferential treatment)
- personalized analyses & consultations regarding your particular environment
- expert networking analyses from packet captures and related modifications to Cntlm
- security assessments and systems-integration advice for Cntlm & other solutions
- Get involved. "Private" beta releases for the upcoming 0.93 stable can be downloaded directly from the development server via the following URL. They're the latest SVN code compiled after some of the release-delaying bugs have been fixed. Your help testing these binaries, and your feedback where appropriate, will be much appreciated. They're the last rounds before the first stable after 0.35.1 is released:
- http://ftp.awk.cz/pub (0.93beta5)
- Beta5 is the latest version compiled for all platforms from SVN. There is a big compatibility enhancement with difficult proxies, like NetCache in certain configurations, etc. Please do test these versions if you can. Send your emails to cntlm(at)awk(dot)cz.
- Cntlm being truly free software, your generosity is the only means we have to support its ongoing existence as-is.
- Paypal payments may also be used to request a specific new feature with top priority, however such cases must be agreed upon in advance.
- Allow empty domain, username, password
- Updated NTLM autodetection mode
- Standalone proxy. Cntlm has been reworked in a way that allows you either to use it like before, with a parent proxy, or as an independent proxy altogether (think Squid, Tinyproxy, etc). The most common configuration, however, will probably be a combination of the two. Use the new NoProxy option to specify which URLs should go through the parent proxy and which URLs Cntlm should process directly, via direct ("intranet") connections. This allows you to set Cntlm permanently in your applications and use it for all links within your company and on the Internet.
- WWW authentication. Another important feature is support for NTLM web server authentication. This means, for example, that you'll be able to access even those protected sites you had to use Windows + IE for in the past. This is probably the most useful outcome of the rewrite. Before then, I was occasionally forced to use a virtualized IE to access some parts of the intranet. Not any more. Everything works transparently on my Linux notebook with plain Firefox.
- Windows installer. The new version sports a brand new automated installer based on InnoSetup software - Start Menu integration, uninstaller and on-line resource links are among the most noticeable new features. Starting and stopping is much easier now for the regular guy.
- Source compilation. Regular people just don't need to know the particularities of all the different packaging systems out there. Users can use a simple "make deb", "make rpm" or "make win" to build a complete installation package for their system.
- GFI WebMonitor / ISA scanner Plugin. Updated scanner module to work with the latest version.
- Builtin SOCKS5 proxy server, which allows almost any TCP/IP application to use a proxy without being aware of it. You can use the tsocks(1) wrapper for this; just make it connect to Cntlm's SOCKS port. DNS- and IPv4-based connections are supported. If you don't have external DNS access, your application will have to resolve via SOCKS remotely or use IP addresses. The former can be forced on some applications (Firefox has the network.proxy.socks_remote_dns configuration key, accessible via the "about:config" URI). This allows proxy- and auth-unaware apps to work, but the policy of your proxy is still the limiting factor here; there's no magical proxy-hacking going on. You will be granted connections only to CONNECT-able (or "SSL") ports. The SOCKS5 proxy can be set up open to everyone or to require authentication. Several accounts (username:password combinations) can be defined.
- Implementation of the rest of the NTLM authentication variants, tested against both Windows/ISA and Samba/Squid: full-featured NTLMv2 with its new strong password hash, and NTLM2 Session Response (NTLMv1.5) offering better network security than NTLM/LM in non-NTLMv2 environments. With these two new algorithms, Cntlm is THE ultimate auth proxy :) supporting every NTLM flavour invented. If you use Cntlm's autodetection, your password is probably better protected than it would be with native Windows. :o)
- Magic NTLM autodetection mode. It tries all algorithms with known working presets and tells you how to set up Cntlm to use the best available security (you can copy & paste the result).
- Configuration using password hashes in place of the actual password (plus hash-and-print mode -H)
- Interactive password prompt to eliminate any form of password storage
- Plaintext password (if used) is hashed at startup and its traces are removed from the process memory to prevent dumping it (useful in an untrusted environment)
- Complete control over NTLM auth (preset+manual Flags option, allowing exotic settings for weird/old proxies)
- Trans-isa-scan: a plugin for automatic and transparent handling of GFI WebMonitor for ISA Server, which breaks all automatic downloaders and system updates - in the true spirit of Microsoft-like ignorance, it returns a dynamic HTML page showing downloading and scanning progress instead of the requested file. When a button appears, it has to be clicked to get the actual file from ISA's cache. Cntlm can now do this transparently for you, depending on the size of the download or application's User-Agent header. This allows e.g. Apt, Wget or Yum to do their job, while having the scanner page displayed in the browser.
- Workstation name autodetection
- "Access denied" page for ACL rejects
- Detailed debug logging with NTLM dumps, tracefile creation
- Easier compilation, autoconf-like feature test macros
- RedHat and SuSE rpm packaging support
- Windows installer doesn't overwrite old INI file
- Username - your domain/proxy account name
- Domain - the actual domain name
- Workstation - NetBIOS name of your workstation; Cntlm tries to autodetect it, but you might want to set it explicitly should dialect detection fail (see below)
- Proxy - IP address (or ping-able hostname) of your proxy; if you use several alternative proxies or know of backup ones, use this option multiple times; if one stops working, Cntlm will move on to the next
- Listen - local port number which Cntlm should bind to; the default is OK, but remember you can't have more than one application per port; you can use netstat to list the ports already in use (lines with LISTEN)
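The options above, together with NoProxy, the ACL "Access denied" page, the built-in SOCKS5 server and the ISA-scanner plugin from the feature list, fit into one cntlm.ini. The file below is an illustration written for this page, not the configuration shipped with Cntlm; key names follow the cntlm.ini of the 0.92 series (check them against the file your version installs), and the account name, domain, hostnames, addresses and SOCKS credentials are made up:

```ini
# Sample cntlm.ini (illustration written for this page, not Cntlm's own file).
# Format: one "Key value" per line, '#' starts a comment.

# Account. Instead of a plaintext "Password" line, store the hash that
# "cntlm -H" (or the -M autodetection run) prints. The value below is a
# placeholder, not a real hash.
Username        jdoe
Domain          CORP
Auth            NTLMv2
PassNTLMv2      REPLACE_WITH_THE_HASH_PRINTED_BY_cntlm_-H

# Set explicitly only if NetBIOS name autodetection fails.
Workstation     WS01

# Parent proxies, tried in order; if one stops working Cntlm moves on.
Proxy           proxy1.corp.example:8080
Proxy           proxy2.corp.example:8080

# Destinations Cntlm connects to directly ("intranet"), bypassing the
# parent proxy. Asterisk wildcards match both addresses and hostnames.
NoProxy         localhost, 127.0.0.*, 10.*, 192.168.*, *.corp.example

# Local HTTP listener: one application per port, so pick a free one.
Listen          3128

# ACL: accept the local machine only; every other client gets the
# "Access denied" page. Rules are evaluated in order, first match wins.
Allow           127.0.0.1
Deny            0/0

# Built-in SOCKS5 server for proxy- and auth-unaware applications
# (point tsocks at this port). Requiring an account keeps the SOCKS
# listener from being an open relay through your corporate proxy.
SOCKS5Proxy     1080
SOCKS5User      socksuser:socks-secret

# GFI WebMonitor / ISA scanner plugin: handle the scanner page
# transparently based on download size (KiB) or User-Agent prefix.
ISAScannerSize  1024
ISAScannerAgent Wget/
ISAScannerAgent APT-HTTP/
```

Two points worth checking after editing the file: Cntlm reads the hash lines in place of Password, so the file still holds a credential equivalent and should be readable only by the user Cntlm runs as; and Allow/Deny only restrict who may connect to Cntlm, the parent proxy's own policy still decides what those connections may reach.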
$ cntlm -I -M http://test.com
Config profile  1/11... OK (HTTP code: 200)
Config profile  2/11... OK (HTTP code: 200)
Config profile  3/11... OK (HTTP code: 200)
Config profile  4/11... OK (HTTP code: 200)
Config profile  5/11... OK (HTTP code: 200)
Config profile  6/11... Credentials rejected
Config profile  7/11... Credentials rejected
Config profile  8/11... OK (HTTP code: 200)
Config profile  9/11... OK (HTTP code: 200)
Config profile 10/11... OK (HTTP code: 200)
Config profile 11/11... OK (HTTP code: 200)
----------------------------[ Profile 0 ]------
Auth            NTLMv2
PassNTLMv2      4AC6525378DF8C69CF6B6234532943AC
------------------------------------------------
Feedback and suggestions
Official / development packages [FTP/HTTP]: http://ftp.awk.cz/cntlm/
Subversion access: Cntlm source code HOWTO