Pen Testing against an NTLM target using OWASP ZAP

I came across an interesting problem. We needed to test a website with tools that we already had. And OWASP Zap was our standard test tool.

Problem: The site used NTLM authentication and OWASP ZAP wasn’t working at all with the automated attack.

Chain proxies! Yup.. you can use BurpSuite to proxy and authenticate requests coming from OWASP ZAP!

How To:

1) Fire up Burp Suite (Free Edition)

2) (optional) Change the proxy port Burp Suite is listening on

  • Click on Proxy
  • Turn INTERCEPT off
  • Click on Options
  • Highlight proxy and hit edit<
  • Change proxy port (I used 8081) and click OK
  • click “Running” checkbox to start

3) Enable Authentication

  • Click on Options
  • Check “Do platform authentication”
  • Check “Prompt for credentials on platform authentication failure”

4) Test using a browser

  • Point to browser to Burp Suite Proxy
  • Browse to protected site
  • Switch BACK to Burp Suite
  • Fill in Authentication Credentials, and hit ok
  • Switch BACK to Browser, and you should be authenticated

NOTE: You can also test with curl by:
export http_proxy=”localhost:8081″
export https_proxy=$http_proxy
curl -v

and it should work.

Now for OWASP ZAP:
1) Start it up
2) Go into TOOLS -> Options (CTRL + ALT + O)
3) Click Connection

  • check “Use an outgoing proxy server”
  • Fill in Address/Domain Name: localhost
  • Fill in port: 8081

4) Press OK

And you should be good… you can do a quickstart scan, or use it as you normally would, and pick a site, and right click and “attack”

Hope this helps someone!

One thought on “Pen Testing against an NTLM target using OWASP ZAP

  1. Thanks for the Post..It is very useful.
    I tried all the steps you have mentioned, it exactly does what u have mentioned for Burpsuite. But i am getting Connection refused message in Owasp ZAP tool, when i click Attack button.
    I didi exactly as you have written in your steps..

    Is their any thing else which i should be doing?

Leave a Reply

Your email address will not be published. Required fields are marked *