Pen Testing against an NTLM target using OWASP ZAP

I came across an interesting problem. We needed to test a website with tools that we already had. And OWASP Zap was our standard test tool.

Problem: The site used NTLM authentication and OWASP ZAP wasn’t working at all with the automated attack.

Solution:
Chain proxies! Yes, you can use Burp Suite as an upstream proxy that authenticates (via NTLM platform authentication) the requests coming from OWASP ZAP.

How To:

1) Fire up Burp Suite (Free Edition)

2) (optional) Change the proxy port Burp Suite is listening on

  • Click on Proxy
  • Turn INTERCEPT off
  • Click on Options
  • Highlight the proxy listener and hit Edit
  • Change the proxy port (I used 8081) and click OK
  • Click the “Running” checkbox to start the listener

3) Enable Authentication

  • Click on Options
  • Check “Do platform authentication”
  • Check “Prompt for credentials on platform authentication failure”

4) Test using a browser

  • Point the browser to the Burp Suite proxy
  • Browse to the protected site
  • Switch BACK to Burp Suite
  • Fill in the authentication credentials, and hit OK
  • Switch BACK to the browser, and you should be authenticated

NOTE: You can also test with curl by:
export http_proxy="localhost:8081"
export https_proxy=$http_proxy
curl -v http://www.ntlm_protected_site.com

and it should work.

Now for OWASP ZAP:
1) Start it up
2) Go into TOOLS -> Options (CTRL + ALT + O)
3) Click Connection

  • Check “Use an outgoing proxy server”
  • Fill in Address/Domain Name: localhost
  • Fill in Port: 8081

4) Press OK

And you should be good. You can run a Quick Start scan, or use ZAP as you normally would: pick a site in the Sites tree, right click, and choose “Attack”.
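To check that the chain actually authenticates (and to tell that apart from a 401 that means Burp is not doing platform auth, or from the “Connection refused” that means nothing is listening on the upstream port), here is a small added Python check that is not part of the original post. It assumes Burp is listening on localhost:8081 as configured above; for HTTPS targets it also assumes Burp's CA certificate is trusted by Python.

```python
import urllib.error
import urllib.request

# Assumption: the Burp listener port chosen in the steps above.
UPSTREAM_PROXY = "http://localhost:8081"


def classify(status, headers):
    """Map a response seen through the proxy chain to a diagnosis string.

    headers is a list of (name, value) pairs as returned by HTTPResponse.getheaders().
    """
    challenges = [v for k, v in headers if k.lower() == "www-authenticate"]
    schemes = {v.split()[0].upper() for v in challenges if v.strip()}
    if status == 401 and "NTLM" in schemes:
        # Target still wants NTLM: Burp did not authenticate on our behalf
        # (platform auth unchecked, wrong credentials, or the prompt was never answered).
        return "ntlm-challenge"
    if status == 401 and "NEGOTIATE" in schemes:
        return "negotiate-challenge"
    if status == 401:
        return "other-401"
    if status == 407:
        return "proxy-auth-required"  # the proxy itself wants credentials
    if 200 <= status < 400:
        return "authenticated"
    return f"http-{status}"


def check_chain(url, proxy=UPSTREAM_PROXY, timeout=10):
    """Fetch url through the upstream proxy and return the classify() diagnosis."""
    handler = urllib.request.ProxyHandler({"http": proxy, "https": proxy})
    opener = urllib.request.build_opener(handler)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.getheaders())
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the challenge headers are still available.
        return classify(err.code, list(err.headers.items()))
    except urllib.error.URLError as err:
        if isinstance(err.reason, ConnectionRefusedError):
            # Nothing listening on the upstream port: Burp not started, or the
            # “Running” checkbox on the listener was never ticked.
            return "upstream-proxy-refused"
        return f"error: {err.reason}"


if __name__ == "__main__":
    print(check_chain("http://www.ntlm_protected_site.com/"))
```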

Hope this helps someone!

One thought on “Pen Testing against an NTLM target using OWASP ZAP”

  1. Thanks for the post. It is very useful.
    I tried all the steps you have mentioned; it does exactly what you have mentioned for Burp Suite. But I am getting a Connection refused message in the OWASP ZAP tool when I click the Attack button.
    I did exactly as you have written in your steps.

    Is there anything else which I should be doing?
