an ntlm upstream addon for http \ https (#5100)
* an ntlm upstream addon for http \ https Ntlm upstream proxy for http https all http methods * fix filename * lint! Co-authored-by: Maximilian Hils <git@maximilianhils.com>
This commit is contained in:
parent
3d5f6da048
commit
cba67aa94c
|
@ -0,0 +1,185 @@
|
|||
import base64
|
||||
import binascii
|
||||
import socket
|
||||
import typing
|
||||
|
||||
from mitmproxy import ctx
|
||||
from mitmproxy import http, addonmanager
|
||||
from mitmproxy.net.http import http1
|
||||
from mitmproxy.proxy import layer, commands
|
||||
from mitmproxy.proxy.context import Context
|
||||
from mitmproxy.proxy.layers.http import HttpConnectUpstreamHook, HttpLayer, HttpStream
|
||||
from mitmproxy.proxy.layers.http._upstream_proxy import HttpUpstreamProxy
|
||||
from ntlm_auth import gss_channel_bindings, ntlm
|
||||
|
||||
|
||||
class NTLMUpstreamAuth:
|
||||
"""
|
||||
This addon handles authentication to systems upstream from us for the
|
||||
upstream proxy and reverse proxy mode. There are 3 cases:
|
||||
- Upstream proxy CONNECT requests should have authentication added, and
|
||||
subsequent already connected requests should not.
|
||||
- Upstream proxy regular requests
|
||||
- Reverse proxy regular requests (CONNECT is invalid in this mode)
|
||||
"""
|
||||
|
||||
def load(self, loader: addonmanager.Loader) -> None:
|
||||
ctx.log.info("NTLMUpstreamAuth loader")
|
||||
loader.add_option(
|
||||
name="upstream_ntlm_auth",
|
||||
typespec=typing.Optional[str],
|
||||
default=None,
|
||||
help="""
|
||||
Add HTTP NTLM authentication to upstream proxy requests.
|
||||
Format: username:password.
|
||||
"""
|
||||
)
|
||||
loader.add_option(
|
||||
name="upstream_ntlm_domain",
|
||||
typespec=typing.Optional[str],
|
||||
default=None,
|
||||
help="""
|
||||
Add HTTP NTLM domain for authentication to upstream proxy requests.
|
||||
"""
|
||||
)
|
||||
loader.add_option(
|
||||
name="upstream_proxy_address",
|
||||
typespec=typing.Optional[str],
|
||||
default=None,
|
||||
help="""
|
||||
upstream poxy address.
|
||||
"""
|
||||
)
|
||||
loader.add_option(
|
||||
name="upstream_ntlm_compatibility",
|
||||
typespec=int,
|
||||
default=3,
|
||||
help="""
|
||||
Add HTTP NTLM compatibility for authentication to upstream proxy requests.
|
||||
Valid values are 0-5 (Default: 3)
|
||||
"""
|
||||
)
|
||||
ctx.log.debug("AddOn: NTLM Upstream Authentication - Loaded")
|
||||
|
||||
def running(self):
|
||||
def extract_flow_from_context(context: Context) -> http.HTTPFlow:
|
||||
if context and context.layers:
|
||||
for l in context.layers:
|
||||
if isinstance(l, HttpLayer):
|
||||
for _, stream in l.streams.items():
|
||||
return stream.flow if isinstance(stream, HttpStream) else None
|
||||
|
||||
def build_connect_flow(context: Context, connect_header: typing.Tuple) -> http.HTTPFlow:
|
||||
flow = extract_flow_from_context(context)
|
||||
if not flow:
|
||||
ctx.log.error("failed to build connect flow")
|
||||
raise
|
||||
flow.request.content = b"" # we should send empty content for handshake
|
||||
header_name, header_value = connect_header
|
||||
flow.request.headers.add(header_name, header_value)
|
||||
return flow
|
||||
|
||||
def patched_start_handshake(self) -> layer.CommandGenerator[None]:
|
||||
assert self.conn.address
|
||||
self.ntlm_context = CustomNTLMContext(ctx)
|
||||
proxy_authorization = self.ntlm_context.get_ntlm_start_negotiate_message()
|
||||
self.flow = build_connect_flow(self.context, ("Proxy-Authorization", proxy_authorization))
|
||||
yield HttpConnectUpstreamHook(self.flow)
|
||||
raw = http1.assemble_request(self.flow.request)
|
||||
yield commands.SendData(self.tunnel_connection, raw)
|
||||
|
||||
def extract_proxy_authenticate_msg(response_head: list) -> str:
|
||||
for header in response_head:
|
||||
if b'Proxy-Authenticate' in header:
|
||||
challenge_message = str(bytes(header).decode('utf-8'))
|
||||
try:
|
||||
token = challenge_message.split(': ')[1]
|
||||
except IndexError:
|
||||
ctx.log.error("Failed to extract challenge_message")
|
||||
raise
|
||||
return token
|
||||
|
||||
def patched_receive_handshake_data(self, data) -> layer.CommandGenerator[typing.Tuple[bool, typing.Optional[str]]]:
|
||||
self.buf += data
|
||||
response_head = self.buf.maybe_extract_lines()
|
||||
if response_head:
|
||||
response_head = [bytes(x) for x in response_head]
|
||||
try:
|
||||
response = http1.read_response_head(response_head)
|
||||
except ValueError:
|
||||
return True, None
|
||||
challenge_message = extract_proxy_authenticate_msg(response_head)
|
||||
if 200 <= response.status_code < 300:
|
||||
if self.buf:
|
||||
yield from self.receive_data(data)
|
||||
del self.buf
|
||||
return True, None
|
||||
else:
|
||||
if not challenge_message:
|
||||
return True, None
|
||||
proxy_authorization = self.ntlm_context.get_ntlm_challenge_response_message(challenge_message)
|
||||
self.flow = build_connect_flow(self.context, ("Proxy-Authorization", proxy_authorization))
|
||||
raw = http1.assemble_request(self.flow.request)
|
||||
yield commands.SendData(self.tunnel_connection, raw)
|
||||
return False, None
|
||||
else:
|
||||
return False, None
|
||||
|
||||
HttpUpstreamProxy.start_handshake = patched_start_handshake
|
||||
HttpUpstreamProxy.receive_handshake_data = patched_receive_handshake_data
|
||||
|
||||
def done(self):
|
||||
ctx.log.info('close ntlm session')
|
||||
|
||||
|
||||
addons = [
|
||||
NTLMUpstreamAuth()
|
||||
]
|
||||
|
||||
|
||||
class CustomNTLMContext:
|
||||
def __init__(self,
|
||||
ctx,
|
||||
preferred_type: str = 'NTLM',
|
||||
cbt_data: gss_channel_bindings.GssChannelBindingsStruct = None):
|
||||
# TODO:// take care the cbt_data
|
||||
auth: str = ctx.options.upstream_ntlm_auth
|
||||
domain: str = str(ctx.options.upstream_ntlm_domain).upper()
|
||||
ntlm_compatibility: int = ctx.options.upstream_ntlm_compatibility
|
||||
username, password = tuple(auth.split(":"))
|
||||
workstation = socket.gethostname().upper()
|
||||
ctx.log.debug('\nntlm context with the details: "{}\\{}", *****'.format(domain, username))
|
||||
self.ctx_log = ctx.log
|
||||
self.preferred_type = preferred_type
|
||||
self.ntlm_context = ntlm.NtlmContext(
|
||||
username=username,
|
||||
password=password,
|
||||
domain=domain,
|
||||
workstation=workstation,
|
||||
ntlm_compatibility=ntlm_compatibility,
|
||||
cbt_data=cbt_data)
|
||||
|
||||
def get_ntlm_start_negotiate_message(self) -> str:
|
||||
negotiate_message = self.ntlm_context.step()
|
||||
negotiate_message_base_64_in_bytes = base64.b64encode(negotiate_message)
|
||||
negotiate_message_base_64_ascii = negotiate_message_base_64_in_bytes.decode("ascii")
|
||||
negotiate_message_base_64_final = u'%s %s' % (self.preferred_type, negotiate_message_base_64_ascii)
|
||||
self.ctx_log.debug(
|
||||
f'{self.preferred_type} Authentication, negotiate message: {negotiate_message_base_64_final}'
|
||||
)
|
||||
return negotiate_message_base_64_final
|
||||
|
||||
def get_ntlm_challenge_response_message(self, challenge_message: str) -> typing.Any:
|
||||
challenge_message = challenge_message.replace(self.preferred_type + " ", "", 1)
|
||||
try:
|
||||
challenge_message_ascii_bytes = base64.b64decode(challenge_message, validate=True)
|
||||
except binascii.Error as err:
|
||||
self.ctx_log.debug('{} Authentication fail with error {}'.format(self.preferred_type, err.__str__()))
|
||||
return False
|
||||
authenticate_message = self.ntlm_context.step(challenge_message_ascii_bytes)
|
||||
negotiate_message_base_64 = u'%s %s' % (self.preferred_type,
|
||||
base64.b64encode(authenticate_message).decode('ascii'))
|
||||
self.ctx_log.debug(
|
||||
f'{self.preferred_type} Authentication, response to challenge message: {negotiate_message_base_64}'
|
||||
)
|
||||
return negotiate_message_base_64
|
Loading…
Reference in New Issue