
Problem with connection to NTLM Authenticated page

Posted: Sat Oct 22, 2005 12:08 am
by Sema
I need to open a connection to an NTLM-authenticated page from a PHP script... The problem is getting the second call through; it hangs on the first call when I am getting the file content from fgets()... Here is the code so far...

Code:

<?php

$url = 'skolenet.ats.dk';
$get = '/protect/ugeplan/?fn=16';


if ($fp = fsockopen($url, 80, $errno, $errstr, 30)) {

	// First request: headers copied from a recorded Firefox session
	$out = "GET $get HTTP/1.1\r\n";
	$out .= "Host: $url\r\n";
	$out .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; da-DK; rv:1.7.12) Gecko/20050919 Firefox/1.0.7\r\n";
	$out .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
	$out .= "Accept-Language: en-us,en;q=0.5\r\n";
	$out .= "Accept-Encoding: gzip,deflate\r\n";
	$out .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
	$out .= "Keep-Alive: 300\r\n";
	$out .= "Connection: keep-alive\r\n";
	$out .= "Referer: http://skolenet.ats.dk/\r\n";
	$out .= "Authorization: xxx\r\n";
	$out .= "\r\n";

	// Second request: same headers plus the recorded authentication data
	// (every header line must end in CRLF, or the next header is glued onto it)
	$out2 = "GET $get HTTP/1.1\r\n";
	$out2 .= "Host: $url\r\n";
	$out2 .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; da-DK; rv:1.7.12) Gecko/20050919 Firefox/1.0.7\r\n";
	$out2 .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
	$out2 .= "Accept-Language: en-us,en;q=0.5\r\n";
	$out2 .= "Accept-Encoding: gzip,deflate\r\n";
	$out2 .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
	$out2 .= "Keep-Alive: 300\r\n";
	$out2 .= "Connection: keep-alive\r\n";
	$out2 .= "xxx\r\n";
	$out2 .= "\r\n";

	//step 1
	echo "\n\n STEP 1 \n\n";

	fwrite($fp, $out);

	// Read until the server closes the connection
	while (!feof($fp)) {
		echo fgets($fp, 1024);
	}
	fclose($fp);

	$fp = fsockopen($url, 80, $errno, $errstr, 30);

	//step 2
	echo "\n\n STEP 2 \n\n";

	fwrite($fp, $out2);

	while (!feof($fp)) {
		echo fgets($fp, 1024);
	}

} else {
	echo 'Error connecting to host';
	exit();
}

fclose($fp);
?>

At the moment I have replaced the authentication hashes with xxx; I have recorded the hashes from a real login in Firefox, but when I run the script it gets the info from the first call (step 1) and hangs in the first while loop. The only way I can get it to go to step 2 is to set the connection to close and not do a "keep-alive" connection. But from what I have read about NTLM authentication, it needs to be a keep-alive connection? Any ideas...

Posted: Sat Oct 22, 2005 8:48 am
by sweatje
You have to provide the hash appropriate to the request you made of the server (in other words, you are trying, unsuccessfully, to perform a man-in-the-middle attack). To really pull this off, you need to be able to replicate the NTLM authentication yourself in PHP. Here is an example of that authentication process reverse engineered.

Isn't there a way you can offload this authentication back to the client where it belongs?

Posted: Sat Oct 22, 2005 9:27 am
by Sema
I need the connection to connect to a protected web page containing a table of times for the different classes at my school. We all have users and passwords to enter the page, but we are forced to use the web page to see this info. I need it for offline use on a PDA, and therefore need to find a way to connect to the page and parse it into an XML file (so other people at my school could find a good use for it too).

I have read that page about the NTLM authentication, but that isn't the problem right now. The problem is that the script stops after the first headers are sent. I get the right headers back (code 401) when I echo the return, but the script stops responding right after the last part of the output is echoed (it never echoes "Step 2"). This only happens if I use the keep-alive connection, but the authentication demands a "keep-alive" connection, not a closed connection...

Posted: Sat Oct 22, 2005 1:29 pm
by Sema
Found the problem: it seems that no end-of-file marker is sent if the connection is set to "keep-alive", so the feof() function in the while condition never returns true and the loop keeps on running. Therefore just reading the headers and then terminating the loop fixes the problem... :)
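The fix described in the last post, as an added PHP example that is not code from the thread: on a keep-alive connection the server leaves the socket open after each response, so a `while (!feof($fp))` loop blocks forever on the next fgets(). The reader below instead consumes exactly one response per call (status line, headers, then a body framed by Content-Length, by chunked transfer-encoding, or by connection close), which goes a bit beyond the post by handling chunked bodies too. That matters for NTLM, whose negotiate/challenge/authenticate exchange is bound to a single TCP connection: closing the socket after the 401 (as the original script does between step 1 and step 2) throws away the challenge, so both responses must be read from the same stream. The function names `read_http_response` and `read_exact`, and the two responses written into a php://memory stream (including the truncated NTLM challenge), are constructed for this example.

```php
<?php
// Added example (not from the original thread): read one HTTP/1.1 response from a
// persistent connection without relying on feof().

function read_http_response($fp): array
{
    // Status line, e.g. "HTTP/1.1 401 Unauthorized"
    $statusLine = rtrim((string) fgets($fp), "\r\n");
    if (!preg_match('#^HTTP/\d\.\d (\d{3})#', $statusLine, $m)) {
        throw new RuntimeException("Bad status line: $statusLine");
    }
    $status = (int) $m[1];

    // Headers end at the first empty line. Names are case-insensitive, so they are
    // lower-cased; repeated headers (e.g. several WWW-Authenticate) are kept as a list.
    $headers = [];
    while (($line = fgets($fp)) !== false) {
        $line = rtrim($line, "\r\n");
        if ($line === '') {
            break;
        }
        [$name, $value] = array_map('trim', explode(':', $line, 2) + [1 => '']);
        $headers[strtolower($name)][] = $value;
    }

    // Body framing: chunked, Content-Length, or (only usable with Connection: close) EOF.
    $body = '';
    if (isset($headers['transfer-encoding']) &&
        stripos(end($headers['transfer-encoding']), 'chunked') !== false) {
        while (true) {
            $sizeLine = trim((string) fgets($fp));
            $size = (int) hexdec(explode(';', $sizeLine, 2)[0]);
            if ($size === 0) {
                // Last chunk: skip any trailer headers up to the final empty line.
                while (($t = fgets($fp)) !== false && rtrim($t, "\r\n") !== '') {
                }
                break;
            }
            $body .= read_exact($fp, $size);
            fgets($fp); // CRLF that terminates each chunk
        }
    } elseif (isset($headers['content-length'])) {
        $body = read_exact($fp, (int) $headers['content-length'][0]);
    } else {
        while (!feof($fp)) {
            $body .= fread($fp, 8192);
        }
    }

    return ['status' => $status, 'headers' => $headers, 'body' => $body];
}

// Read exactly $n bytes; fread() may return fewer than requested on a socket.
function read_exact($fp, int $n): string
{
    $buf = '';
    while (strlen($buf) < $n) {
        $chunk = fread($fp, $n - strlen($buf));
        if ($chunk === false || $chunk === '') {
            throw new RuntimeException('Connection closed before the body was complete');
        }
        $buf .= $chunk;
    }
    return $buf;
}

// Constructed sample: two responses on one keep-alive connection, the shape a
// server produces during an NTLM handshake (401 carrying the challenge, then 200).
$stream = fopen('php://memory', 'r+');
fwrite($stream,
    "HTTP/1.1 401 Unauthorized\r\n" .
    "WWW-Authenticate: NTLM TlRMTVNTUAACAAAA\r\n" .   // truncated placeholder challenge
    "Connection: keep-alive\r\n" .
    "Content-Length: 12\r\n" .
    "\r\n" .
    "Unauthorized" .
    "HTTP/1.1 200 OK\r\n" .
    "Transfer-Encoding: chunked\r\n" .
    "Connection: keep-alive\r\n" .
    "\r\n" .
    "f\r\n<html>ok</html>\r\n0\r\n\r\n"
);
rewind($stream);

$first  = read_http_response($stream);  // 401; the stream is NOT closed afterwards
$second = read_http_response($stream);  // 200, read from the very same stream

printf("%d %s\n", $first['status'], $first['headers']['www-authenticate'][0]);
printf("%d %s\n", $second['status'], $second['body']);
```

Against a real server, `$stream` is the fsockopen() handle; the Type 3 (authenticate) request is written to that same handle right after the 401 is parsed, without the intermediate fclose()/fsockopen() pair.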