cntlm 是一個(gè)HTTP二級(jí)代理軟件宇弛。 它主要的作用鸡典，是在能代理上網(wǎng)的前提下，給這個(gè)代理再做一個(gè)代理枪芒，提供給更多的下級(jí)用戶彻况。 下級(jí)用戶不需要、也不可能知道代理的賬戶密碼舅踪，這樣既保障了安全疗垛、又實(shí)現(xiàn)了方便。

背景介紹

公司內(nèi)部提供代理上網(wǎng)硫朦，但需要登錄贷腕。考慮到y(tǒng)um咬展、http_proxy等方式使用時(shí)會(huì)存在密碼泄露風(fēng)險(xiǎn)泽裳，故采用 cntlm 做一個(gè)二級(jí)代理，方便使用破婆。cntlm 具有以下優(yōu)勢：

• 密碼密文
• 可以設(shè)置黑白名單
• 輕量級(jí)涮总、安裝配置簡單

安裝方式：編譯安裝

下載地址:

• Cntlm Authentication Proxy - Browse /cntlm at SourceForge.net

配置文件樣例

#
# Cntlm Authentication Proxy Configuration
#
# NOTE: all values are parsed literally, do NOT escape spaces,
# do not quote. Use 0600 perms if you use plaintext password.
#

Username        xxxx
Domain          xxxx
#Password       xxxxx
# NOTE: Use plaintext password only at your own risk
# Use hashes instead. You can use a "cntlm -M" and "cntlm -H"
# command sequence to get the right config for your environment.
# See cntlm man page
# Example secure config shown below.
# PassLM          1AD35398BE6565DDB5C4EF70C0593492
# PassNT          77B9081511704EE852F94227CF48A793
### Only for user 'testuser', domain 'corp-uk'
# PassNTLMv2      D5826E9C665C37C80B53397D5C07BBCB

# Specify the netbios hostname cntlm will send to the parent
# proxies. Normally the value is auto-guessed.
#
# Workstation   netbios_hostname

# List of parent proxies to use. More proxies can be defined
# one per line in format <proxy_ip>:<proxy_port>
#
#Proxy          10.0.0.41:8080
Proxy           proxy.xxx.com:8080

# List addresses you do not want to pass to parent proxies
# * and ? wildcards can be used
#
NoProxy         localhost, 127.0.0.*, 10.*, 192.168.*

# Specify the port cntlm will listen on
# You can bind cntlm to specific interface by specifying
# the appropriate IP address also in format <local_ip>:<local_port>
# Cntlm listens on 127.0.0.1:3128 by default
#
Listen          50000

# If you wish to use the SOCKS5 proxy feature as well, uncomment
# the following option. It can be used several times
# to have SOCKS5 on more than one port or on different network
# interfaces (specify explicit source address for that).
#
# WARNING: The service accepts all requests, unless you use
# SOCKS5User and make authentication mandatory. SOCKS5User
# can be used repeatedly for a whole bunch of individual accounts.
#
#SOCKS5Proxy    8010
#SOCKS5User     dave:password

# Use -M first to detect the best NTLM settings for your proxy.
# Default is to use the only secure hash, NTLMv2, but it is not
# as available as the older stuff.
#
# This example is the most universal setup known to man, but it
# uses the weakest hash ever. I won't have it's usage on my
# conscience. :) Really, try -M first.
#
Auth            NTLM
#Flags          0x06820000

# Enable to allow access from other computers
#
Gateway yes

# Useful in Gateway mode to allow/restrict certain IPs
# Specifiy individual IPs or subnets one rule per line.
#
Allow           127.0.0.1
Allow           192.168.3.0/24
Allow           10.10.4.0/24
Deny            0/0

# GFI WebMonitor-handling plugin parameters, disabled by default

#ISAScannerSize     1024
#ISAScannerAgent    Wget/
#ISAScannerAgent    APT-HTTP/
#ISAScannerAgent    Yum/

# Headers which should be replaced if present in the request
#
#Header         User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)

# Tunnels mapping local port to a machine behind the proxy.
# The format is <local_port>:<remote_host>:<remote_port>
#
#Tunnel         11443:remote.com:443

NTLM xxxxxxxxxxxxxxxxxxx

啟動(dòng)方式

cntlm -c /etc/cntlm.conf

檢測配置是否正確

cntlm -c /etc/cntlm.conf -v

生成NTLM密碼

提取以下內(nèi)容：
Proxy-Authorization => NTLM TlRMTVNTUAABAAAABbIIogsACwAsAAAADAAMACAAAABZVU5ZSVlVQU4tREJORVVTT0ZULkNPTQ==

cntlm -vc /etc/cntlm.conf -M http://baidu.com