
Cntlm

Cntlm is a fast NTLM authentication proxy that supports TCP/IP tunneling and authenticated connection caching. It provides up to ten times faster responses than similar proxies while using significantly less RAM and CPU.

Description

Cntlm serves as an efficient NTLM proxy designed for authenticating HTTP(S) connections through corporate proxies. It includes features like ACLs, proper daemon logging, and TCP/IP tunneling, making it suitable for environments requiring NTLM authentication acceleration. The tool is particularly useful for users behind restrictive proxies, offering a local proxy interface that handles NTLM handshakes transparently.

Use cases include passing web traffic through NTLM-authenticated corporate proxies, creating tunnels to remote services across such a proxy, and offering a SOCKS5 proxy with optional local authorization. It supports configuration files for persistent settings and can run in foreground or daemon mode, with debugging and logging options to aid troubleshooting.

Cntlm's lightweight nature and performance optimizations make it ideal for resource-constrained systems, while its compatibility with various NTLM dialects ensures broad proxy support.

How It Works

Cntlm operates as a local NTLM proxy that authenticates against upstream NTLM-enabled proxies using configurable credentials and authentication types (NTLM, NT, LM). It caches authenticated connections to accelerate subsequent requests, supports TCP/IP tunneling via port forwarding rules, and applies ACLs for access control. Additional features include header substitution, User-Agent filtering, and SOCKS5 proxying, with optional SSPI support on Windows and PAC file parsing for proxy autodetection.

Installation

```bash
sudo apt install cntlm
```

Flags

-A <address>[/<net>]                     ACL allow rule. IP or hostname; net must be a number (CIDR notation).
-a ntlm | nt | lm                        Authentication type: combined NTLM, just LM, or just NT. Default NTLM.
-B                                       Enable NTLM-to-basic authentication.
-c <config_file>                         Configuration file. Other arguments can be used as well, overriding config file settings.
-D <address>[/<net>]                     ACL deny rule. Syntax same as -A.
-d <domain>                              Domain/workgroup can be set separately.
-F <flags>                               NTLM authentication flags.
-f                                       Run in foreground, do not fork into daemon mode.
-G <pattern>                             User-Agent matching for the trans-isa-scan plugin.
-g                                       Gateway mode: listen on all interfaces, not only loopback.
-H                                       Print password hashes for use in config file (NTLMv2 needs -u and -d).
-h                                       Print this help info along with version number.
-I                                       Prompt for the password interactively.
-L [<saddr>:]<lport>:<rhost>:<rport>     Forwarding/tunneling a la OpenSSH.
-l [<saddr>:]<lport>                     Main listening port for the NTLM proxy.
-M <testurl>                             Magic autodetection of proxy's NTLM dialect.
-N "<hostname_wildcard1>[, <hostname_wildcardN>]"   List of URLs to serve directly as stand-alone proxy (e.g. '*.local').
-O [<saddr>:]<lport>                     Enable SOCKS5 proxy on port lport (binding to address saddr).
-P <pidfile>                             Create a PID file upon successful start.
-p <password>                            Account password. Will not be visible in "ps", /proc, etc.
-q                                       Sets the Syslog logging level to DEBUG (default level is INFO).
-R <username>:<password>                 Enable authorization for SOCKS5 proxy, when enabled.
-r "HeaderName: value"                   Add a header substitution. All such headers will be added/replaced in the client's requests.
-S <size_in_kb>                          Enable automation of GFI WebMonitor ISA scanner for files < size_in_kb.
-s                                       Do not use threads, serialize all requests; for debugging only.
-T <file.log>                            Redirect all debug information into a trace file for support upload. MUST be the first argument on the command line; implies -v.
-U <uid>                                 Run as uid. It is an important security measure not to run as root.
-u <user>[@<domain>]                     User specification.
-v                                       Print debugging information.
-w <workstation>                         Some proxies require correct NetBIOS hostname.
-x <PAC_file>                            Specify a PAC file to load.
-X <sspi_handle_type>                    Use SSPI with specified handle type. Works only under Windows.

Examples

Print this help info along with version number:
    cntlm -h

Print password hashes for use in config file (NTLMv2 needs -u and -d):
    cntlm -H -u user -d domain

Prompt for the password interactively:
    cntlm -I

Magic autodetection of proxy's NTLM dialect:
    cntlm -M <testurl>

Forwarding/tunneling a la OpenSSH. Listen on lport and forward all connections through the proxy to rhost:rport:
    cntlm -L [<saddr>:]<lport>:<rhost>:<rport>

Main listening port for the NTLM proxy:
    cntlm -l [<saddr>:]<lport>

Enable SOCKS5 proxy on port lport (binding to address saddr):
    cntlm -O [<saddr>:]<lport>
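The same settings are usually kept in the configuration file loaded with -c rather than passed on the command line. The file below is an added example, not from the Kali page or the Cntlm project; the proxy host, account, networks, ports and hash are assumed placeholders, and it shows the hashed-credential, ACL, tunnel and SOCKS5 options that the flags above expose.

```ini
# Added example cntlm.conf (not the project's own file). Every value here is
# an assumed placeholder; replace with your proxy, account and networks.

Username    jdoe
Domain      CORP
# Store a hash instead of a cleartext Password line. Produce it with
#   cntlm -H -u jdoe -d CORP
# then paste the PassNTLMv2 output here and remove any Password line.
PassNTLMv2  0123456789ABCDEF0123456789ABCDEF   # placeholder, not a real hash
Auth        NTLMv2
Workstation WS01

# Upstream NTLM-authenticated proxy; several Proxy lines are tried in order.
Proxy       proxy.corp.example:8080
# Hosts served directly, bypassing the upstream proxy (equivalent of -N).
NoProxy     localhost, 127.0.0.*, 10.*, *.corp.example

# Listen on loopback only (no "Gateway yes") and restrict clients with ACLs
# (-A / -D); rules are evaluated in order, so the Deny comes last.
Listen      127.0.0.1:3128
Allow       127.0.0.1
Deny        0/0

# Port forwarding a la OpenSSH (-L): local 2222 -> host:22 via the proxy.
Tunnel      127.0.0.1:2222:bastion.corp.example:22

# SOCKS5 on loopback with a local username/password required (-O / -R).
SOCKS5Proxy 127.0.0.1:1080
SOCKS5User  localuser:localpass
```

Start it as an unprivileged account with `cntlm -c cntlm.conf -U cntlm -f` while testing; once the upstream handshake works, drop -f to run as a daemon.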
Updated 2026-04-16 (kali.org)