The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,481 other followers

How to fill proxy information in cntlm config file (via: Stack Overflow)

Posted by jpluimers on 2015/04/10

This is an elaboration of How to fill proxy information in cntlm config file – Stack Overflow.

When digging around how to get authentication stuff going, I want as much information, so this was the command-line I used:

cntlm.exe -v -c cntlm.ini -I -M

The -v is important: it shows you why things fail, and where: It also shows you the NTLM headers sent back/forth over the wire.

These are the switches used:

  • -v verbose
  • -c configuration file
  • -I interactive (prompt for password)
  • -M magically detect the NTLM level used by the proxy

Since it is unsafe to store plain text passwords in configuration files, cntlm allows you to store the hashes.

Storing hashes not passwords locally is safer, but not much safer. See for instance Still Passing the Hash 15 Years Later: Guest Post: Let’s talk about Pass-the-Hash by Scriptjunkie the video How to own a Windows Domain or search for Mark Russinovich video windows hash ntlm hack.

Anyway: you can generate the password hashes using either    

cntlm.exe -v -c cntlm.ini -I -H


cntlm -u username -d DOMAIN -H

Both will prompt you for a password, and generate the hash. The former gets the username/domain from the cntlm.ini file, the latter from the command-line parameters.

After they print the hashes, copy them and put in the cntlm.ini file for these keys:

  • PassLM
  • PassNT
  • PassNTLMv2

Then run this on the console to start cntlm in verbose mode:

cntlm -v

Then try these urls through telnet:



If you get this error message:

cntlm: PID 5176: No target info block. Cannot do NTLMv2!

Then remove the PassNTLMv2 line from your cntlm.ini file and add this line:

Auth            NTLM

Then retry.

If success, then either run cntlm through Fiddler proxy to see what goes over the wire:


Or point it to your regular proxy (download your proxy.pac file to view which proxy server is used for that).

Finally try something more complex like

The same technique also works for using with cntlm.


PS: Proxy basic authentication is much easier over telnet, but those days are over (:

PS2: Inbetween writing this blog entry, and it getting published, a few people asked about Git/Mercurial and proxy settings. This is very easy to setup, just edit their INI files like below.

Mercurial and Git configuration

Note that these configuration files use UNIX (LF) line ending, so Notepad has difficulty editing them.

Mercuaial configuration

The global Mercurial configuration file can be in these places:

  • "%ProgramFiles%\Mercurial\Mercurial.ini"
  • "%ProgramFiles(x86)%\Mercurial\Mercurial.ini"
  • "%LOCALAPPDATA%\Atlassian\SourceTree\hg_local\Mercurial.ini"
  • "%USERPROFILE%\mercurial.ini"
  • *\.hg\hgrc

Note the case differences between Mercurial.ini and mercurial.ini, and there is also hgrc:

  1. The “Mercurial.ini” is the system wide one. If it is in, but in “%ProgramFiles%” or “%ProgramFiles(x86)%” (depending on running in x86 or x64 mode) you need to edited it as an administrator.
  2. The “mercurial.ini” is the user specific one and the recommended file to change.

    Note that due to a bug, some SourceTree versions will overwrite the proxy settings in “%USERPROFILE%\mercurial.ini” once every while.

  3. the hgrc file is per Mercurial repository. Technically you can set it there, but only *after* you ave a clone of the repository. See the catch-22/chicken-and-egg there?

Editing the Mercurial config files can be done with the following commands:

  • global:
    hg config -e --global
  • user:
    hg config -e
  • local:
    hg config -e --local

Add these lines in the Mercurial config file (or even set it using from the console):

# using CNTLM.
host = localhost:3128

You can test this value by executing this command:

hg config -u http_proxy

It should give you this result:

Now test by getting the Mercurial repository from the console or from within SourceTree:

hg clone

Git configuration

Even though Git supports NTLM out of the box, it requires plaintext password in the configurtion. CNTLM requires the hash, which I don’t like either, but feels less insecure.

The user specific Git configuration on Windows is a bit hidden. Usually, Git on Windows means MSysGit, for which getting at the Git config file is a two step process as MSysGit is based on Git bash where Git bash includes bash, and bash uses a profile.

So the first step is getting the profile, which – like Mercurial.ini – can be in a few places:

  • "%ProgramFiles%\Git\etc\profile"
  • "%ProgramFiles(x86)%\Git\etc\profile"
  • "%LOCALAPPDATA%\Atlassian\SourceTree\git_local\etc\profile"

This file usually has two lines that try to define the HOME path:


Which means your user specific Git profile is in either these two files:

  1. "%HOMEDRIVE%%HOMEPATH%\.gitconfig"
  2. "%USERPROFILE%\.gitconfig"

It takes the first one that exists, so try these both places, then see what changes when you setup the global proxy settings below.

The easiest to set the Git global config proxy settings is like this:

git config --global http.proxy localhost:3128

If all went fine, it will add these lines to your global Git config file:

    proxy = localhost:3128

Now verify that the global config was actually set by issuing this command:

git config --global --get http.proxy

which should get you this result:


Now test by getting the Git repository from the console or from within SourceTree:

git clone

Note that similarly the bug where some SourceTree versions will overwrite the proxy settings in “%USERPROFILE%\mercurial.ini” once every while, it will also clear the .gitconfig http proxy settings.

As a final note, there can also global be Git config files named >gitconfig (for all users on the machine), but it is not wise to add the http proxy settings there.

For completeness, here is where the global files can be:

  • "%ProgramFiles%\Git\etc\gitconfig"
  • "%ProgramFiles(x86)%\Git\etc\gitconfig"
  • "%LOCALAPPDATA%\Atlassian\SourceTree\git_local\etc\gitconfig"


I’ve left SVN support out of this list on purpose (:

One Response to “How to fill proxy information in cntlm config file (via: Stack Overflow)”

  1. […] How to fill proxy information in cntlm config file (via: Stack Overflow) […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: