NTLM

NTLM (NT LAN Manager) is a challenge-response authentication protocol used in Windows networks. While more secure than LM (LAN Manager), it has known vulnerabilities and has largely been replaced by Kerberos in Active Directory environments. However, NTLM is still used in some scenarios (e.g., standalone systems, legacy apps).

How NTLM Hashing Works

1. Password to NTLM Hash Conversion

The user’s password is converted into an NTLM hash (also called NTLMv1 hash or NT hash).
The hash is stored in the SAM database (local users) or NTDS.dit (Active Directory).

NTLM Hash Generation Steps:

Convert password to UTF-16LE (Unicode).
- Example: Password123 → P\0a\0s\0s\0w\0o\0r\0d\0 1\02\03\0
Compute MD4 hash of the Unicode password.
- MD4(UTF-16LE("Password123")) → 8846F7EAEE8FB117AD06BDD830B7586C (example)

Result:

A 16-byte (128-bit) NTLM hash (stored as NTLM hash or NT hash).

NTLM Authentication Process (Challenge-Response)

When a user logs in, Windows uses NTLM in a three-step handshake:

1. Negotiation (Type 1 Message)

The client sends a request to the server indicating it supports NTLM authentication.

2. Challenge (Type 2 Message)

The server sends an 8-byte random challenge (nonce) to the client.

3. Authentication (Type 3 Message)

The client computes a response using either:
- NTLMv1:
  - Encrypts the server’s challenge with the NTLM hash (DES-based).
- NTLMv2:
  - Uses HMAC-MD5 with additional security (salt, timestamp, etc.).

Security Issues with NTLM

No salting → Same password = same NTLM hash (vulnerable to rainbow tables).
Weak encryption in NTLMv1 → Uses DES, which is crackable.
Vulnerable to Pass-the-Hash (PtH) → Attackers can reuse hashes without cracking.
Relay attacks → Attackers can forward NTLM auth to another machine (e.g., via Responder).

NTLM vs. NTLMv2 vs. Kerberos

Feature

NTLMv1

NTLMv2

Kerberos

Hash Algorithm

MD4 → DES

HMAC-MD5

AES / RC4

Security

Weak

Better than NTLMv1

Strongest

Used in

Legacy systems

Modern Windows (fallback)

Active Directory (default)

Vulnerable to PtH?

Yes

Yes (but harder)

No (uses tickets)

Relay Attack Risk

High

Medium

Low

How Attackers Exploit NTLM Hashes

Extracting NTLM Hashes
- From LSASS memory (Mimikatz, Sekurlsa).
- From SAM (local) or NTDS.dit (Domain Controllers).
- Tools: secretsdump.py, Mimikatz, pwdump.
Pass-the-Hash (PtH) Attacks
- Use NTLM hash directly to authenticate without knowing the password.
- Example:
  crackmapexec smb 192.168.1.100 -u Administrator -H 8846F7EAEE8FB117AD06BDD830B7586C
Cracking NTLM Hashes
- Brute-force (Hashcat mode 1000):
  hashcat -m 1000 ntlm_hash.txt rockyou.txt
- Rainbow tables (for weak passwords).

How to Secure NTLM Authentication

Disable NTLMv1 (only allow NTLMv2).
Enforce Kerberos (preferred over NTLM).
Enable SMB Signing (prevents relay attacks).
Use LAPS (Local Admin Password Solution) to randomize local admin passwords.
Monitor for NTLM usage (Windows Event Logs: Event ID 4624 with NTLM).

Disabling NTLM via Group Policy:

Computer Configuration → Windows Settings → Security Settings →  
Local Policies → Security Options →  
"Network security: Restrict NTLM" → **Deny all**

References

PreviousKerberos key points NextTechnologies

Last updated 8 months ago

hashtagHow NTLM Hashing Works

hashtag1. Password to NTLM Hash Conversion

hashtagNTLM Authentication Process (Challenge-Response)

hashtag1. Negotiation (Type 1 Message)

hashtag2. Challenge (Type 2 Message)

hashtag3. Authentication (Type 3 Message)

hashtagSecurity Issues with NTLM

hashtagNTLM vs. NTLMv2 vs. Kerberos

hashtagHow Attackers Exploit NTLM Hashes

hashtagHow to Secure NTLM Authentication

hashtagReferences