NTLM Authentication
Status: Scaffold — content in progress
NTLM (NT LAN Manager) is a legacy challenge-response authentication protocol used by Windows. Despite being superseded by Kerberos, NTLM remains active in most environments because it is used as a fallback when Kerberos fails, and for local accounts and workgroup scenarios.
Protocol Flow
Client Server
│── NEGOTIATE_MESSAGE ────────>│
│<─ CHALLENGE_MESSAGE ─────────│ (8-byte random challenge)
│── AUTHENTICATE_MESSAGE ─────>│ (hash of password applied to challenge)
The server either validates the response locally (local account) or forwards it to a DC for validation (domain account).
NTLMv1 vs NTLMv2
| | NTLMv1 | NTLMv2 |
|---|---|---|
| Challenge | Server 8-byte challenge only | Server + client challenge |
| Hash | DES-based, weak | HMAC-MD5 over full challenge + timestamp |
| Crackability | Very easy | Hard but possible |
| Default since | NT | Windows Vista / Server 2008 |
NTLMv1 should never be enabled. Its hashes can be cracked in seconds or directly exploited.
Key Attack Primitives
| Attack | How | Requirement |
|---|---|---|
| Pass-the-Hash | Authenticate using just the NTLM hash — no plaintext needed | Have the target user's NT hash |
| NTLM Relay | Capture and forward NTLM auth to a different target | No signing, or signing not enforced |
| Credential capture | Poison LLMNR/NBT-NS responses to make clients authenticate to attacker | Responder on same network segment |
| Offline cracking | Capture Net-NTLMv2 hash, crack offline | Hashcat with wordlist |
Why NTLM Persists
- IP address authentication (Kerberos requires hostname)
- Local account authentication
- Non-domain-joined machines
- Legacy applications hardcoded to NTLM
- Cross-forest scenarios without trust
Hardening
- Disable NTLMv1 and LM via GPO (Network security: LAN Manager authentication level → NTLMv2 only)
- Enable SMB signing (breaks relay attacks)
- Restrict NTLM for specific servers only (not global block — can break things)
- Audit NTLM authentication: Event 4776 on DCs
Telemetry
| Event ID | Location | Description |
|---|---|---|
| 4776 | DC | NTLM authentication attempt (success/fail + source) |
| 4624 / 4625 | Target machine | Logon success/fail (check LogonType 3 + NTLM) |
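As an added example (not part of this page), a small Python triage routine over constructed 4624/4776 records using the fields named above: it keeps only NTLM network logons (LogonType 3), separates NTLMv1/LM from NTLMv2 by the `LmPackageName` field, and counts failed DC credential validations per workstation. Field names mirror the Security log EventData; all sample events, hosts and users are constructed.

```python
"""Triage Security-log events for NTLM use. Sample data below is constructed."""
from collections import Counter

# Constructed records shaped like the EventData fields of events 4624 and 4776.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "alice",
     "WorkstationName": "WS01", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "TargetUserName": "svc_backup",
     "WorkstationName": "LEGACY-APP", "IpAddress": "10.0.0.77"},
    {"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "TargetUserName": "bob",
     "WorkstationName": "WS02", "IpAddress": "10.0.0.6"},
    {"EventID": 4624, "LogonType": "2", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "localadmin",
     "WorkstationName": "WS03", "IpAddress": "127.0.0.1"},
    {"EventID": 4776, "TargetUserName": "alice", "Workstation": "WS01", "Status": "0x0"},
    {"EventID": 4776, "TargetUserName": "alice", "Workstation": "UNKNOWN-PC",
     "Status": "0xc000006a"},
]


def classify_4624(ev):
    """Label a 4624 event, or return None when NTLM over the network is not involved.
    LmPackageName records which NTLM flavour answered the challenge."""
    if ev.get("EventID") != 4624 or ev.get("AuthenticationPackageName") != "NTLM":
        return None
    if ev.get("LogonType") != "3":  # only network logons matter for this triage
        return None
    if ev.get("LmPackageName") in ("LM", "NTLM V1"):
        return "ntlmv1_or_lm_network_logon"  # should not occur once v1/LM are disabled
    return "ntlm_network_logon"  # NTLM used where Kerberos was expected: review why


def summarize(events):
    """Count NTLM network logons by flavour, list NTLMv1 sources, and count
    failed DC credential validations (4776 with non-zero Status) per workstation."""
    findings, v1_sources, failed_4776 = Counter(), set(), Counter()
    for ev in events:
        label = classify_4624(ev)
        if label:
            findings[label] += 1
            if label.startswith("ntlmv1"):
                v1_sources.add((ev["WorkstationName"], ev["IpAddress"]))
        elif ev.get("EventID") == 4776 and ev.get("Status", "0x0").lower() != "0x0":
            failed_4776[ev.get("Workstation", "?")] += 1
    return {"findings": dict(findings), "ntlmv1_sources": sorted(v1_sources),
            "failed_4776_by_workstation": dict(failed_4776)}
```

In practice the events would come from a SIEM export or `Get-WinEvent` output rather than inline dicts; the NTLMv1 source list is the worklist for the "Disable NTLMv1 and LM" hardening step.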
Cross-Links
| Topic | Link |
|---|---|
| Pass-the-Hash | pass-the-hash |
| AD Overview | ad-overview |