9.9. NTLM Authentication

9.9.1. NTLM authentication

NTLM is an acronym for NT LAN Manager. It is a challenge/response authentication protocol that was the standard security protocol in earlier versions of Windows NT, and it is still supported by current Windows versions as a fallback where Kerberos cannot be used.

9.9.1.1. Basic Process

  • The client hashes the current user’s password locally, producing the password hash (the NT hash); the plaintext password itself is never sent over the network

  • The client sends the account name to the server in plaintext

  • The server generates an 8-byte (64-bit) random number and sends it to the client as the challenge

  • The client encrypts the challenge using the password hash as the key and returns the result to the server as the response

  • The server forwards the username, challenge and response to the domain controller

  • The domain controller looks up the user’s password hash by username in its account database (the SAM for local accounts, NTDS.dit for domain accounts) and uses that hash to encrypt the same challenge

  • The domain controller compares the two encrypted challenges. If they are the same, the authentication succeeds; otherwise it fails.

9.9.1.2. Net-NTLMv1

The basic flow of the Net-NTLMv1 protocol is as follows:

  • The client sends a request to the server

  • After the server receives the request, it generates an 8-byte Challenge and sends it back to the client

  • After the client receives the Challenge, it encrypts the Challenge with the password hash of the logged-in user and sends the result to the server as the response

  • The server verifies the response

The Net-NTLMv1 response is calculated as follows:

  • The user’s 16-byte NT hash is zero-padded to 21 bytes and split into three 7-byte pieces

  • Each 7-byte piece (expanded to an 8-byte DES key by inserting parity bits) is used as a DES key to encrypt the 8-byte Challenge sent by the server; the three 8-byte ciphertexts are concatenated into the 24-byte response. These are three independent DES operations on the same plaintext, not 3DES.

This construction is weak. The third key contains only two bytes of hash material (the other five are zero padding), so it can be brute-forced almost instantly, and each remaining 56-bit DES key can be recovered independently. Because the response depends only on the NT hash and the server challenge, an attacker who controls the server can send a fixed challenge and use precomputed rainbow tables to recover the full NT hash from a single captured response, so sniffing or coercing one Net-NTLMv1 exchange is often enough.

9.9.1.3. Net-NTLMv2

Since Windows Vista, Windows uses the Net-NTLMv2 protocol by default. The basic process is as follows:

  • The client sends a request to the server

  • After the server receives the request, it generates an 8-byte Challenge and sends it back to the client

  • After the client receives the Challenge, it generates its own 8-byte client challenge and a blob containing a timestamp, the client challenge and the target information. It derives the NTLMv2 hash as HMAC-MD5 keyed with the NT hash over the upper-cased username and the domain name (UTF-16LE), then computes HMAC-MD5 keyed with the NTLMv2 hash over the server Challenge followed by the blob. The 16-byte result (NTProofStr) followed by the blob is sent to the server as the response

  • The server verifies the response by recomputing the same HMAC with the user’s stored hash

The client challenge and timestamp make every response unique, so precomputed tables are useless against Net-NTLMv2. A captured response can still be cracked offline by guessing passwords (each guess costs one MD4 and two HMAC-MD5 operations), but it cannot be turned back into the NT hash.
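The exchange described above, written out as an added example (this is not code from the original page): the client computes the Net-NTLMv2 response and the server verifies it against the stored NT hash, following the basic process and the Net-NTLMv2 calculation given earlier. The user name, domain and challenge bytes are constructed sample values, and the NT hash is taken as a known 16-byte input (the NT hash of the sample password "password") rather than computed here.

```python
import hmac
import hashlib
import struct
import time

# Constructed sample inputs (not from any real system). The client is assumed
# to already hold the user's NT hash; this value is MD4(UTF-16LE("password")).
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
USERNAME = "alice"
DOMAIN = "CORP"


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def ntlmv2_hash(nt_hash: bytes, username: str, domain: str) -> bytes:
    """NTLMv2 hash = HMAC-MD5(NT hash, UPPER(username) || domain), UTF-16LE.
    Only the user name is upper-cased; the domain is used as sent."""
    return hmac_md5(nt_hash, (username.upper() + domain).encode("utf-16le"))


def target_info(nb_domain: str) -> bytes:
    """Minimal AV_PAIR list: MsvAvNbDomainName (id 2) followed by MsvAvEOL (id 0)."""
    name = nb_domain.encode("utf-16le")
    return struct.pack("<HH", 2, len(name)) + name + struct.pack("<HH", 0, 0)


def build_blob(client_challenge: bytes, timestamp: int, av_pairs: bytes) -> bytes:
    """The 'blob' (NTLMv2_CLIENT_CHALLENGE): RespType=1, HiRespType=1, 6 reserved
    bytes, 8-byte FILETIME, 8-byte client challenge, 4 reserved bytes, the AV_PAIR
    list, and 4 trailing zero bytes."""
    assert len(client_challenge) == 8
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4)


def filetime_now() -> int:
    """Windows FILETIME: 100 ns ticks since 1601-01-01."""
    return int((time.time() + 11644473600) * 10_000_000)


def client_response(nt_hash: bytes, username: str, domain: str,
                    server_challenge: bytes, client_challenge: bytes,
                    timestamp: int, av_pairs: bytes) -> bytes:
    """Client side: NTProofStr || blob, where
    NTProofStr = HMAC-MD5(NTLMv2 hash, server_challenge || blob)."""
    assert len(server_challenge) == 8
    blob = build_blob(client_challenge, timestamp, av_pairs)
    nt_proof = hmac_md5(ntlmv2_hash(nt_hash, username, domain), server_challenge + blob)
    return nt_proof + blob


def server_verify(nt_hash: bytes, username: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """Server / DC side: recompute NTProofStr from the stored NT hash and the
    blob the client sent, and compare in constant time."""
    nt_proof, blob = response[:16], response[16:]
    expected = hmac_md5(ntlmv2_hash(nt_hash, username, domain), server_challenge + blob)
    return hmac.compare_digest(expected, nt_proof)


def cracker_line(username: str, domain: str, server_challenge: bytes, response: bytes) -> str:
    """What a sniffed or relayed exchange looks like to an offline cracker:
    user::domain:server_challenge:NTProofStr:blob (hashcat mode 5600)."""
    return (f"{username}::{domain}:{server_challenge.hex()}:"
            f"{response[:16].hex()}:{response[16:].hex()}")


if __name__ == "__main__":
    import os
    sc = os.urandom(8)                      # server challenge
    cc = os.urandom(8)                      # client challenge (nonce)
    resp = client_response(NT_HASH, USERNAME, DOMAIN, sc, cc, filetime_now(), target_info(DOMAIN))
    print("server accepts:", server_verify(NT_HASH, USERNAME, DOMAIN, sc, resp))
    print(cracker_line(USERNAME, DOMAIN, sc, resp))
```

The server never needs the plaintext password, only the NT hash, which is why the NT hash alone is enough to authenticate (Pass The Hash). The cracker line shows what an attacker actually holds after capturing one exchange: enough to test password guesses offline, but not the hash itself.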

9.9.2. Hash

9.9.2.1. LM Hash

LM Hash (LAN Manager Hash) is the earliest password hashing scheme used by Windows, designed by IBM. It uses DES with a hard-coded plaintext and is fundamentally flawed. Earlier Windows systems such as XP and Server 2003 stored LM Hashes; Vista and later disable LM Hash storage by default and keep only the NTLM Hash.

LM Hash is calculated as:

  • Convert the user’s password to uppercase and truncate it to 14 bytes

  • If it is shorter than 14 bytes, pad it with 0x00 up to 14 bytes

  • Split the 14 bytes into two 7-byte halves

  • Use each 7-byte half as a DES key to encrypt the constant string KGS!@#$%, giving two 8-byte ciphertexts

  • Concatenate the two ciphertexts to obtain the 16-byte LM Hash

As an early algorithm, LM Hash has many problems:

  • The effective password is at most 14 characters and is case-insensitive, since it is upper-cased before hashing

  • The two halves are hashed independently, so a password of 7 or fewer characters leaves the second half all zeros, and its DES output is always the constant aad3b435b51404ee. An LM Hash ending in aad3b435b51404ee therefore reveals that the password is shorter than 8 characters, and the value aad3b435b51404eeaad3b435b51404ee means the password is empty or LM hashing is disabled

  • Splitting the password into two independent 7-character halves turns one 14-character search into two much smaller 7-character searches, each of which can be cracked on its own

  • There is no salt, so identical passwords always produce identical hashes and lookup tables can be precomputed once

  • DES has only a 56-bit key and is no longer considered strong

9.9.2.2. NTLM Hash

In order to address the weaknesses of LM Hash, Microsoft introduced the NTLM protocol in Windows NT 3.1 in 1993.

Windows 2000/XP/2003 store both the LM Hash and the NTLM Hash for passwords of up to 14 characters; for longer passwords the LM Hash cannot be computed, so only the NTLM Hash is stored. Versions from Vista onward store only the NTLM Hash by default.

The calculation method of NTLM Hash is:

  • Encode the password as UTF-16LE (Unicode)

  • Compute MD4 over the encoded bytes; the 16-byte digest is the NTLM Hash (also called the NT hash)

The NTLM Hash has no 14-character limit and is case-sensitive, but it is still unsalted and MD4 is very fast, so a leaked hash can be attacked with precomputed tables or brute force at very high speed.

9.9.3. Attacks

9.9.3.1. Pass The Hash

Pass The Hash (PtH) is a technique in which an attacker who has captured an account’s credential hash reuses that hash to authenticate, without knowing or cracking the plaintext password. It works because NTLM uses the NT hash itself as the key material for the challenge/response, so whoever holds the hash (for example extracted from LSASS memory, the SAM, or NTDS.dit) can produce a valid response.

Microsoft released a defense guide against Pass The Hash attacks in December 2012. The document describes mitigations and explains why it did not ship a patch for Pass The Hash: the behaviour follows from the design of the protocol rather than from an implementation bug.

9.9.3.2. Pass The Key

In environments where NTLM is disabled, an attacker can instead extract the user’s Kerberos keys (the AES keys, or the RC4 key, which is simply the NT hash) with tools such as mimikatz and use them to request a Kerberos ticket as that user; this is known as Pass The Key, or Overpass The Hash when the NT hash is used.

9.9.3.3. NTLM Relay

When an attacker has some degree of control over the client’s network path, he can use a man-in-the-middle attack to gain access: he poses as the authentication server towards the client and as a client requesting authentication towards the real server, forwarding the server’s challenge to the victim and the victim’s response back to the server, so the server grants the attacker the victim’s session. The attacker never learns the hash; the relay only works against servers that do not require message signing (for example SMB signing or LDAP signing and channel binding), which is why enforcing signing is the primary defense.