NTLM Explained

NTLM Explained

NTLM (Network LAN Manager) is a set of Microsoft safety conventions for validating user credentials and protecting data security. Using a three-message challenge-response mechanism to validate identities.

The server verifies the response by comparing it with stored credentials on its system, however this protocol remains vulnerable to cyber attacks like relay and pass-the-hash attacks.

NTLM is the default authentication protocol on Windows systems and can be vulnerable to numerous attacks, including NTLM relay which allows hostile actors to position themselves between servers and clients, relaying valid login requests back through NTLM relay.

Even though password authentication remains vulnerable to cyberattacks, its use persists due to incompatible applications that rely on older authentication protocols. You can avoid risk and protect against cyberattacks by switching over to modern authentication protocols.

What Is NTLM Used For?

NTLM is used for network logons on Windows systems and non-Windows systems that do not offer Kerberos authentication services, as well as local authentication on standalone machines and non-domain joined computers. As its sole means of authentication is user password-based authentication, NTLM has become a frequent target of attackers looking for access to network resources.

Clients send a Type 1 message to the server which indicates its supported options using NTLM flags. These include options such as Negotiate Sign and Negotiate Seal which support signing and sealing operations respectively.

The server then sends back a Type 2 message that contains a security buffer with an LM or NTLM hash of their password encoded as an OEM string and null-padded to 14 bytes, signed using both client unweakened master key and HMAC-MD5 message authentication code algorithm and signed using 16-byte Server Sealing Key value, then used to compare against their password hash value to determine validity.

How Does the NTLM Protocol Work?

NTLM uses a challenge-response mechanism to authenticate users. When entering credentials on either a Windows workstation or server, an authentication ticket containing their machine ID and an NT hash of their password is created; when sent back to the server it compares this against their LM hash and grants access.

This method is secure because it doesn’t send unencrypted passwords across a network that could be intercepted by hackers; rather, it transmits hashed values nearly identical to actual passwords which can only be decrypted with knowledge of a shared secret key.

NTLM also allows local authentication on standalone machines and non-domain joined computers, making it useful for remote environments. In certain instances, it can even handle nonexistent Service Principal Names (SPNs), making NTLM one of the more flexible Microsoft authentication protocols; however, its greater versatility comes at the cost of security as NTLM has some significant vulnerabilities which make it vulnerable to attack.

Difference Between NTLM and Kerberos

Although NTLM has been superseded by Kerberos on Windows systems, it still serves as an emergency backup to older machines and may allow attackers to exploit hard-coded NTLM instances to authenticate through compromised endpoints and gain access to network resources.

NTLM utilizes a challenge-response authentication model, requiring users to answer a challenge sent from the server in order to be verified as identity holders. Once done, the server compares their response against their password to determine whether access should be granted or denied.

Kerberos is an extremely secure protocol, as it authenticates users through tickets containing information such as their machine ID and an NT hash of their password. Unfortunately, however, Kerberos is susceptible to offline brute force attacks if an attacker gains access to an encrypted ticket issued by the Ticket Granting Service (TGS)–though strong password policies and monitoring unauthorized login attempts can mitigate this threat. Furthermore, its deployment and maintenance requires accurate time synchronization across servers which may prove challenging in larger networks with distributed servers.

Kerberos Protocol

Kerberos uses symmetric encryption technology to generate authentication tickets only known to trusted third-parties. These tickets use both users’ password hashes and unique identifiers (such as usernames) in creating tickets that enable authentication.

The server sends an 8-byte challenge to the client computer; upon receiving this challenge, the client computes one or both LM and NTLM hashes and submits 24-byte results back to the server; which then verifies them against its own database to determine if a password-equivalent exists that corresponds with its attempt at authentication.

Kerberos remains a widely used and robust security protocol that’s widely utilized by organizations; however, it remains vulnerable to attacks using “pass-the-ticket.” This hack allows attackers to relay login requests between clients and servers, giving them unauthorized access to network services. However, even with these vulnerabilities present, intrusion detection and prevention systems that monitor for these types of hacks can provide organizations with protection from these and other cyberattacks.

NTLM Benefits and Challenges

The NTLM protocol is an incredibly popular choice across networks, offering users a simple method for authenticating themselves without sending their passwords over the Internet. Instead, its hashed values provide equivalent password values; however, these hashed values can easily be cracked by attackers.

NTLM suffers from being built upon outdated cryptography that relies solely on password authentication for authentication, making it easy for hackers to steal credentials and exploit any weaknesses present within NTLM.

Furthermore, NTLM doesn’t authenticate its communications partners; thus making it vulnerable to man-in-the-middle attacks where an attacker masquerades as the server.

Though IT teams recognize its significant flaws, IT departments may be reluctant to fully disable NTLM due to legacy system functionality issues. Luckily, you can limit NTLM by configuring Group Policy editor network security: LAN Manager authentication level policies which specify authentication and session security protocols the client can negotiate with the server. Enabling Logon Success Auditing on domain controllers also creates event log entries indicating what version of NTLM each endpoint is currently using.

1. Single authentication

Networks typically feature security protocols designed to prevent unauthenticated users from accessing shared data and services, thus requiring clients and servers to conduct mutual authentication of each other.

Microsoft originally developed the NTLM protocol in 1993 as an authentication protocol that is used by various Windows computers to verify whether or not a valid password was entered before granting access.

As part of its authentication process, clients typically send a Type 1 message to the server indicating the authentication methods supported (LM and NTLMv2) as well as providing information about who has been authenticated on a workstation.

The server creates a challenge and then requests that clients respond with an NT hash from either their SAM database or by creating one based on information provided in a Type 2 response. The Domain Controller then validates this hash against its database; once validated by the Domain Controller it is sent back out for validation by another Domain Controller. Unfortunately the NTLM protocol can be vulnerable to several attacks including man-in-the-middle attacks where hackers sit between clients and servers relaying validated NTLM requests back out as part of a man-in-the-middle attack that relay validated NTLM requests back out the door for validation by bypassing Domain Controller validation checks.

2. Security vulnerabilities

NTLM authentication protocols are vulnerable to numerous security attacks, with relay attacks being one of the more popular techniques used against them. One such attack, known as an NTLM relay attack, involves attackers positioning themselves between clients and servers to send authenticated logon challenges and gain access to network services. Furthermore, because passwords are hashed rather than encrypted with this protocol, brute force attacks may be possible since hackers can quickly scan through them until they find an exact match for any common passwords precalculated into rainbow tables in advance.

It also lacks the capability of authenticating servers, making it vulnerable to man-in-the-middle attacks where attackers impersonate servers. Microsoft released NTLMv2, with Windows NT 4.0 SP4, using HMAC-MD5 cryptography which mitigates such vulnerabilities.

Even with its vulnerabilities, NTLM remains popularly used in certain circumstances. For example, it is used for local authentication on standalone machines and non-domain joined computers due to its ability to handle non-existent Service Principal Names (SPNs). For optimal performance on these systems it would be prudent to switch over to Kerberos.

3. Outdated cryptography

Microsoft has already replaced NTLM with Kerberos as an authentication protocol, yet some networks continue to utilize NTLM due to older applications that don’t update to utilize Kerberos.

NTLM dates back to the 1980s when network security was not as advanced. Back then, computer networks were mostly small and local; most used primarily for file sharing or limited client-server applications.

As time passed, cryptographic algorithms were updated with stronger protections; however, older ones remained in place, leaving them open to attacks and cryptanalysis. It is common for old encryption algorithms to become rendered ineffective as new methods of attack emerge or hardware processing power increases; often rendering them no longer efficient.

NTLMv1 and NTLMv2 both utilize an obsolete hashing algorithm called MD4, which was cracked by a team of hackers in early 2015. Attackers could easily obtain password hashes with just minimal effort using brute force techniques; similarly DES was originally developed in 1977 but is no longer effective due to technological developments since that time.

Kerberos Authentication

Kerberos is an immensely popular network authentication protocol with powerful encryption and mutual authentication features, offering centralized authentication and authorization capabilities – making it ideal for protecting large-scale networks.

Kerberous uses symmetric encryption, meaning the keys used to encrypt and sign tickets are known only to those trusted third parties issuing them. It has been implemented across numerous Unix-like operating systems such as FreeBSD, Apple macOS, Red Hat Enterprise Linux and Oracle Solaris as well as IBM z/OS and HP-UX; Microsoft Windows Server also features support for this protocol.

Once a client computer has been authenticated, it can request access to services on other computers using its ticket containing user identity and privilege information. This prevents impersonation attacks as well as man-in-the-middle attacks from taking place.

When clients want to access services, they submit their TGTs to the service server (SS), typically located on the same host as KDC. Once received by TGS for decryption, secret key authentication creates a service ticket containing network address, identification, timestamp, lifetime information. TGS sends this ticket back out with their request so clients can use it authenticate with the SS.

How Can You Protect Your Network Using NTLM?

Due to NTLM’s simple password hashing and outdated cryptography, it is easily exploited through techniques like pass-the-hash or brute force attacks. Furthermore, its weaknesses enable attackers to hijack authentication sessions and gain unauthorized access to systems and data.

However, many networks continue to employ NTLM due to compatibility issues between older legacy systems and applications and it. Therefore, it is vitally important to identify all processes utilizing NTLM and take necessary measures to minimize security risks.

One way of accomplishing this goal is by activating Logon Success Auditing on domain controllers, which will record what version of NTLM an endpoint is currently using in its operational event log.

Additionally, it is wise to disable NTLMv1 and NTLMv2 on all computers, as these versions use the DES block cipher and MD4 hash that are vulnerable to attacks like pass-the-hash and man-in-the-middle. Furthermore, these versions are less secure than NTLMv3, which uses AES encryption with stronger hashing algorithms; password researchers use tools such as rainbow tables to break NTLM hashes quickly with minimal effort needed by attackers; there are ways to mitigate risks without disrupting production systems – however.

What Are the Drawbacks of NTLM?

NTLM stands for New Technology LAN Manager and is an updated version of its predecessor LAN Manager (LM). As a combination of security protocols, it has numerous benefits but its complexity and lack of optimal security measures leave it susceptible to attacks of all sorts. Therefore, having a firm understanding of NTLM operations and how they function is vital in terms of both usage and risk mitigation.

To initiate NTLM authentication, the client sends a Type-1 message to the server that reveals their capabilities – including highest supported NTLM version and domain information as well as any additional data.

The server issues a challenge to the client and verifies their response; if these match, the server grants access. To do this, it can use either an NT hash of their password for verification, or alternatively use their NTLMv2 Session as another means.

Due to NTLM’s weak cryptography, it is vulnerable to attack – such as password hash cracking and pass-the-hash vulnerabilities – making it vulnerable against password hash cracking and pass-the-hash vulnerability. Furthermore, its interoperability with other security protocols limits its usefulness as an authentication solution. Therefore, organizations should consider moving towards more modern authentication protocols with enhanced security measures.

1. Easy hash extraction

NTLM is an authentication protocol that uses a challenge-response model to determine whether a user is the person they claim they are. First introduced in 1993 (a long time in IT years!), this protocol stores password hashes on clients using either LM or NTLMv2 protocols to keep actual passwords from being sent across networks.

Hash values are then compared against the challenge that the server presents; if they match, then the server assumes that the user is who they claim they are and grants access. Therefore it’s essential to create an elaborate password which cannot be easily cracked by others.

While NTLM may be straightforward and user-friendly, its vulnerabilities make it simple for attackers to breach. These include its lack of salting or modern cryptographic methods like MD4 hash function which leaves it open for attack; also its lack of multifactor authentication makes it an inviting target. Furthermore, because its hashes are stored in memory by default it’s easy for malicious actors to retrieve them using free tools like Mimikatz.

2. Weak hash algorithm

NTLM is an older authentication protocol that is no longer considered secure by modern standards. While still used in legacy systems and VPN scenarios, modern protocols like Kerberos should generally be preferred as they offer more protection from various attacks such as relay and man-in-the-middle attacks; weak hash functions don’t support salting so NTLM leaves itself open to brute force attacks.

Under NTLM, passwords are hashed before being transmitted from client to server in plaintext format. Hashes generated by both clients and servers/domain controllers are then compared in order to verify whether or not the password is correct; one type (LM hash) may be stored on client devices while NT hashes are held on both.

This method is known as the challenge-response model. When John logs onto his computer, the system generates a hash from his password entry and sends it along with it to the server where John wants to access. Once received, they compare it against their own hash for comparison; if it matches, access is granted. Attackers can exploit this weakness by positioning themselves between user computer and server exchange, and stealing hashes on either end of exchange.

3. Pass-the-hash vulnerability

Once an attacker obtains an NTLM hash of a user, they can use that hash to authenticate with any host using pass-the-hash (PtH) attacks – one of the most recurring and damaging cyberthreats.

Operating systems never send or save passwords in plaintext; rather, they use encrypted NTLM hashes instead. When you enter a password to log in, the server encrypts your challenge response using their copy of your NT hash before checking its accuracy against its original challenge.

Cybercriminals may gain access to an individual’s NTLM hash by taking it from a compromised device, through phishing attacks, password stealing software or other social engineering tactics. Once they possess it, cybercriminals can use it to move laterally across networks by switching accounts in search of higher level credentials and permissions.

This is made possible due to how NTLM handles grouping. When an NTLM hash is used, its client automatically adds any groups the user belongs to when checking against an incoming challenge. If a user belongs to multiple groups, an attacker could exploit this by sending multiple challenges for one challenge and seeing which has the right NT hash value.

Final Thoughts

NTLM is an outdated and insecure protocol that should no longer be utilized in today’s security environment. It does not support multifactor authentication, has a known hash algorithm without salting, and can be exploited with tools like HashCat to perform offline cracking attacks using data leakage leakage or rainbow tables compiled from sources.

Microsoft deprecated LM and NTLMv1 due to their flaws, and replaced them with Kerberos in Windows 2000. However, legacy systems continue to utilize NTLM for local logon, network logon for workgroups, HTTP servers compatibility reasons or legacy purposes.

As soon as John logs onto his workstation, his system sends an authentication request to his Key Distribution Center (KDC) in his domain. Once at KDC, John’s request is verified by comparing client challenge hash sent by John with server challenge hash and password supplied by KDC.

But since the NTLM_AUTHENTICATE response does not provide any details of its target, an attacker can intercept and submit that message directly back to that target – known as an “NTLM relay attack”, as one of the primary means by which they gain access to an Active Directory environment. Unfortunately, though it’s relatively straightforward to stop this type of attack with a patch from Microsoft.

Sam is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.