NTLM - Knowledge (XXG)

193:, and an HMAC-MD5 hash of the user's password and other identifying information. The two responses differ in the format of the client challenge. The shorter response uses an 8-byte random value for this challenge. In order to verify the response, the server must receive as part of the response the client challenge. For this shorter response, the 8-byte client challenge appended to the 16-byte response makes a 24-byte package which is consistent with the 24-byte response format of the previous NTLMv1 protocol. In certain non-official documentation (e.g. DCE/RPC Over SMB, Leighton) this response is termed LMv2. 4453: 2696: 1877: 4464: 2686: 2676: 1887: 466:, the capability to store both is there, but one is turned off by default. This means that LM authentication no longer works if the computer running Windows Vista acts as the server. Prior versions of Windows (back as far as Windows NT 4.0 Service Pack 4) could be configured to behave this way, but it was not the default. 173:

SP4 (and natively supported in Windows 2000), is a challenge-response authentication protocol. It is intended as a cryptographically strengthened replacement for NTLMv1, enhancing NTLM security by hardening the protocol against many spoofing attacks and adding the ability for a server to authenticate

493:

In February 2010, Amplia Security discovered several flaws in the Windows implementation of the NTLM authentication mechanism which broke the security of the protocol allowing attackers to gain read/write access to files and remote code execution. One of the attacks presented included the ability to

359:

will be used instead of NTLM. HomeGroup is probably the easiest way to share resources on a small network, requiring minimal setup, even compared to configuring a few additional users to be able to use password-protected sharing, which may mean it is used much more than password-protected sharing on

232:

Briefly, the NTLMv1 algorithm is applied, except that an 8-byte client challenge is appended to the 8-byte server challenge and MD5-hashed. The least 8-byte half of the hash result is the challenge utilized in the NTLMv1 protocol. The client challenge is returned in one 24-byte slot of the response

527:

Note that the password-equivalent hashes used in pass-the-hash attacks and password cracking must first be "stolen" (such as by compromising a system with permissions sufficient to access hashes). Also, these hashes are not the same as the NTLMSSP_AUTH "hash" transmitted over the network during a

331:

Your application should not access the NTLM security package directly; instead, it should use the Negotiate security package. Negotiate allows your application to take advantage of more advanced security protocols if they are supported by the systems involved in the authentication. Currently, the

275:

However, existing NTLMv1 infrastructure allows that the challenge/response pair is not verified by the server, but sent to a Domain Controller for verification. Using NTLM2 Session, this infrastructure continues to work if the server substitutes for the challenge the hash of the server and client

146:

The server authenticates the client by sending an 8-byte random number, the challenge. The client performs an operation involving the challenge and a secret shared between client and server, specifically one of the two password hashes described above. The client returns the 24-byte result of the

457:

Starting with Windows NT 4.0 Service Pack 4, the SSP would negotiate NTLMv2 Session whenever both client and server would support it. Up to and including Windows XP, this used either 40- or 56-bit encryption on non-U.S. computers, since the United States had severe restrictions on the export of

450:

DC would mean Domain Controller, but use of that term is confusing. Any computer acting as server and authenticating a user fulfills the role of DC in this context, for example a Windows computer with a local account such as Administrator when that account is used during a network logon.

279:

NTLMv1 Client<-Server: SC Client->Server: H(P,SC) Server->DomCntl: H(P,SC), SC Server<-DomCntl: yes or no NTLM2 Session Client<-Server: SC Client->Server: H(P,H'(SC,CC)), CC Server->DomCntl: H(P,H'(SC,CC)), H'(SC,CC) Server<-DomCntl: yes or no

147:

computation. In fact, in NTLMv1 the computations are usually made using both hashes and both 24-byte results are sent. The server verifies that the client has computed the correct result, and from this infers possession of the secret, and hence the authenticity of the client.

318:

to improve interoperability (in particular, the RC4-HMAC encryption type). According to an independent researcher, this design decision allows Domain Controllers to be tricked into issuing an attacker with a Kerberos ticket if the NTLM hash is known. Microsoft adopted

200:

format, (2) an 8-byte random value (CC2 in the box below), (3) the domain name and (4) some standard format stuff. The response must include a copy of this client challenge, and is therefore variable length. In non-official documentation, this response is termed NTv2.

220:

SC = 8-byte server challenge, random CC = 8-byte client challenge, random CC* = (X, time, CC2, domain name) v2-Hash = HMAC-MD5(NT-Hash, user name, domain name) LMv2 = HMAC-MD5(v2-Hash, SC, CC) NTv2 = HMAC-MD5(v2-Hash, SC, CC*) response = LMv2 | CC | NTv2 | CC*

461:

In Windows Vista and above, LM has been disabled for inbound authentication. Windows NT-based operating systems up through and including Windows Server 2003 store two password hashes, the LAN Manager (LM) hash and the Windows NT hash. Starting in

502:

generated by the protocol. These flaws had been present in all versions of Windows for 17 years. The security advisory explaining these issues included fully working proof-of-concept exploits. All these flaws were fixed by MS10-012.

2752: 373:

may cause Windows to negotiate NTLMv1 or even LM for outbound authentication with the SMB server, allowing the device to work although it may be loaded with outdated, insecure software regardless of whether it were a new

155:

encrypt the 64-bit challenge. The three encryptions of the challenge are reunited to form the 24-byte response. Both the response using the LM hash and the NT hash are returned as the response, but this is configurable.

1056: 150:

Both the hashes produce 16-byte quantities. Five bytes of zeros are appended to obtain 21 bytes. The 21 bytes are separated in three 7-byte (56-bit) quantities. Each of these 56-bit quantities is used as a key to

204:

Both LMv2 and NTv2 hash the client and server challenge with the NT hash of the user's password and other identifying information. The exact formula is to begin with the NT hash, which is stored in the

311:

Despite these recommendations, NTLM is still widely deployed on systems. A major reason is to maintain compatibility with older systems. However, it can be avoided in some circumstances.

1676: 458:

encryption technology at the time. Starting with Windows XP SP3, 128-bit encryption could be added by installing an update and on Windows 7, 128-bit encryption would be the default.

2732: 524:

and sufficient GPU power the NTLM hash can be derived using a known plaintext attack by cracking the DES keys with hashcat mode 14000 as demonstrated by atom on the hashcat forums.

348:

The server must have the "password-protected sharing" feature enabled, which is not enabled by default and which is mutually exclusive with HomeGroup on some versions of Windows.

1060: 81:

which uses three messages to authenticate a client in a connection-oriented environment (connectionless is similar), and a fourth additional message if integrity is desired.

486:

can be used in many cases to obtain credentials from one machine which can be used to gain control of another machine. The Squirtle toolkit can be used to leverage web site

1923: 58:

authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in a single package. Whether these protocols are used or can be used on a system which is governed by

369:, such as NAS devices and network printers, the NTLM SSP may offer the only supported authentication method. Some implementations of SMB or older distributions of e.g. 332:

Negotiate security package selects between Kerberos and NTLM. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication.

1340: 345:

The client is authenticating to a server that doesn't belong to a domain or no Active Directory domain exists (commonly referred to as "workgroup" or "peer-to-peer")

391:

The client is authenticating to a server that belongs to a different Active Directory forest that has a legacy NTLM trust instead of a transitive inter-forest trust

4489: 95:

The NTLM protocol uses one or both of two hashed password values, both of which are also stored on the server (or domain controller), and which through a lack of

46:

security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft

3468: 1682: 1833: 446:: Clients use NTLMv2 authentication only, and use NTLMv2 session security if server supports it; DCs refuse LM and NTLM (accept only NTLMv2 authentication). 440:: Clients use NTLMv2 authentication only, and use NTLMv2 session security if server supports it; DCs refuse LM (accept only NTLM and NTLMv2 authentication). 3483: 1743: 1732: 1280: 323:

as the preferred authentication protocol for Windows 2000 and subsequent Active Directory domains. Kerberos is typically used when a server belongs to a

4499: 3648: 2725: 2617: 1512: 2558: 111:-based function applied to the first 14 characters of the password converted to the traditional 8-bit PC charset for the language), and the NT hash ( 2689: 2612: 1958: 1694: 1639: 1590: 926: 3305: 520:

In 2019, EvilMog published a tool called the ntlmv1-multitool to format NTLMv1 challenge responses in a hashcat compatible cracking format. With

434:: Clients use NTLMv2 authentication only, and use NTLMv2 session security if server supports it; DCs accept LM, NTLM, and NTLMv2 authentication. 422:: Clients use LM and NTLM authentication, and use NTLMv2 session security if server supports it; DCs accept LM, NTLM, and NTLMv2 authentication. 2578: 2573: 2553: 2162: 1916: 1534: 499: 428:: Clients use NTLM authentication only, and use NTLMv2 session security if server supports it; DCs accept LM, NTLM, and NTLMv2 authentication. 78: 4339: 2718: 2568: 2563: 4468: 2741: 1943: 1821: 229:

The NTLM2 Session protocol is similar to MS-CHAPv2. It consists of authentication from NTLMv1 combined with session security from NTLMv2.

132:, depending on the NTLM version; NT LanMan and NTLM version 1 use the DES-based LanMan one-way function (LMOWF), while NTLMv2 uses the NT 1057:"Active Directory Vulnerability Disclosure: Weak encryption enables attacker to change a victim's password without being logged - Aorato" 3718: 3358: 2942: 2777: 2249: 2224: 2089: 1700: 307:

Deriving a key from a password is as specified in RFC1320 and FIPS46-2. Therefore, applications are generally advised not to use NTLM.

4494: 3890: 3799: 3315: 2947: 2679: 1948: 1772: 1007: 103:, meaning that if you grab the hash value from the server, you can authenticate without knowing the actual password. The two are the 1449: 2600: 2585: 1953: 1909: 1574: 573: 454:

Prior to Windows NT 4.0 Service Pack 4, the SSP would negotiate NTLMv1 and fall back to LM if the other machine did not support it.

405:

After it has been decided either by the application developer or by the Negotiate SSP that the NTLM SSP be used for authentication,

1845: 1827: 1365: 416:: Clients use LM and NTLM authentication, and never use NTLMv2 session security; DCs accept LM, NTLM, and NTLMv2 authentication. 236:

This is a strengthened form of NTLMv1 which maintains the ability to use existing Domain Controller infrastructure yet avoids a

3638: 3618: 3581: 3543: 3528: 2094: 1851: 1688: 1306:"hand-tuned hashcat 6.0.0 beta and 2080Ti (stock clocks) breaks NTLM cracking speed mark of 100GH/s on a single compute device" 1600: 652: 4384: 3966: 3493: 1965: 1756: 292:

Implementers should be aware that NTLM does not support any recent cryptographic methods, such as AES or SHA-256. It uses

3508: 2590: 2523: 495: 4349: 4218: 3905: 3895: 3769: 3673: 3533: 2890: 2845: 2473: 1632: 517:

are available for eight- and nine-character NTLM passwords. Shorter passwords can be recovered by brute force methods.

4457: 3825: 3784: 3683: 3538: 3335: 3050: 3000: 2313: 409:

dictates the ability to use each of the protocols that the NTLM SSP implements. There are five authentication levels.

159:

85:

First, the client establishes a network path to the server and sends a NEGOTIATE_MESSAGE advertising its capabilities.

1245: 4047: 3927: 3633: 3132: 2772: 2765: 2760: 2699: 2634: 2605: 2595: 2543: 2538: 2518: 2297: 196:

The second response sent by NTLMv2 uses a variable-length client challenge which includes (1) the current time in

4379: 4344: 3774: 3764: 3703: 3613: 3503: 3473: 3122: 2820: 2661: 2646: 2533: 2528: 2468: 2463: 2318: 2254: 1890: 1738: 352: 327:. Microsoft recommends developers neither to use Kerberos nor the NTLM Security Support Provider (SSP) directly. 3744: 3688: 3668: 3513: 3282: 3167: 2419: 2277: 2179: 1228: 206: 152: 108: 3057: 1566: 4329: 4324: 4168: 4163: 4123: 4083: 4033: 3779: 3523: 3518: 3393: 3368: 3330: 3300: 3250: 3062: 2985: 2910: 2830: 2805: 2639: 2629: 2292: 2167: 1880: 1717: 1625: 1213: 293: 1551: 4309: 4273: 3885: 3870: 3628: 3586: 3478: 3408: 3325: 3310: 2905: 2488: 2191: 2174: 1778: 1186: 217:, the username and domain name. In the box below, X stands for the fixed contents of a formatting field. 4438: 4258: 4203: 4143: 4128: 3937: 3608: 3563: 3420: 3373: 1463: 324: 903: 852: 828: 804: 780: 756: 732: 624: 600: 88:

Next, the server responds with CHALLENGE_MESSAGE which is used to establish the identity of the client.

4423: 4418: 4263: 4233: 4198: 4088: 3794: 3789: 3693: 3643: 3601: 3571: 3458: 3045: 3010: 2957: 2895: 2624: 1159: 879: 487: 366: 4364: 4223: 4178: 4153: 4108: 4054: 3853: 3708: 3591: 3040: 3025: 2965: 2885: 2855: 2656: 2508: 2503: 2483: 2350: 2206: 2201: 2196: 2186: 2157: 2150: 2145: 1789: 1767: 1032: 708: 578: 506:

In 2012, it was demonstrated that every possible 8-character NTLM password hash permutation can be

378: 320: 315: 96: 4369: 4319: 4093: 4012: 3998: 3917: 3623: 3463: 3430: 3403: 3398: 3072: 2975: 2970: 2870: 2498: 2493: 2370: 2365: 2360: 2355: 1664: 1614:- A tool for formatting NTLMv1 challenge responses into a format that can be cracked with hashcat 1542: 1495: 66: 4433: 4359: 4314: 4213: 4208: 4183: 4138: 4103: 3973: 3277: 3087: 2920: 2424: 2403: 2398: 1932: 507: 479: 237: 31: 1265: 685:"Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs" 537: 4374: 4283: 4118: 4061: 4019: 3880: 3848: 3804: 3759: 3678: 3438: 3235: 3112: 3102: 2865: 2860: 1538: 1107: 1081: 963: 684: 541: 370: 129: 1011: 394:

Where a firewall would otherwise restrict the ports required by Kerberos (typically TCP 88)

356: 4410: 4293: 4268: 4253: 4243: 4193: 4188: 3942: 3576: 3292: 3157: 3147: 3092: 3077: 2935: 2825: 2651: 2439: 2434: 2429: 2393: 2388: 2069: 1670: 1305: 1133: 513:

In 2019, this time was reduced to roughly 2.5 hours by using more modern hardware. Also,

1517: 1341:"Ethical hacker Dustin Heywood, a.k.a. EvilMog: 'My mission is to make companies safer'" 27:

Suite of Microsoft security protocols for authentication, integrity, and confidentiality

3900: 3443: 3255: 3245: 3230: 3162: 3030: 3005: 2980: 2930: 2900: 2810: 2345: 2340: 2332: 2287: 2135: 2074: 2064: 2059: 1815: 1799: 1648: 269: 170: 4483: 4389: 4248: 4148: 3488: 3448: 3225: 3200: 3192: 3127: 2995: 2795: 2380: 2101: 514: 475: 463: 116: 1503:

Personal HTTP(S) and SOCKS5 proxy for NTLM-unaware applications (Windows/Linux/UNIX)

4158: 4113: 4040: 4005: 3713: 3663: 3453: 3205: 3152: 3117: 3035: 3015: 2835: 2815: 2079: 1284: 660: 406: 256:. Without the client participating in the choice of challenge, the server can send 62:

settings, for which different versions of Windows have different default settings.

59: 1862: 50:(LANMAN), an older Microsoft product. The NTLM protocol suite is implemented in a 4228: 4173: 4078: 3932: 3820: 3698: 3553: 3345: 3320: 2915: 2444: 2264: 2115: 2004: 1999: 1994: 1989: 1984: 1794: 563: 55: 47: 2710: 4133: 3957: 3498: 3388: 3262: 3182: 3107: 2925: 2229: 2125: 2120: 2084: 2042: 2032: 2027: 2022: 2014: 1584: 483: 385: 17: 1506: 1411: 988: 3754: 3749: 3383: 3272: 3220: 2990: 2111: 2106: 1784: 1552:

NTLM version 2 (NTLMv2) and the LMCompatibilityLevel setting that governs it

938: 551: 43: 91:

Finally, the client responds to the challenge with an AUTHENTICATE_MESSAGE.

1611: 1608:- An HTTP proxy server to automatically authenticate through an NTLM proxy 1390: 1366:"Dustin Heywood: The "Evil" Hacker Using his Neurodivergent Mind for Good" 4334: 4238: 4098: 3858: 3723: 3353: 3210: 3097: 3082: 3020: 2880: 2840: 1762: 482:

which was addressed by Microsoft security update MS08-068. For example,

233:

message, the 24-byte calculated response is returned in the other slot.

4354: 4288: 4026: 3912: 3875: 3863: 3548: 3267: 3240: 3215: 3177: 2875: 2800: 1749: 568: 547: 521: 197: 122: 104: 1281:"25-GPU cluster cracks every standard Windows password in <6 hours" 4428: 4278: 3947: 3728: 3653: 1857: 1839: 1810: 119: 1901: 1464:"NT MD4 password hash as new password encryption method for FreeBSD" 1328: 1108:"Public Key Cryptography based User to User Authentication Overview" 1605: 1570: 1556: 189:

hash of the server challenge, a fully/partially randomly generated

4394: 3830: 3658: 3363: 3137: 2850: 1805: 1546: 1531:

software that allows users to authenticate via an MS Proxy Server.

1528: 1617: 1522: 1513:

MSDN article explaining the protocol and that it has been renamed

1501:

Cntlm – NTLM, NTLMSR, NTLMv2 Authentication Proxy and Accelerator

1490: 288:

Since 2010, Microsoft no longer recommends NTLM in applications:

3922: 3596: 3415: 3378: 1727: 1706: 1500: 1435: 210: 182: 51: 2714: 1905: 1621: 314:

Microsoft has added the NTLM hash to its implementation of the

3840: 3172: 3142: 3067: 1975: 1507:

The NTLM Authentication Protocol and Security Support Provider

420:

Send LM & NTLM - use NTLMv2 session security if negotiated

301: 297: 214: 186: 133: 112: 1595: 1266:"Windows SMB NTLM Weak Nonce vulnerability Security Advisory" 1187:"The Most Misunderstood Windows Security Setting of All Time" 1578: 1496: