NTLM Authentication Fundamentals

🖊️Author: Nairuz Abulhul

🌐 Blog: R3dbuck3t

NTLM Authentication

NTLM authentication is used for Windows authentication with systems configured as a member of a workgroup.

🏗️ Authentication Components:

<aside> 📌 NTLM is a challenge-response authentication protocol

</aside>

Authentication Process

A **client**sends a request to the server, and the server responds with a challenge( referred to as nonce is a 16-bit random number)
The client encrypts their password hash with the challenge and sends it over to the server.
At that point, the application sends the **username, the challenge, and the client's encrypted response** **to the domain controller.**
The domain controller encrypts the user's hash again (password hash and the challenge value) and compares it with the stored password hashes. If it matches, the user is allowed to authenticate to the domain.

Common Attacks against NTLM Authentication

NTLM hashes can be captured through poisoning the network traffic with tools like **Responder or Inveigh - LLMNR Poisoning**
- Windows devices constantly sending broadcasting requesting every time the user attempting to access a share. If an attacker is running a poisoning on that same segment, the poison is going to respond back with whatever the window client is looking for and and asks the client to encrypt this challenge for them.
NTLM and NTLMv2 hashes are both susceptible to cracking offline.
NTLM hashes are bypassable; an attacker can use the hashed to perform a **Pass the Hash (PtH)**attack and authenticate to the targeted machine.
NTLMv2 hashes are NOT bypassable; an attacker can’t use them to perform a Pass the Hash (PtH)attack; they can either be relayed or crack it offline.

NTLM Relays:
- NTLM relay is a way of forwarding captured NTLMv2 hashes to the the targeted machine to authenticate to it.
- Relays work if SMB signing is disabled.
- Relay Steps

<aside> 📌 LSASS is a process that is responsible for handling authentication for NTLM and Kerberos.

</aside>