In Active Directory, authentication answers one question: is this user really who they claim to be? For that, AD mainly uses:

  • Kerberos: modern, preferred
  • NTLM: legacy, still widely present

NTLM still exists for:

  • Backward compatibility
  • Systems that don’t support Kerberos
  • Fallback when Kerberos fails

NTLM (NT LAN Manager)

A legacy Microsoft challenge-response authentication protocol, still used in AD to verify user identities and provide Single Sign-On (SSO). Unlike Kerberos there are no tickets: every NTLM logon is a fresh challenge-response, and for domain accounts the server forwards the response to a Domain Controller over the Netlogon secure channel for validation.

The NTLM family is really several distinct things that are often lumped together:

  • LM Hash algorithm (password storage, obsolete)
  • NT Hash algorithm (password storage, current)
  • NTLMv1 / NTLMv2 authentication protocols (the network challenge-response, computed from those hashes)

NTLM Authentication Flow

NTLM uses a challenge-response mechanism: neither the password nor its hash crosses the network, only a response computed from the hash:

  1. NEGOTIATE: client requests authentication and advertises the options it supports (flags)
  2. CHALLENGE: server sends an 8-byte random nonce (and, for NTLMv2, target information)
  3. AUTHENTICATE: client sends a response computed from its password hash and the challenge; for a domain account the server passes challenge and response to a DC, which recomputes the response from the stored NT hash

NT Hash

The NT hash (often loosely called the NTLM hash) is a 16-byte value, written as 32 hex characters:

MD4(UTF-16-LE(password))

No salt, no iteration count. Stored (encrypted with the boot key / PEK, so SYSTEM-level access is needed to read it) in:

  • SAM (local accounts on each machine)
  • NTDS.dit (domain accounts, on every Domain Controller)

NTLM Hash Structure

Example (pwdump / secretsdump line format):

Rachel:500:LM_HASH:NT_HASH:::

Breakdown:

  • Rachel: Username
  • 500: RID (500 is always the built-in Administrator; 501 is Guest, 502 is krbtgt on a domain)
  • LM hash: old, weak, normally no longer stored; when absent the field holds the fixed value aad3b435b51404eeaad3b435b51404ee (the LM hash of an empty password)
  • NT hash: the part that matters (32 hex characters)
  • The trailing ::: are empty fields kept for the pwdump layout

NT Hash Weaknesses

  • No salt: same password = same hash for every user and every machine, so one hash per guess checks an entire dump
  • Fast: MD4 runs at billions of guesses per second on a single GPU
  • The hash is the credential: it enables Pass-the-Hash without cracking anything

Pass-the-Hash (PtH)

Instead of cracking the password, the attacker authenticates with the NT hash directly: NTLM only ever needs the hash to compute the response, so holding the hash is as good as knowing the password.

Example:

crackmapexec smb <IP> -u user -H <NT_HASH>

(-H accepts the NT hash on its own or in LM:NT form.)

Works if:

  • NTLM authentication is allowed on the target (not disabled by policy; domain accounts in the Protected Users group cannot use NTLM at all)
  • The user has sufficient privileges: code execution needs local admin on the target, and for local accounts other than RID 500 UAC remote restrictions strip the admin token unless LocalAccountTokenFilterPolicy is set to 1

LM Hash (LAN Manager)

Old password hashing algorithm (obsolete; no longer stored by default since Windows Vista / Server 2008).

How it works:

  1. Password converted to uppercase, then NUL-padded or truncated to 14 bytes
  2. Split into two 7-byte halves
  3. Each half becomes a DES key (7 bytes expanded to 8 with parity bits) that encrypts the constant KGS!@#$%; the two 8-byte ciphertexts are concatenated

Weaknesses:

  • Case-insensitive
  • The split means each half is cracked independently: 7 characters of uppercase/digits/symbols instead of 14
  • Passwords shorter than 8 characters leave the second half at the constant aad3b435b51404ee, which leaks the length
  • DES is extremely fast → trivial to brute-force, and complete rainbow tables exist

Storage:

  • SAM
  • NTDS.dit

Passwords of 15 or more characters get no LM hash at all; when LM storage is disabled the field holds the empty-password value aad3b435b51404eeaad3b435b51404ee.

NTLM Protocol Versions

NTLMv1

Uses the LM or NT hash (both an LM response and an NT response are sent, computed the same way).

Challenge-response with DES: the 16-byte hash is padded with 5 zero bytes to 21 bytes, split into three 7-byte DES keys, each key encrypts the 8-byte server challenge, and the three ciphertexts form the 24-byte response.

Weaknesses:

  • Weak cryptography: the third DES key carries only 2 bytes of hash, so cracking a captured response recovers the NT hash itself (not merely the password), which is then usable for Pass-the-Hash; with a fixed challenge (Responder's 1122334455667788) this becomes a table lookup
  • Uses the LM hash, dragging LM weaknesses into the network protocol
  • Easily crackable offline (hashcat mode 5500)
  • No timestamp or client nonce, and no mutual authentication

NTLMv2 (Improved)

Uses the NT hash only. Responses are HMAC-MD5 instead of DES:

  NTLMv2 key = HMAC-MD5(NT hash, UPPERCASE(user) + domain)
  Response   = HMAC-MD5(NTLMv2 key, server challenge + blob)

The blob adds:

  • Timestamp (client time as FILETIME)
  • Client nonce (8 random bytes)
  • Target information (AV pairs sent by the server: server and domain names, optionally channel-binding data)

Still vulnerable to:

  • Relay attacks: a live response can be forwarded to another server unless signing or EPA is enforced
  • Pass-the-Hash: the NT hash alone is enough to compute a valid response
  • Offline cracking of captured responses (hashcat mode 5600), slower than raw NT hashes but fine for weak passwords

Still no mutual authentication.
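The NTLMv2 computation above, as an added example (not code from the original notes): it builds one constructed exchange with fixed nonces and the NT hash of "password", writes it out in the capture layout hashcat mode 5600 uses, and then cracks the capture by recomputing NTProofStr for candidate NT hashes. The user, domain and host names are made up. The NT hash is fed in as hex, as it would come from a dump, which is exactly why Pass-the-Hash still works against v2: the password itself is never needed.

```python
"""NTLMv2 challenge-response (MS-NLMP 3.3.2) and offline cracking of a captured response."""
import hashlib
import hmac
import struct

# NT hash of "password" (MD4 over UTF-16LE), as it would come out of a SAM/NTDS dump
NT_HASH_PASSWORD = "8846f7eaee8fb117ad06bdd830b7586c"
# NT hash of the empty password; used only as a wrong candidate below
NT_HASH_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"


def ntowf_v2(nt_hash_hex, user, domain):
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user)+domain in UTF-16LE.
    Only the user name is upper-cased; the domain keeps its case."""
    key = bytes.fromhex(nt_hash_hex)
    return hmac.new(key, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def av_pair(av_id, value):
    """One AV_PAIR of the TargetInfo list: id, byte length, UTF-16LE value."""
    v = value.encode("utf-16le")
    return struct.pack("<HH", av_id, len(v)) + v


def build_blob(timestamp_filetime, client_nonce, target_info):
    """The 'temp' structure the client hashes: version, FILETIME, client nonce, TargetInfo.
    A real client uses int((time.time() + 11644473600) * 10**7) and 8 random nonce bytes."""
    return (b"\x01\x01" + b"\x00" * 6
            + struct.pack("<Q", timestamp_filetime)
            + client_nonce
            + b"\x00" * 4
            + target_info
            + b"\x00" * 4)


def nt_proof_str(nt_hash_hex, user, domain, server_challenge, blob):
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp); the response on the wire is proof || temp."""
    return hmac.new(ntowf_v2(nt_hash_hex, user, domain), server_challenge + blob, hashlib.md5).digest()


def capture_line(user, domain, server_challenge, proof, blob):
    """Responder / hashcat -m 5600 layout: user::domain:challenge:NTProofStr:blob."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_capture(line, candidate_nt_hashes):
    """Offline attack: recompute NTProofStr for each candidate NT hash, return the first match."""
    user, _, domain, chal, proof, blob = line.split(":")
    for cand in candidate_nt_hashes:
        got = nt_proof_str(cand, user, domain, bytes.fromhex(chal), bytes.fromhex(blob))
        if hmac.compare_digest(got, bytes.fromhex(proof)):
            return cand
    return None


def replay_elsewhere(line, new_server_challenge):
    """Simulate replaying a captured response to a server that issued a different challenge."""
    parts = line.split(":")
    parts[3] = new_server_challenge.hex()
    return ":".join(parts)


def demo_exchange():
    """Constructed exchange (hypothetical user 'rachel' in domain 'CORP' against host FILESRV01)
    with fixed server challenge, client nonce and a zero timestamp so the output is reproducible."""
    server_challenge = bytes.fromhex("0123456789abcdef")
    client_nonce = bytes.fromhex("aaaaaaaaaaaaaaaa")
    target_info = av_pair(0x0002, "CORP") + av_pair(0x0001, "FILESRV01") + av_pair(0x0000, "")
    blob = build_blob(0, client_nonce, target_info)
    proof = nt_proof_str(NT_HASH_PASSWORD, "rachel", "CORP", server_challenge, blob)
    return capture_line("rachel", "CORP", server_challenge, proof, blob)


if __name__ == "__main__":
    line = demo_exchange()
    print(line)
    print("cracked NT hash:", crack_capture(line, [NT_HASH_EMPTY, NT_HASH_PASSWORD]))
    print("same response under another challenge:",
          crack_capture(replay_elsewhere(line, bytes.fromhex("fedcba9876543210")), [NT_HASH_PASSWORD]))
```

Two things the run shows: the captured response only verifies against the challenge it was computed for, which is why a passive replay fails while a live relay (forwarding the challenge and response in real time) does not; and the cracker never touches a password, so a candidate list of NT hashes is as good as a word list. To check the functions against the official vectors, MS-NLMP section 4.2.4 publishes NTOWFv2 and NTLMv2 response values for User/Domain/Password.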

Domain Cached Credentials (DCC / MSCache2)

Allows a domain account to log on when no Domain Controller is reachable (e.g. a laptop off the corporate network).

Stored in:

HKEY_LOCAL_MACHINE\SECURITY\Cache

(SYSTEM access plus the boot key is needed to decrypt it.)

Stores the last 10 domain logons by default (CachedLogonsCount, 0 to 50).

Format (hashcat mode 2100):

$DCC2$10240#user#hash

10240 is the PBKDF2 iteration count. Derivation:

  DCC1 = MD4(NT hash + lowercase(username))
  DCC2 = PBKDF2-HMAC-SHA1(DCC1, salt = lowercase(username), 10240 iterations)

Consequences: salted per user and slow to crack, and it cannot be used for Pass-the-Hash, so a dumped DCC2 is only useful once cracked.
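Worked example of the NT hash and DCC2 derivations, added here as illustration (not code from the original notes). It serves the NT Hash, Hash Structure and NT Hash Weaknesses sections above as well as this DCC section: it parses pwdump-style lines, runs a dictionary attack that shows why the lack of a salt matters, and derives the $DCC2$ form for the same password. It ships its own MD4 because hashlib's md4 is often unavailable on OpenSSL 3 builds; the dump lines, account names and word list are constructed, not real data.

```python
"""NT hash (MD4 over UTF-16LE) and Domain Cached Credentials v2 (DCC2 / MSCache2)."""
import hashlib
import struct


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data):
    """RFC 1320 MD4 in pure Python: hashlib.new("md4") is missing on many OpenSSL 3 builds."""
    mask = 0xFFFFFFFF
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i, s in zip(range(16), [3, 7, 11, 19] * 4):  # round 1
            a = _rotl((a + F(b, c, d) + X[i]) & mask, s)
            a, b, c, d = d, a, b, c
        for i, s in zip([0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13] * 4):  # round 2
            a = _rotl((a + G(b, c, d) + X[i] + 0x5A827999) & mask, s)
            a, b, c, d = d, a, b, c
        for i, s in zip([0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15] * 4):  # round 3
            a = _rotl((a + H(b, c, d) + X[i] + 0x6ED9EBA1) & mask, s)
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)); no salt, no iterations."""
    return md4(password.encode("utf-16le")).hex()


NO_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored (LM of the empty password)


def parse_pwdump_line(line):
    """user:rid:lm:nt::: as produced by secretsdump / pwdump-style tools."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return {"user": user, "rid": int(rid), "lm_stored": lm.lower() != NO_LM, "nt": nt.lower()}


def crack_nt(entries, wordlist):
    """No salt: hash each candidate once and match it against every user at the same time."""
    lookup = {nt_hash(w): w for w in wordlist}
    return {e["user"]: lookup.get(e["nt"]) for e in entries}


def dcc2(password, username, iterations=10240):
    """DCC1 = MD4(NT hash || lower(user)); DCC2 = PBKDF2-HMAC-SHA1(DCC1, salt=lower(user), iterations)."""
    user = username.lower().encode("utf-16le")
    dcc1 = md4(bytes.fromhex(nt_hash(password)) + user)
    return hashlib.pbkdf2_hmac("sha1", dcc1, user, iterations, 16).hex()


def dcc2_line(password, username, iterations=10240):
    """hashcat -m 2100 layout: $DCC2$<iterations>#<user>#<hash>."""
    return f"$DCC2${iterations}#{username.lower()}#{dcc2(password, username, iterations)}"


def verify_dcc2_line(line, password):
    """Test one password guess against a $DCC2$ line (what a cracker does per candidate)."""
    iters, user, digest = line.split("$", 2)[2].split("#")
    return dcc2(password, user, int(iters)) == digest


# Constructed sample dump (hypothetical accounts, not real credentials); two share the password "password".
SAMPLE_DUMP = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "rachel:1104:" + NO_LM + ":" + nt_hash("correct horse battery staple") + ":::",
]
WORDLIST = ["123456", "Password1", "password", "Winter2024!"]


def crack_sample():
    """Dictionary attack over the sample dump: identical hashes fall together, rachel survives."""
    return crack_nt([parse_pwdump_line(l) for l in SAMPLE_DUMP], WORDLIST)


if __name__ == "__main__":
    print(crack_sample())
    print(dcc2_line("password", "Administrator"))
    print(dcc2_line("password", "svc_backup"))
```

Running it shows the contrast the notes draw: the two accounts with the same password have byte-identical NT hashes and fall to a single MD4 per guess, while their DCC2 values differ because the lowercase username is the salt, and each guess costs 10240 HMAC-SHA1 rounds. Nothing in the DCC2 value lets you recover the NT hash, which is why it cannot be passed.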