NTLM Authentication Definition:
NTLM (NT LAN Manager) Authentication is a suite of security protocols developed by Microsoft to authenticate users and protect the integrity and confidentiality of their credentials. NTLM was commonly used in Windows networks before the introduction of the more secure Kerberos protocol.
What is NTLM Authentication?
NTLM Authentication uses a challenge-response mechanism to authenticate users without transmitting passwords directly. It relies on hashing and multiple challenge exchanges between the client and the server to confirm user identity, allowing Windows systems to verify users accessing network resources.
Why is NTLM Authentication important?
The purpose of NTLM Authentication is to provide a secure method for validating users within Windows environments, especially in older networks that may not support newer protocols like Kerberos. NTLM is still used in certain situations, such as when interacting with legacy systems or when Kerberos is unavailable.
How does NTLM Authentication work?
NTLM Authentication operates in a three-step process: (1) The client sends a login request to the server. (2) The server responds with a challenge; the client then computes a hash of the user's credentials with the challenge and sends it back. (3) The server validates the hash to authenticate the user. NTLM uses MD4 and MD5 hashing, which have since become outdated and vulnerable to attacks.
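The three messages of this exchange can be told apart by their binary layout. The following is an added example, not code from this page: it parses the NTLMSSP message header and reports the server challenge and whether the client answered in the NTLMv1 or NTLMv2 response format. The sample messages are constructed, and `parse_ntlm` and `build_authenticate` are hypothetical names.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def _field(msg, pos):
    """Follow a (Len, MaxLen, BufferOffset) descriptor to the bytes it names."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def parse_ntlm(msg):
    """Classify one NTLMSSP message and extract what a reviewer needs from it."""
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    info = {"type": TYPES.get(mtype, "UNKNOWN")}
    if mtype == 2 and len(msg) >= 32:
        info["server_challenge"] = msg[24:32].hex()   # 8-byte random challenge
    elif mtype == 3 and len(msg) >= 64:
        (flags,) = struct.unpack_from("<I", msg, 60)
        # Bit 0 = Unicode strings; latin-1 stands in for the unknown OEM code page.
        enc = "utf-16-le" if flags & 0x1 else "latin-1"
        nt = _field(msg, 20)
        info["domain"] = _field(msg, 28).decode(enc, "replace")
        info["user"] = _field(msg, 36).decode(enc, "replace")
        # A 24-byte NT response is the NTLMv1 format (including v1 with extended
        # session security); NTLMv2 responses carry a 16-byte proof plus a blob.
        info["response_format"] = ("NTLMv1" if len(nt) == 24
                                   else "NTLMv2" if len(nt) > 24 else "none")
    return info

def build_authenticate(domain, user, nt_response):
    """Constructed sample builder: a type 3 message with a dummy response."""
    parts = [b"", nt_response, domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b""]
    fields, payload, offset = b"", b"", 64
    for p in parts:
        fields += struct.pack("<HHI", len(p), len(p), offset)
        payload += p
        offset += len(p)
    return SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", 0x1) + payload

# Constructed sample messages (not captured traffic).
NEGOTIATE = SIGNATURE + struct.pack("<II", 1, 0x1) + bytes(16)
CHALLENGE = (SIGNATURE + struct.pack("<IHHII", 2, 0, 0, 48, 0x1)
             + bytes.fromhex("0123456789abcdef") + bytes(8) + struct.pack("<HHI", 0, 0, 48))
if __name__ == "__main__":
    for m in (NEGOTIATE, CHALLENGE, build_authenticate("CORP", "alice", bytes(60))):
        print(parse_ntlm(m))
```

In HTTP traffic these messages appear base64-encoded after `NTLM ` in the `WWW-Authenticate` and `Authorization` headers, so decode them before parsing.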
NTLM Authentication Examples:
Examples of NTLM usage include accessing Windows file shares, authenticating within older domains, or connecting to legacy applications that do not support Kerberos. NTLM is also used as a fallback method when Kerberos authentication fails in certain environments.
NTLM Authentication Issues:
NTLM has known security weaknesses, including vulnerability to pass-the-hash attacks, where attackers capture and reuse password hashes to gain unauthorised access. Due to these risks, NTLM is largely deprecated in favour of Kerberos, and Microsoft recommends using more modern, secure protocols wherever possible.