Penetration Tester Interview Q&A…What is NTLM?

5qu1n7
3 min readJul 27, 2024

--

NTLM is considered an outdated protocol. As such, its benefits — when compared to a more modern solution, such as Kerberos (more on this subject later) — are limited. Yet the original promise of NTLM remains true: Clients use password hashing to avoid sending unprotected passwords over the network.

NTLM stands for Windows New Technology LAN Manager and it is a set of security protocols from Microsoft that verifies a user’s or computer’s identity on a network. NTLM is primarily used in Windows domain environments and works by using a challenge-response mechanism to authenticate users and computers. When a client requests access to a service on an Active Directory domain, the service sends a challenge to the client. The client must then perform a mathematical operation using its authentication token and return the result to the service. This process verifies to the server or domain controller that the user knows the password for their account. At its core, NTLM is a single sign on (SSO) tool that relies on a challenge-response protocol to confirm the user without requiring them to submit a password.

NTLM was created to replace another Microsoft authentication protocol called LAN Manager, which was considered flawed. However, NTLM is vulnerable to attacks such as brute force attacks, relay attacks, and pass-the-hash attacks.

NTLM was subject to several known security vulnerabilities related to password hashing and salting.

In NTLM, passwords stored on the server and domain controller are not “salted” — meaning that a random string of characters is not added to the hashed password to further protect it from cracking techniques. This means that adversaries who possess a password hash do not need the underlying password to authenticate a session.

NTLM’s cryptography also fails to take advantage of new advances in algorithms and encryption that significantly enhance security capabilities.

NTLM was replaced as the default authentication protocol in Windows 2000 by Kerberos (there will be a Kerberos section, later). However, NTLM is still maintained in all Windows systems for compatibility purposes between older clients and servers.

For example, computers still running Windows 95, Windows 98, or Windows NT 4.0 will use the NTLM protocol for network authentication with a Windows 2000 domain. Meanwhile, computers running Windows 2000 will use NTLM when authenticating servers with Windows NT 4.0 or earlier, as well as when accessing resources in Windows 2000 or earlier domains. NTLM is also used to authenticate local logons with non-domain controllers.

Some mitigations against NTLM Attacks:

  1. Enforce NTLM mitigations. To be fully protected from NTLM relay attacks, you will need to enable server signing and EPA on all relevant servers.
  2. Patch! Make sure your systems are fully protected with the latest security updates from Microsoft.
  3. Identify weak variations. Some NTLM clients use weak NTLM variations (e.g., don’t send a MIC). This puts your network at a greater risk of being vulnerable to NTLM relay.
  4. Monitor NTLM traffic in your network. Try to restrict insecure NTLM traffic.

Get rid of clients sending LM responses and set the Group Policy Object (GPO) network security: LAN Manager authentication level to refuse LM responses.

This should be enough information on NTLM to get you passed an interview…GOOD LUCK!!! Next up, Kerberos!

--

--

5qu1n7
5qu1n7

Written by 5qu1n7

Currently a Penetration Tester and Retired United States Air Force Military Working Dog Handler after 23 years. Who also has a habit of picking locks.

No responses yet