What is NTLM?
Introduced in 1993, NTLM is an upgraded version of its predecessor, LAN Manager (LM). First released with Windows NT 3.1, NTLM introduced the concept of a domain controller, which kept the password hashes for all users in a domain. NTLM has several advantages over its predecessor, including never transmitting the user's password in its entirety, encrypted storage of user passwords, and the ability to create user security tokens, which enable authorization as well as authentication.
Several flaws in NTLMv1 led Microsoft to release NTLMv2 in 1996 with Windows NT 4.0 SP4.
How does NTLM Work?
NTLM is a challenge-response protocol used by servers to authenticate clients using password hashes. Its original incarnation, NTLMv1, used a fairly simple (and easily compromised) authentication method. Microsoft describes the process by which NTLM authenticates users as follows:
NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user's password. NTLM uses an encrypted challenge/response protocol to authenticate a user without sending the user's password over the wire. Instead, the system requesting authentication must perform a calculation that proves it has access to the secured NTLM credentials.