
Windows New Technology LAN Manager (NTLM)

What is NTLM?

Introduced in 1993, NTLM is an upgraded version of its predecessor, LAN Manager (LM). First released with Windows NT 3.1, NTLM introduced the concept of a domain controller, which kept the password hashes for all users in a domain. NTLM has several advantages over its predecessor, including never transmitting a user's password in full, storing user passwords only as one-way hashes rather than in plaintext, and the ability to create user security tokens, which enable authorization as well as authentication.

Several flaws in NTLMv1 led Microsoft to introduce NTLMv2 in 1996 with Windows NT 4.0 SP4.

How does NTLM Work?

NTLM is a challenge-response protocol that servers use to authenticate clients on the basis of password hashes. Its original incarnation, NTLMv1, used a fairly simple (and easily compromised) authentication method. Microsoft describes the process by which NTLM authenticates users as follows:

NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user's password. NTLM uses an encrypted challenge/response protocol to authenticate a user without sending the user's password over the wire. Instead, the system requesting authentication must perform a calculation that proves it has access to the secured NTLM credentials.

What are common security concerns around NTLM?

NTLM is particularly vulnerable because it was not designed for, and does not support, modern cryptographic methods such as AES or SHA-256. This leaves NTLM exposed to brute-force attacks, relay attacks such as PetitPotam, and the well-known pass-the-hash attack. Attacks targeting NTLM are a common tactic, and ready-made tooling for them ships with free penetration-testing distributions such as Kali Linux.
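A defender's first step against the concerns above is knowing where NTLM, and especially the flawed NTLMv1, is still in use. The following Python is an added example (not from the page) that triages Windows Security event 4624 (successful logon) records and reports NTLM logons by version. The field names `AuthenticationPackageName`, `LmPackageName`, `LogonType`, `TargetUserName` and `IpAddress` are those of the 4624 event schema; the records themselves are constructed, and in practice would come from the Security log or a SIEM export.

```python
"""
Added example, not from the original page: inventory NTLM logons from
Windows Security event 4624 records and flag those still using NTLMv1.
The records below are constructed; field names follow the 4624 schema.
"""
from collections import Counter

# Constructed 4624/4625 records (subset of fields). LmPackageName is "-"
# for non-NTLM packages such as Kerberos.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "TargetUserName": "svc-backup", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1", "IpAddress": "10.0.0.77"},
    {"EventID": 4624, "TargetUserName": "bob", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "IpAddress": "10.0.0.12"},
    {"EventID": 4624, "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1", "IpAddress": "10.0.0.99"},
    {"EventID": 4625, "TargetUserName": "bob", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "-", "IpAddress": "10.0.0.12"},
]


def ntlm_logons(events):
    """Successful logons that used the NTLM package (any version)."""
    return [e for e in events
            if e["EventID"] == 4624 and e["AuthenticationPackageName"] == "NTLM"]


def ntlmv1_findings(events):
    """Sorted (account, source IP) pairs still authenticating with NTLMv1."""
    return sorted({(e["TargetUserName"], e["IpAddress"])
                   for e in ntlm_logons(events) if e["LmPackageName"] == "NTLM V1"})


def summarize(events):
    """Count of NTLM logons by LmPackageName, e.g. {'NTLM V1': 2, 'NTLM V2': 1}."""
    return dict(Counter(e["LmPackageName"] for e in ntlm_logons(events)))


if __name__ == "__main__":
    print("NTLM logons by version:", summarize(SAMPLE_EVENTS))
    for account, source in ntlmv1_findings(SAMPLE_EVENTS):
        print(f"NTLMv1 still in use: account={account!r} from {source}")
```

Running this over real exports turns the "NTLMv1 is flawed" statement into a concrete list of accounts and hosts to fix before NTLMv1 is refused outright via the LAN Manager authentication level policy (`LmCompatibilityLevel`); the same tally of NTLM versus Kerberos logons also measures progress toward retiring NTLM.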