NTLM Authentication & NTLM Relay Attack

NTLM (NT LAN Manager) is an older Microsoft authentication protocol still used in many Windows environments. It uses a challenge-response mechanism. It is vulnerable to pass-the-hash and relay attacks, which is why Kerberos is preferred.

Hash Types
NT Hash: MD4(unicode(pwd))
NTLMv1: DES(challenge, hash)
NTLMv2: HMAC-MD5(hash, challenge+nonce)