NTLM (New Technology LAN Manager) is a legacy authentication protocol which was the default authentication method in Windows 95, 98, NT 4.0. It was superseded by Kerberos in Windows 2000 but is still supported as a fallback as of today.
The main concepts of NTLM authentication are
- NTLM only requires the client to communicate with the web server in order to authenticate. The web server handles the communication with the domain controller.
- Instead of a client sending passwords to the in plaintext, the password is hashed before being sent. Hashing is done without salt.
- NTLM supports cryptographic algorithms which are all considered vulnerable.
NTLM itself superseded the LM authentication protocol in 1993, mostly reusing the authentication mechanism while introducing the concept of the domain controller. In LM the password hashes had to be stored on every server which a user wanted to authenticate against. With usage of domain controllers, NTLM instead centralized the location of password hashes to a much smaller set of server which were trusted, the domain controllers.
NTLM exists in two versions, NTLMv1 and NTLMv2. The latter introduces some counter-measures to attacks which improves the security slightly while still being suceptable to other attacks.
NTLM Server Signing
NTLM cryptographic algorithms
The cryptographic algorithms used in NTLM depend on version
- NTLMv1 uses LM hash, an DES-based function
- NTLMv2 uses NT hash, a MD4-based function