Authentication Glossary

NTLM - NT LAN Manager Authentication

NTLM (NT LAN Manager) is a Windows authentication protocol based on a challenge-response mechanism keyed with the NT hash. Although Kerberos has replaced it as the primary Active Directory protocol, NTLM is still used for local logins, fallback authentication, and SMB connections. Critical NTLM attacks: Pass-the-Hash (PtH) – authentication with the hash alone, no plaintext password needed; NTLM Relay – the attacker forwards a client's authentication to another server; Responder – capture of NTLM challenge/response pairs on the local network.

According to Microsoft, NTLM should have been phased out long ago—but in practice, NTLM is still active in virtually every Active Directory environment. And as long as NTLM is active, pass-the-hash, NTLM relay, and responder attacks are possible. A single compromised NT hash is sufficient for lateral movement—no plaintext password is required.

NTLM Protocol

Challenge-Response Flow

  1. Client → Server: NEGOTIATE (Capabilities)
  2. Server → Client: CHALLENGE (8-byte random value)
  3. Client → Server: AUTHENTICATE (response computed from the NT hash and the challenge)
    • NTLM Response = HMAC-MD5(NT Hash, Challenge) (simplified: NTLMv2 keys the HMAC with a per-user key derived from the NT hash and covers the server challenge plus client-supplied data; NTLMv1 instead encrypts the challenge with DES)

Design Vulnerability

  • The NT hash is the secret key—not the plaintext password
  • Anyone who knows the NT hash can authenticate themselves (pass-the-hash)
  • The hash itself is never transmitted during the challenge-response exchange, but a captured challenge/response pair can be cracked offline against password candidates

NT Hash Calculation:

NT Hash = MD4(Unicode(password))

MD4 is cryptographically broken, and the NT hash is unsalted: identical passwords always produce identical hashes, so precomputed rainbow tables for NT hashes are available.

Where NTLM is still active

  • Local Windows logins (no Kerberos)
  • Workgroup authentication
  • SMB connections to legacy systems
  • IIS authentication (NTLM HTTP)
  • Fallback when Kerberos fails (common)

NTLM Attacks

1. Pass-the-Hash (PtH)

The attacker steals the NT hash (from LSASS, SAM, or the domain) and uses it directly for authentication—no password required. Works for: SMB, RDP (Restricted Admin), WMI.

Hash sources:

  • LSASS dump (Mimikatz, Task Manager, ProcDump)
  • SAM file (local hashes, if admin): reg save HKLM\SAM
  • ntds.dit dump (all domain hashes via DCSync)
  • Credential cache
# PtH with Impacket:
psexec.py -hashes :NTLM_HASH_HERE domain.local/Administrator@TARGETIP
smbclient.py -hashes :NTLM_HASH_HERE domain.local/Administrator@TARGETIP
wmiexec.py -hashes :NTLM_HASH_HERE domain.local/Administrator@TARGETIP

# PtH with CrackMapExec (CME):
cme smb 192.168.1.0/24 -u Administrator -H NTLM_HASH --shares
cme smb TARGET -u Administrator -H NTLM_HASH -x "whoami"

Limitations:

  • NTLM only (Kerberos requires a ticket, not the hash)
  • Windows "Protected Users" security group blocks PtH
  • LocalAccountTokenFilterPolicy: with the default value (0), local accounts other than the built-in Administrator receive a filtered (non-admin) token for network logons, so remote admin via PtH with local accounts is restricted

2. NTLM Hash Capturing (Responder)

On the local network, the attacker answers broadcast name-resolution requests sent via LLMNR (Link-Local Multicast Name Resolution) and NBT-NS. Such requests arise, for example, when a user mistypes a hostname such as “FILESERV”: DNS cannot resolve it, so the client falls back to broadcasting. The attacker answers "I am FILESERV!", the client starts the NTLM authentication flow against the attacker, and the attacker captures the challenge/response pair (the NetNTLM hash).

# Responder (for authorized testing):
responder -I eth0 -w -r -f
# → Captures NTLM hashes on the network
# → Saves to Responder/logs/

# Hash cracking:
hashcat -m 5600 captured-hashes.txt wordlist.txt
# -m 5600 = NetNTLMv2

Protection against Responder:

  • Disable LLMNR (GPO: Computer Configuration → Administrative Templates → DNS Client)
  • Disable NBT-NS (Network Settings → WINS → Disable NetBIOS)
  • Disable mDNS
  • Firewall: Block UDP 5355 (LLMNR) and UDP 137 (NBT-NS) internally

3. NTLM Relay Attack

The attacker intercepts an NTLM handshake and forwards it to another server. The client authenticates with the attacker, who then relays the authentication to the target server. No password cracking required.

# ntlmrelayx (Impacket, for authorized testing):
ntlmrelayx.py -tf targets.txt -smb2support
# + Responder (without SMB listener) on the same network
# → Captured NTLM → automatically relayed to all targets!

# Check which hosts have SMB signing disabled:
cme smb 192.168.1.0/24 --gen-relay-list targets.txt

Multi-relay scenarios:

  • NTLM → SMB: Code execution via smbexec/psexec
  • NTLM → LDAP: Grant DCSync permissions
  • NTLM → HTTP/ADCS: ESC8 (Certificate Enrollment)
  • NTLM → Exchange: Mailbox access

SMB signing: Without signing, NTLM relay over SMB is possible. With SMB signing, every SMB message carries a MAC computed with a session key derived from the authentication; a relaying attacker never obtains that key, so the relayed session cannot be used.

4. NTLMv1 Downgrade

NTLMv1 is weaker than NTLMv2; where clients are still permitted to send NTLMv1 responses, a downgrade can be forced through challenge manipulation, and the resulting NTLMv1 responses can be cracked with specialized rainbow tables (crack.sh).

# Protection via GPO:
Network security: LAN Manager authentication level →
"Send NTLMv2 response only. Refuse LM & NTLM"

Disable NTLM

Step 1 - Determine NTLM usage

// Windows Event Log: Event ID 4776 (NTLM authentication)
// Sentinel KQL:
SecurityEvent
| where EventID == 4776  // NTLM Credential Validation
| summarize count() by Account, WorkstationName, Computer
| order by count_ desc

Identify problematic NTLM sources: printers, scanners (often NTLM only), older applications with hardcoded NTLM, NAS devices.
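As an added example (not part of the glossary entry), the following Python does for exported logon events what the KQL above does in Sentinel, and additionally covers the NTLMv1 downgrade concern from section 4: it inventories NTLM logons per source host and flags sources that still authenticate with NTLMv1. It reads Security event 4624 fields (Authentication Package and Package Name (NTLM only)) rather than 4776, because only 4624 records the NTLM version. The sample records, host names and addresses are constructed for this example.

```python
from collections import Counter

# Constructed sample records in the shape of Security event 4624 fields as exported
# by Get-WinEvent or the Sentinel SecurityEvent table; hosts, users and addresses
# are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "svc-print", "WorkstationName": "PRINTER-01",
     "IpAddress": "10.0.5.20", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "KeyLength": 128},
    {"EventID": 4624, "TargetUserName": "svc-print", "WorkstationName": "PRINTER-01",
     "IpAddress": "10.0.5.20", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "KeyLength": 128},
    {"EventID": 4624, "TargetUserName": "backup", "WorkstationName": "NAS-OLD",
     "IpAddress": "10.0.5.40", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "KeyLength": 0},
    {"EventID": 4624, "TargetUserName": "alice", "WorkstationName": "WS-0112",
     "IpAddress": "10.0.7.12", "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "KeyLength": 0},
    {"EventID": 4624, "TargetUserName": "app-legacy", "WorkstationName": "APP-ERP01",
     "IpAddress": "10.0.9.5", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "KeyLength": 128},
]


def ntlm_inventory(events):
    """Return (counts, ntlmv1_sources): NTLM logons per (host, address, version)
    plus the sorted list of (host, address) pairs that still use NTLMv1."""
    counts = Counter()
    v1_sources = set()
    for ev in events:
        # Only successful logons through the NTLM package matter here;
        # Kerberos logons are skipped.
        if ev.get("EventID") != 4624 or ev.get("AuthenticationPackageName") != "NTLM":
            continue
        key = (ev.get("WorkstationName", "-"), ev.get("IpAddress", "-"),
               ev.get("LmPackageName", "-"))
        counts[key] += 1
        if ev.get("LmPackageName") == "NTLM V1":
            v1_sources.add(key[:2])
    return counts, sorted(v1_sources)


def report(events):
    """Human-readable summary, most active NTLM sources first, NTLMv1 warnings last."""
    counts, v1_sources = ntlm_inventory(events)
    lines = [f"{n:5d}  {host:<12} {ip:<15} {version}"
             for (host, ip, version), n in counts.most_common()]
    for host, ip in v1_sources:
        lines.append(f"WARNING: {host} ({ip}) still uses NTLMv1; "
                     "fix or isolate it before enforcing 'NTLMv2 only'")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EVENTS)))
```

Run it against a real export by replacing SAMPLE_EVENTS with the parsed 4624 records from the domain controllers and the servers that still accept NTLM; the hosts at the top of the list are the ones the phased deactivation below has to deal with first.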

Step 2 - Audit Mode

GPO: Computer Configuration → Security Settings → Local Policies → Security Options
"Network security: Restrict NTLM: Audit Incoming NTLM Traffic" → Enable
"Network security: Restrict NTLM: Audit NTLM authentication in this domain" → Enable
→ audit for 7+ days → analyze the logs (the audit events are written to Applications and Services Logs → Microsoft → Windows → NTLM → Operational, event IDs 8001 to 8004)

Step 3 - Phased Deactivation

First, a 4-week audit phase, then block for clients (not servers) as a baseline:

GPO: "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
  → Deny all (for non-critical OUs first!)

Step 4 - Domain-wide deactivation

GPO: "Network security: Restrict NTLM: NTLM authentication in this domain"
  → Deny all
"Network security: LAN Manager authentication level" →
  "Send NTLMv2 response only. Refuse LM & NTLM"

Step 5 - Enforce SMB signing

# GPO:
# Microsoft network server → Digitally sign communications (always) → Enabled
# Microsoft network client → Digitally sign communications (always) → Enabled

Set-SmbServerConfiguration -RequireSecuritySignature $true
# Client side (outgoing SMB connections): Set-SmbClientConfiguration -RequireSecuritySignature $true
# → Prevents NTLM relay attacks over SMB!

Quick Win: Protected Users Security Group

Add all privileged accounts (admins) to the Protected Users group. Members cannot authenticate via NTLM, Kerberos delegation is not possible, and credential caching is prevented—immediate effect without completely disabling NTLM.