

How Does NTLM Authentication Work?

Computer networks are vulnerable to cyber attacks unless they are properly protected. One protection is to restrict access to shared data and services, so that only a designated user can access a network. The aim is to keep the data confidential.

Windows NT (New Technology) LAN Manager (NTLM) is the authentication protocol used to authenticate a client accessing a resource in the Active Directory domain. NTLM is a suite of security protocols intended to provide authentication, integrity, and confidentiality to users on a Windows network. NTLM was initially a proprietary protocol and later became available on non-Windows systems as well. NTLM passwords are considered weak because they are very easily compromised by brute-force attacks with modern hardware.

NTLM provides users with SSO (Single Sign-On) access to the Active Directory (AD) domain through the exchange of three messages containing the cryptographic handshake:

  • Client's negotiation message (Negotiate_Message)
  • Server's challenge message (Challenge_Message)
  • Client's authentication message (Authenticate_Message)

Because NTLM has vulnerabilities related to the password equivalence of the password hash, the need for a more secure authentication protocol arose. The protocol was replaced by the Kerberos authentication protocol after Windows 2000. NTLM has not been deprecated by Microsoft and still exists as a secondary authentication method for compatibility with legacy systems. NTLM's cryptography was introduced before newer algorithms such as AES or SHA-256 existed, which is the main reason it is susceptible to brute-force attacks on today's hardware.

NTLM uses a challenge-response protocol to check the authenticity of a network user. To do this, the client and host go through a series of steps:

  1. The client sends a username to the host.
  2. The host responds with a random number (i.e. challenge).
  3. The client then creates a hashed password value from this number and the user's password and then sends it back as a response.
  4. The host computer knows the user's password and creates its own hashed password value, which it then compares with the client's response.
  5. If both values match, the client's authenticity is confirmed and network access is granted. If there is no match between the values, the client is denied access.

How Does NTLM Authentication Work in an AD Environment?

NTLM Authentication allows the application server to act as an intermediary between the client and AD. The authentication process is passed to the Domain Controller in the form of a challenge, and if completed successfully, the application server authenticates the user. NTLM authenticates users through a challenge-response mechanism. This process consists of three messages:

  1. The client requests validation from the server (NTLM_AUTHENTICATE).
  2. The server sends a challenge message with a random string of characters (NTLMSSP_CHALLENGE).
  3. The client encrypts the challenge using its private key and sends it back.

During the authentication process, the client uses the MD4 hash of its password as the DES key (if NTLMv1 is in use) to encrypt the challenge. A plaintext password is never used during the authentication process. The only version used is a hashed version called an NT hash, which is a simple hash of the plaintext password.

NTLM Authentication Process:

  1. The user shares their username, password and domain name with the client.
  2. The client computes the encrypted version of the password, or hash, and deletes the entire password.
  3. The client transmits the plaintext version of the username to the corresponding application server.
  4. The application server responds to the client with a challenge, which is a 16-byte random number.
  5. In response, the client sends the challenge encrypted with the hash of the user's password.
  6. The application server then sends the challenge, response, and username to the domain controller (DC).
  7. The DC retrieves the user's password from the database and uses it to encrypt the challenge.
  8. The DC then compares the encrypted challenge and the client response. If these two parts match, the user is authenticated and access is granted.
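
The challenge-response steps above, sketched for NTLMv2 as an added example (not code from the original article): the client derives its response from the NT hash and the server challenge, and the DC recomputes it from the stored hash and compares. The NT hash, user name, domain and challenges are constructed sample values, and the MD4 step that produces the NT hash is skipped because MD4 is often unavailable in current Python builds.

```python
import hashlib
import hmac
import os
import struct
import time

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user)+domain in UTF-16LE."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()

def client_response(nt_hash, user, domain, server_challenge, target_info=b""):
    """Client side (step 5): build the response from the hash and the challenge."""
    # Windows FILETIME: 100 ns ticks since 1601-01-01.
    filetime = struct.pack("<Q", (int(time.time()) + 11644473600) * 10_000_000)
    # Blob: version bytes, padding, timestamp, 8-byte client nonce, target info.
    blob = (b"\x01\x01" + b"\x00" * 6 + filetime + os.urandom(8)
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob

def dc_verify(stored_nt_hash, user, domain, server_challenge, response) -> bool:
    """DC side (steps 7-8): recompute the proof from the stored hash and compare."""
    proof, blob = response[:16], response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)  # constant-time comparison

def demo():
    stored = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed NT hash
    wrong = bytes(16)                                           # constructed wrong hash
    # Fixed challenges keep the demo deterministic; a real server uses random bytes.
    challenge, later_challenge = bytes(range(8)), bytes(range(8, 16))
    good = client_response(stored, "alice", "EXAMPLE", challenge)
    bad = client_response(wrong, "alice", "EXAMPLE", challenge)
    return (
        dc_verify(stored, "alice", "EXAMPLE", challenge, good),        # right hash
        dc_verify(stored, "alice", "EXAMPLE", challenge, bad),         # wrong hash
        dc_verify(stored, "alice", "EXAMPLE", later_challenge, good),  # old response, new challenge
    )

if __name__ == "__main__":
    print(demo())
```

The plaintext password never appears in either function: both sides work from the hash alone, which is the password equivalence described earlier and the reason the hash store needs the same protection as the passwords themselves.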

NTLM Vulnerabilities

NTLM is an old protocol and has multiple vulnerabilities that can be exploited by attackers. Some of these vulnerabilities:

  • CVE-2019-1166 allows attackers to bypass MIC (Message Integrity Code) protection in NTLM authentication and modify any field in the NTLM message stream, including the signing requirement.
  • CVE-2019-1338: a 'security feature bypass' vulnerability exists in Microsoft Windows when a man-in-the-middle attacker can successfully bypass NTLMv2 protection if a client is also sending LMv2 responses.
  • According to researchers, man-in-the-middle (MitM) attackers can use this to authenticate and steal user data on critical servers such as OWA and ADFS.
  • Access to the system can be achieved using the hash attack method. NTLM hashes can be obtained using tools such as “” within Impacket to dump hashes on a compromised machine.
  • NTLM uses legacy encryption, so it cannot take advantage of the latest advances in encryption. Tools such as Hashcat can crack captured NTLMv2 hashes and recover the passwords used.

Why Is NTLM Still Used?

Although Kerberos has replaced NTLM due to its security vulnerabilities and deficiencies, NTLM support is still available on all Windows systems. The reasons for this are:

  • It is necessary to ensure compatibility with old systems.
  • NTLM authentication is used for local logon authentication on non-domain controllers.
  • It is used for Windows authentication on systems configured as a member of a workgroup.