# NTLM Hash Types

Many hashing algorithms exist, but it is worth knowing the hash types you are likely to encounter within Active Directory.

Depending on the hash type, you can either attempt lateral movement or attempt to crack the password hash. Knowing these hash types helps you understand where each kind of password hash is used, and which ones are weaker and easier to crack in a brute-force attack.

{% hint style="info" %}
For more information on Kerberos Authentication, check out [kerberos](https://stuff.weelee.zip/network/on-prem-active-directory/kerberos "mention") for a high-level overview.
{% endhint %}

## NTLM (NT LAN Manager)

{% tabs %}
{% tab title="NT Hash" %}
The NT Hash, commonly referred to as an NTLM hash, is used by the NTLM authentication protocol to verify user credentials during the authentication process. It relies on a server-challenge mechanism.

1. The plaintext is converted to UTF-16 to ensure consistent character representation (if the UTF-16 value is not a multiple of 16 bytes, null bytes (0x00) are appended)
2. The server sends the client a random 8-byte challenge value, which is combined with the 16-byte password to create a 24-byte value
3. The 24-byte value is hashed using the [MD4](https://nickthecrypt.medium.com/cryptography-hash-method-md4-message-digest-4-explained-with-python-f201b74f51d) hashing algorithm, which creates a 16-byte value, the first 8 bytes being the LM Hash and the second 8 bytes being the NT Hash

Due to the low complexity of the MD4 hashing algorithm, NTLM hashes are considered insecure.

{% hint style="info" %}
Example NT Hash: `8846F7EAEE8FB117AD06BDD830B7586C`\
\
NT/NTLM password hashes can be used in a Pass-The-Hash attack
{% endhint %}
{% endtab %}

{% tab title="NTLMv1" %}
The NTLMv1 hashing algorithm is very similar to the NT Hash algorithm, with some additional enhancements such as server challenge variability and extended character handling.

1. The plaintext is converted to UTF-16 to ensure consistent character representation (if the UTF-16 value is not a multiple of 14 bytes, null bytes (0x00) are appended)
2. The server sends the client a random 8-byte challenge value, which is combined with the 16-byte password to create a 22-byte value
3. The 24-byte value is hashed using the [MD4](https://nickthecrypt.medium.com/cryptography-hash-method-md4-message-digest-4-explained-with-python-f201b74f51d) hashing algorithm, which creates a 16-byte value
4. Five bytes of zeros are concatenated to the end of the 16-byte value to create a 21-byte value
5. The 21-byte value is split into three 7-byte values, each of which is used as a key to encrypt that same value with the DES encryption algorithm.
6. The three encrypted values are concatenated together to form the NTLMv1 hash

Due to the weakness of the DES encryption algorithm in today's world, NTLMv1 hashes are also considered insecure alongside NT Hashes.
{% endtab %}

{% tab title="NTLMv2" %}
The NTLMv2 hashing algorithm greatly improves upon its predecessor NTLMv1 by adding security enhancements such as a more complex server challenge format and using salts in the hashing process.

1. The plaintext is converted to UTF-16 to ensure consistent character representation
2. The server sends the client a random 8-byte challenge value
3. The client combines the UTF-16 password, 8-byte challenge, user info, and more
4. The entire combined value is hashed using the HMAC-MD5 algorithm to form the NTLMv2 hash

The inclusion of user information with the UTF-16 password and 8-byte challenge before hashing, as well as using a stronger hashing algorithm, HMAC-MD5, increases the complexity of NTLMv2 compared to its predecessors.

While NTLMv2 is stronger than the other NTLM options, NTLM authentication as a whole is still considered less secure than Kerberos authentication.
{% endtab %}
{% endtabs %}
