NTLM Hash Types
There are many hashing algorithms, but it is worth knowing the hash types you are most likely to encounter in Active Directory.
Depending on the hash type, you can either attempt lateral movement with the hash itself (pass-the-hash with an NT hash) or attempt to crack it offline to recover the password. Knowing where each hash type is used, and which ones are weaker or cheaper to brute-force, helps you prioritize what to do with captured material.
NTLM (NT LAN Manager)
The NT hash, commonly (if imprecisely) referred to as an NTLM hash, is the value Windows stores for a user's password and the key material the NTLM authentication protocol is built on. The hash itself involves no challenge; the challenge-response step belongs to the protocol (NTLMv1/NTLMv2 below), not to the hash.
The plaintext password is encoded as UTF-16LE (two bytes per character). There is no padding and no salt.
The UTF-16LE bytes are hashed with MD4, producing the 16-byte NT hash.
The LM hash is a separate, older value (DES over the uppercased, 14-character-padded password split into two halves), not the first half of the NT hash; it is disabled by default on modern systems.
Because MD4 is very fast and the NT hash is unsalted, two accounts with the same password have the same hash, precomputed tables work, and GPU brute force runs at tens of billions of guesses per second. The NT hash is also directly usable for pass-the-hash, so obtaining it is usually as good as obtaining the password.
The NTLMv1 response is not a new hash of the password; it is a challenge-response value computed from the NT hash and the server's challenge.
The plaintext password is encoded as UTF-16LE and hashed with MD4 to produce the 16-byte NT hash (as above).
The server sends the client a random 8-byte challenge.
Five zero bytes are appended to the 16-byte NT hash to form a 21-byte value.
The 21-byte value is split into three 7-byte DES keys (each expanded to 8 bytes with parity bits), and each key encrypts the same 8-byte server challenge with DES.
The three 8-byte ciphertexts are concatenated to form the 24-byte NTLMv1 response.
DES keys are only 56 bits, and because the third key consists of the last two bytes of the NT hash plus five zero bytes it has only 16 unknown bits. An attacker who controls the server can also fix the challenge, which makes the response crackable back to the NT hash itself (not just to a password guess). NTLMv1 is therefore considered insecure alongside the NT hash.
NTLMv2 improves on NTLMv1 by binding the response to the user and domain, to a client-chosen challenge and a timestamp, and by replacing DES with HMAC-MD5.
The plaintext password is encoded as UTF-16LE and hashed with MD4 to produce the NT hash.
The NTLMv2 hash (NTOWFv2) is HMAC-MD5 keyed with the NT hash over the UTF-16LE encoding of the uppercased username concatenated with the domain name.
The server sends the client a random 8-byte challenge; the client builds a blob containing a timestamp, its own 8-byte client challenge and the server's target information (AV pairs).
NTProofStr is HMAC-MD5 keyed with the NTLMv2 hash over the server challenge followed by the blob; the response sent to the server is NTProofStr followed by the blob.
Mixing the username, domain, client challenge and timestamp into the computation means two users with the same password produce different NTLMv2 hashes and no two exchanges repeat, so a captured response cannot be replayed or matched against precomputed tables. Note that the username and domain are predictable inputs, not a random salt: a captured NTLMv2 exchange (for example from Responder) can still be brute-forced offline with hashcat, one HMAC-MD5 per guess, and the NTLMv2 hash cannot be passed the way an NT hash can.
While NTLMv2 is the strongest NTLM option, NTLM authentication as a whole remains weaker than Kerberos: it has no mutual authentication by default, it is relayable, and it ultimately rests on the unsalted NT hash. Kerberos is preferred wherever it is available.
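The following is an added worked example, not code from the original page, implementing the NT hash and the NTLMv2 computation described above in Python. MD4 is written out in pure Python because hashlib's MD4 depends on OpenSSL's legacy provider and is often unavailable; the NTLMv1 DES step is not reproduced because DES is not in the standard library. The user, domain, password and server challenge values follow the MS-NLMP worked example, and the other sample inputs (client challenge, timestamp, target info, the toy wordlist) are constructed here to make the script run offline.

```python
"""NT hash, NTLMv2 hash and NTLMv2 challenge-response, written from the
MS-NLMP description of the algorithms (added example, not from the page)."""
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF


def _rol(x, n):
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: 16-byte digest, little-endian words. Pure Python on purpose."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda p, q, r: (p & q) | (~p & r)
    g = lambda p, q, r: (p & q) | (p & r) | (q & r)
    h = lambda p, q, r: p ^ q ^ r
    rounds = (
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        w = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rol(a + func(b, c, d) + w[k] + const, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE password. No salt, no challenge."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTLMv2 hash: HMAC-MD5 keyed with the NT hash over UTF-16LE(UPPER(user) + domain).
    Only the username is uppercased; the domain keeps its case."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def av_pairs(pairs) -> bytes:
    """Encode MS-NLMP AV_PAIR target info as (id, len, UTF-16LE value) records plus MsvAvEOL."""
    out = b""
    for av_id, value in pairs:
        v = value.encode("utf-16-le")
        out += struct.pack("<HH", av_id, len(v)) + v
    return out + struct.pack("<HH", 0, 0)


def ntlmv2_response(ntlmv2_hash: bytes, server_challenge: bytes, client_challenge: bytes,
                    timestamp: bytes, target_info: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || temp, with
    NTProofStr = HMAC-MD5(NTLMv2 hash, ServerChallenge || temp)."""
    temp = (b"\x01\x01" + b"\x00" * 6        # RespType, HiRespType, reserved
            + timestamp + client_challenge   # FILETIME (8) + client nonce (8)
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(ntlmv2_hash, server_challenge + temp, hashlib.md5).digest()
    return nt_proof + temp


def verify_ntlmv2(ntlmv2_hash: bytes, server_challenge: bytes, response: bytes) -> bool:
    """Server side: recompute NTProofStr from the stored hash and the blob the client sent."""
    nt_proof, temp = response[:16], response[16:]
    expected = hmac.new(ntlmv2_hash, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)


def hashcat_netntlmv2(user: str, domain: str, server_challenge: bytes, response: bytes) -> str:
    """Format a captured exchange the way hashcat mode 5600 (NetNTLMv2) expects it."""
    return f"{user}::{domain}:{server_challenge.hex()}:{response[:16].hex()}:{response[16:].hex()}"


def crack_nt_hash(target: bytes, wordlist):
    """Offline guessing against an unsalted NT hash: one MD4 per candidate, reusable across users."""
    for cand in wordlist:
        if nt_hash(cand) == target:
            return cand
    return None


if __name__ == "__main__":
    # Sample values: user/domain/password and server challenge from MS-NLMP's
    # worked example; client challenge, timestamp and wordlist constructed here.
    user, domain, password = "User", "Domain", "Password"
    server_challenge = bytes.fromhex("0123456789abcdef")
    client_challenge = os.urandom(8)
    ts = struct.pack("<Q", 0)  # FILETIME; real clients send the current time
    v2_hash = ntowf_v2(password, user, domain)
    resp = ntlmv2_response(v2_hash, server_challenge, client_challenge, ts,
                           av_pairs([(2, domain), (1, "Server")]))
    print("NT hash   :", nt_hash(password).hex())
    print("NTOWFv2   :", v2_hash.hex())
    print("verifies  :", verify_ntlmv2(v2_hash, server_challenge, resp))
    print("hashcat   :", hashcat_netntlmv2(user, domain, server_challenge, resp))
    print("cracked NT:", crack_nt_hash(nt_hash("password"), ["letmein", "password", "Summer2024"]))
```

Two things to notice when running it: `nt_hash` gives the same 16 bytes for every account with that password, which is what makes pass-the-hash and shared rainbow tables work, while `ntowf_v2` changes as soon as the username or domain changes, and `verify_ntlmv2` fails if either the server challenge or the stored hash differs from the one the client used. The `hashcat_netntlmv2` line is the format Responder writes out; cracking it is a per-guess HMAC-MD5, so it is slower than attacking a raw NT hash but still feasible for weak passwords.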