# NTLM

NTLM is a collection of authentication protocols created by Microsoft. It is a **challenge-response authentication protocol** used to authenticate a client to a resource on an Active Directory domain.

It is a type of **single sign-on (SSO)** because it allows the user to provide the underlying authentication factor only once, at login.

The NTLM authentication process is done in the following way:

* The client sends the user name and domain name to the server.
* The server generates a random character string, referred to as the challenge.
* The client <mark style="color:red;">encrypts the challenge with the NTLM hash of the user password</mark> and sends it back to the server.
* The server retrieves the user's password (or equivalent).
* The server uses the hash value retrieved from the security account database to encrypt the challenge string. The value is then compared to the value received from the client. If the values match, the client is authenticated.

A more detailed explanation of the working of NTLM authentication can be found [here](https://www.ionos.com/digitalguide/server/know-how/ntlm-nt-lan-manager/).

### NTLM vs NTHash vs NetNTLMv2

The terminology around NTLM authentication is messy, and even pros misuse it from time to time, so let's get some key terms defined:

* A <mark style="color:yellow;">hash function</mark> is a one-way function that takes any amount of data and returns a fixed-size value. Typically, the result is referred to as a hash, digest, or fingerprint. Hashes are used for storing passwords more securely, as there's no way to convert the hash directly back to the original data (though there are attacks that attempt to recover passwords from hashes, as we'll see later). So a server can store a hash of your password; when you submit your password to the site, it hashes your input and compares the result to the hash in the database, and if they match, it knows you supplied the correct password.
* An <mark style="color:yellow;">NTHash</mark> is the output of the algorithm used to store passwords on Windows systems in the SAM database and on domain controllers. An NTHash is often referred to as an NTLM hash or even just an NTLM, which is very misleading / confusing.
* When the NTLM protocol wants to do authentication over the network, it uses a challenge / response model as described above. A NetNTLMv2 challenge / response is a string specifically formatted to include the challenge and response. This is often referred to as a NetNTLMv2 hash, but it's not actually a hash. Still, it is regularly referred to as a hash because we attack it in the same manner. You'll see NetNTLMv2 objects referred to as NTLMv2, or even confusingly as NTLM.
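The challenge / response exchange above and the NetNTLMv2 string it produces, as an added example that is not part of the original page. Function names are mine; the NTHash is embedded as a constant (the well-known NTHash of the password "password") rather than derived with MD4, so the block runs offline; the server-side check is what a domain controller or SAM-backed server does with the stored hash.

```python
import hmac
import hashlib
import struct
import time

# Constructed example value: the NTHash (MD4 over UTF-16LE) of "password".
# The client derives this from the typed password; the server reads it from
# the SAM / AD database. Embedded here so the example needs no MD4.
NTHASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")


def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    # NTOWFv2 (MS-NLMP): HMAC-MD5 keyed with the NTHash over
    # UTF-16LE(UPPERCASE(user) + domain); the domain keeps its case.
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def client_response(nthash, user, domain, server_challenge, client_challenge, timestamp, target_info=b""):
    # Client side: build the NTLMv2 "temp" blob (version bytes, FILETIME,
    # client nonce, target info) and prove knowledge of the NTHash with
    # NTProofStr = HMAC-MD5(NTOWFv2, server_challenge || temp).
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(ntowf_v2(nthash, user, domain), server_challenge + temp, hashlib.md5).digest()
    return nt_proof + temp  # NtChallengeResponse = NTProofStr || temp


def server_verify(nthash, user, domain, server_challenge, nt_challenge_response):
    # Server side: recompute NTProofStr from the stored NTHash, the challenge
    # it issued and the temp blob the client sent; compare in constant time.
    nt_proof, temp = nt_challenge_response[:16], nt_challenge_response[16:]
    expected = hmac.new(ntowf_v2(nthash, user, domain), server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)


def netntlmv2_line(user, domain, server_challenge, nt_challenge_response):
    # The so-called "NetNTLMv2 hash": user::domain:challenge:NTProofStr:temp
    # in hex. It is not a hash, just the challenge and response laid out together.
    nt_proof, temp = nt_challenge_response[:16], nt_challenge_response[16:]
    return f"{user}::{domain}:{server_challenge.hex()}:{nt_proof.hex()}:{temp.hex()}"


if __name__ == "__main__":
    server_challenge = bytes.fromhex("1122334455667788")   # constructed server nonce
    client_nonce = bytes.fromhex("aabbccddeeff0011")       # constructed client nonce
    filetime = int((time.time() + 11644473600) * 10_000_000)  # Windows FILETIME
    resp = client_response(NTHASH, "alice", "CORP", server_challenge, client_nonce, filetime)
    print(netntlmv2_line("alice", "CORP", server_challenge, resp))
    print("authenticated:", server_verify(NTHASH, "alice", "CORP", server_challenge, resp))
```

Note that the user name is uppercased before keying but the domain is not, so a verifier that normalises the domain differently from the client will reject valid responses.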
