NTLM (NT LAN Manager) is a suite of Microsoft security protocols used for authentication, integrity, and confidentiality, built on a three-way challenge/response mechanism. It acts as a legacy single sign-on (SSO) tool and is still used where Kerberos is not available.
How NTLM Authentication Works
NTLM uses a three-way challenge/response mechanism in which the password itself is never sent over the wire:
- Negotiation: The client sends a negotiate message to the server.
- Challenge: The server replies with a random 64-bit number, the challenge.
- Response: The client encrypts this challenge using the hash of the user's password and sends the result back, proving knowledge of the credential without ever transmitting the password itself.
Key Benefits of NTLM
- Single Sign-On (SSO): Users can authenticate to network resources automatically using their logged-in credentials.
- Compatibility: Essential for legacy systems, workgroups, and applications that do not support modern authentication such as Kerberos.
- Security Services: Beyond authentication, it provides message integrity and confidentiality.
Limitations and Vulnerabilities
- Weak Cryptography: NTLMv1 uses weak hashing, and while NTLMv2 is stronger, both are considered insecure by modern standards.
- Pass-the-Hash Attacks: Attackers who steal the hashed password can use it directly to impersonate the user, because the hash is all the protocol requires to compute a valid response.
- Relay Attacks: NTLM is susceptible to reflection and relay attacks, in which an attacker intercepts an authentication exchange and tricks a server into granting access.
- No Multi-Factor Authentication (MFA): NTLM does not support modern multi-factor authentication methods.