NTLM
Good resource: https://systemweakness.com/difference-between-nt-lm-ntlm-net-ntlmv1-v2-ntlmv1-v2-hashes-c6df0afde008
The Windows OS stores hashed user account passwords locally in the SAM (Security Accounts Manager) database.
This can be done by copying the SAM and SYSTEM registry hives from a system.
Authentication and verification of user credentials is facilitated by the Local Security Authority (LSA) or LSASS.
● Windows versions up to Windows Server 2003 utilize two different types of hashes:
-
**"LM" Hash:**
Format example: 299BD128C1101FD6. Converts the user's password to uppercase.
The older, extremely weak algorithm, extremely vulnerable to brute-force attacks. Uses the DES algorithm: "VERY WEAK & 100% Crackable".
-
**"NTLM" or (NT) Hash:**
Format example: B4B9B02E6F09A9BD760F388B67351E2B
The newer algorithm (also called the NT hash). Uses the MD4 hash and is case-sensitive, unlike LM. NT hashes are also not salted, which makes them vulnerable to rainbow-table attacks.
-
Windows disables LM hashing and utilizes NTLM hashing from Windows Vista onwards.
-
In modern Windows systems, when you see "NTLM hash," it typically refers to both components stored in the format:
LM hash:NT hash
-
In modern versions of Windows, the SAM database is encrypted with a syskey.
Note: Elevated/Administrative privileges are required in order to access and interact with the LSASS process.
● NTLM
When a user account is created, its password is hashed using the MD4 algorithm, and the original plaintext password is discarded.
● NTLM improves upon LM in the following ways:
- Does not split the hash into two chunks.
- Case sensitive.
- Allows the use of symbols and unicode characters.
But it is still vulnerable to pass-the-hash attacks.
Crack NTLM hashes:
If collected via Meterpreter, the format looks like this and does not need to be reformatted:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
bob:1009:aad3b435b51404eeaad3b435b51404ee:5835048ce94ad0564e29a924a03510ef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
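The two points above worth seeing in code are that the NT hash is plain, unsalted MD4 over the UTF-16LE password, and that the Meterpreter dump format is `user:RID:LM:NT:::`. The following is an added example, not part of the original notes: it implements MD4 in pure Python (so it runs even where OpenSSL refuses the legacy md4 algorithm), computes NT hashes, parses the three dump lines shown above, and audits them the way a defender would, flagging accounts that still have an LM hash stored, accounts with an empty password, and accounts whose NT hash matches a small constructed banned-password list. The names `nt_hash`, `parse_hashdump`, `audit` and the banned list are assumptions for this example. Because the hash is unsalted, one MD4 per banned word checks every account at once, which is exactly the property that makes rainbow tables work against it.

```python
# Added example, not from the original notes: pure-Python MD4, NT hash,
# and a defender-side audit of hashdump-style lines.
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of `data` (16 bytes, little-endian words)."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    f = lambda x, y, z: (x & y) | (~x & z)            # round 1
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)  # round 2
    h = lambda x, y, z: x ^ y ^ z                    # round 3
    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0x00000000),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, order, shifts, const in rounds:
            for i in range(16):
                j = (-i) % 4  # which word acts as 'a' in this step: A, D, C, B, ...
                v[j] = _rotl((v[j] + fn(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4])
                              + x[order[i]] + const) & _MASK, shifts[i % 4])
        state = [(s + w) & _MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE encoded password, with no salt."""
    return md4(password.encode("utf-16le")).hex()


# LM field emitted when no LM hash is stored (LM hashing disabled), and the
# NT hash of the empty password (MD4 of zero bytes).
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"
BLANK_NT = nt_hash("")  # 31d6cfe0d16ae931b73c59d7e0c089c0

# The three dump lines from the notes above.
SAMPLE_HASHDUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
bob:1009:aad3b435b51404eeaad3b435b51404ee:5835048ce94ad0564e29a924a03510ef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_hashdump(text: str):
    """Parse user:RID:LM:NT::: lines into dicts; hashes are normalised to lowercase."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, rid, lm, nt = line.split(":")[:4]
        rows.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return rows


def audit(rows, banned_passwords):
    """Return {user: [findings]} for stored LM hashes, empty passwords and banned passwords."""
    banned = {nt_hash(p): p for p in banned_passwords}  # one MD4 per word covers all users
    findings = {}
    for r in rows:
        issues = []
        if r["lm"] != BLANK_LM:
            issues.append("lm-hash-stored")
        if r["nt"] == BLANK_NT:
            issues.append("empty-password")
        elif r["nt"] in banned:
            issues.append("banned-password:" + banned[r["nt"]])
        findings[r["user"]] = issues
    return findings


if __name__ == "__main__":
    # Constructed banned list for the demo; a real audit would use an org-wide list.
    for user, issues in audit(parse_hashdump(SAMPLE_HASHDUMP), ["password", "Welcome1"]).items():
        print(f"{user}: {', '.join(issues) or 'ok'}")
```

Running it shows that every account has the blank LM value (LM hashing is disabled, as expected from Vista onwards), that the Guest account's NT hash is the hash of the empty password, and that the Administrator's hash equals the NT hash of "password". The same check works against any dump in this format because nothing per-user (no salt) goes into the hash.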