NTLM Authentication Brief

What It Is

NTLM is a challenge-response authentication protocol embedded inside other protocols (SMB, HTTP, LDAP). The server sends a challenge, the client computes a response using the NT hash, and the domain controller verifies it. The password and hash are never sent directly over the wire.

Core Security Insight

The hash is the secret, not the password. Anyone who possesses the NT hash can compute valid authentication responses without knowing the original password. This is the fundamental property that enables Pass the Hash. Combined with the lack of mutual authentication (the client cannot verify the server), NTLM enables both hash reuse and relay attacks.

Key Properties

  • Challenge-response — server issues challenge, client computes response using the NT hash, DC verifies via pass-through authentication
  • Hash is the credential — the NT hash alone is sufficient to authenticate; no password needed
  • Embedded protocol — rides inside SMB, HTTP, LDAP; appears in many network contexts
  • No mutual authentication — client cannot verify server identity; enables relay attacks
  • NTLMv2 improves response calculation but does not fix the fundamental design issues
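
To make the "hash is the credential" property concrete, here is an added example (not part of the original brief) that simulates an NTLMv2 exchange in Python: the client derives its response from the NT hash, the domain controller verifies it with the hash it has stored, and the password is never an input on either side. The NT hash, user and domain are constructed placeholders, and the blob omits the AV pairs a real client includes.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values, not real credentials. A real NT hash is
# MD4(UTF-16LE(password)); here it is a fixed placeholder, which is the point:
# nothing below ever touches the password, only this 16-byte hash.
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
USER, DOMAIN = "alice", "CORP"


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP): HMAC-MD5 keyed by the NT hash over UPPER(user) + domain."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def client_response(nt_hash, user, domain, server_challenge, client_challenge, timestamp):
    """Client side: build the NTLMv2 blob and NTProofStr. Input is the hash, never the password."""
    blob = (
        b"\x01\x01" + b"\x00" * 6                # RespType, HiRespType, reserved
        + struct.pack("<Q", timestamp)           # FILETIME timestamp
        + client_challenge                       # 8-byte client nonce
        + b"\x00" * 4                            # reserved
        + b"\x00" * 4                            # AV pairs: only MsvAvEOL (simplified)
    )
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob                          # NTProofStr || blob, as carried in AUTHENTICATE


def dc_verify(stored_nt_hash, user, domain, server_challenge, response):
    """DC side (pass-through): recompute NTProofStr from the stored NT hash and compare."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def simulate_exchange(client_hash=NT_HASH, stored_hash=NT_HASH):
    """One full round: CHALLENGE -> AUTHENTICATE -> pass-through verification at the DC."""
    server_challenge = os.urandom(8)             # server nonce from the CHALLENGE message
    response = client_response(client_hash, USER, DOMAIN, server_challenge, os.urandom(8), 0)
    return dc_verify(stored_hash, USER, DOMAIN, server_challenge, response)


if __name__ == "__main__":
    print("valid hash accepted:", simulate_exchange())                       # True
    print("wrong hash accepted:", simulate_exchange(client_hash=bytes(16)))  # False
```

Because NTProofStr is keyed to the server challenge, a captured response does not verify against a fresh challenge; that is why a Net-NTLMv2 capture is only useful for offline cracking or for relaying while the original challenge is still live.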

Interview Phrasing

NTLM is a challenge-response protocol still widely used as a fallback alongside Kerberos. The critical property is that the NT hash alone is sufficient to authenticate — if an attacker extracts the hash, they can log in without knowing the password. NTLM also lacks mutual authentication, enabling relay attacks. It persists because disabling it entirely is a significant operational challenge for most organizations.

Common Pitfalls

  • Saying NTLM sends the password over the network — it uses challenge-response to avoid this
  • Believing Kerberos fully replaced NTLM — NTLM remains active as a fallback in most environments
  • Treating NTLM hashes as equivalent to passwords — a hash authenticates directly (PtH) but does not reveal the password without cracking
  • Confusing NT hash with Net-NTLMv2 hash — NT hash works for PtH; Net-NTLMv2 is a challenge-response capture that can only be cracked