Last Updated on January 3, 2025 by Deepanshu Sharma
What Is NTLM?
NTLM is an authentication protocol used to verify users’ identities in an IT system. It was released in 1993 and later improved in 1998 with NTLMv2. NTLM is the successor to the older LM protocol, which was used in Microsoft’s LAN Manager product in the 1980s. During that time, computer networks were simpler and not connected to the internet. The main concern was the theft of user passwords through eavesdropping on network logon traffic. To mitigate this risk, NTLM does not send user passwords across the network. Instead, it uses a password hash as proof of the user’s knowledge of the password.
How Does NTLM Work?
Here’s a step-by-step process of how NTLM Authentication works:
- Client Request: The client sends a request to access a network resource (e.g., a file share, a web server) on the server.
- Server Challenge: The server responds with a challenge, a random value that the client needs to use in the authentication process. The challenge is a unique value for each authentication attempt.
- Client Response (NTLMv1): The client computes an NTLMv1 response from the server's challenge and the NTLM hash of the user's password, and sends it back together with the username. The NTLM hash is a one-way hash of the password, so the password itself never leaves the client, which is safer than sending it in plaintext.
- Server Verification (NTLMv1): The server receives the client’s response and uses the stored NTLM hash of the user’s password to verify the response. If the response is valid, the server grants access to the requested resource.
- Client Response (NTLMv2): In the more secure variant, the client uses NTLMv2 instead: the response is computed from the challenge together with additional data, such as the client's and server's timestamps, which makes it more resistant to certain attacks than NTLMv1.
- Server Verification (NTLMv2): If the client uses NTLMv2, the server verifies the response using the stored NTLM hash of the user’s password and additional data from the authentication request.
- Access Granted: If the server verifies the client’s response (either NTLMv1 or NTLMv2), it grants access to the requested network resource. The client can now access the resource securely.
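The exchange described in steps 2, 5 and 6 above, as an added example rather than code from the article: a stand-alone Python re-implementation of the NTLMv2 computation from Microsoft's MS-NLMP specification, with the client building the response and the server checking it from nothing but the stored NT hash. MD4 is written out because `hashlib.new('md4')` is missing on many OpenSSL 3 builds. The account `jdoe`/`CORP`, the password, the server name `FS01` and the challenges are constructed sample values.

```python
# Added example (not code from the article): NTLMv2 challenge-response as
# computed by the client and checked by the server, per MS-NLMP, using only
# the Python standard library. Account, challenge and target info are constructed.
import hashlib
import hmac
import os
import struct
import time

_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib.new('md4') is absent on
    many OpenSSL 3 builds; NTLM still depends on this broken digest."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & _MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). No salt: equal passwords hash equally."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPERCASE(user) + domain))."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def client_response(nt, user, domain, server_challenge, target_info, client_nonce=None, ts=None):
    """Step 5 (client): build NtProofStr || blob for the AUTHENTICATE message.
    The blob holds a FILETIME timestamp, an 8-byte client nonce and the
    server's target info; the HMAC covers the server challenge and the blob."""
    client_nonce = client_nonce or os.urandom(8)
    if ts is None:
        ts = int((time.time() + 11644473600) * 10_000_000)  # FILETIME: 100 ns ticks since 1601
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", ts)
            + client_nonce + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(stored_nt, user, domain, server_challenge, response):
    """Step 6 (server): recompute NtProofStr from the stored NT hash and the
    blob the client sent, then compare in constant time. The server never sees
    the password; the stored hash alone suffices, which is what pass-the-hash abuses."""
    if len(response) < 16:
        return False
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain),
                        server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo() -> dict:
    """One genuine exchange plus two failure cases; returns the verdicts."""
    user, domain, password = "jdoe", "CORP", "Winter2024!"  # constructed account
    stored_nt = nt_hash(password)  # what the server (or DC) holds, never the password
    # Target info (AV_PAIRs) from the server's CHALLENGE message: NetBIOS domain
    # name (AvId 2), NetBIOS server name (AvId 1), end of list (AvId 0).
    target_info = b"".join(struct.pack("<HH", av_id, len(val)) + val for av_id, val in
                           ((2, "CORP".encode("utf-16-le")), (1, "FS01".encode("utf-16-le")), (0, b"")))
    challenge = os.urandom(8)  # step 2: fresh random server challenge
    response = client_response(stored_nt, user, domain, challenge, target_info)
    forged = client_response(nt_hash("wrong-guess"), user, domain, challenge, target_info)
    return {
        "genuine": server_verify(stored_nt, user, domain, challenge, response),
        "wrong_password": server_verify(stored_nt, user, domain, challenge, forged),
        # A captured response replayed against a new challenge fails, because the
        # server challenge is bound into the HMAC.
        "replayed": server_verify(stored_nt, user, domain, os.urandom(8), response),
        "password_on_wire": password.encode("utf-16-le") in challenge + response,
    }


if __name__ == "__main__":
    print(demo())
```

Two things the code makes visible that the step list only states: the fresh server challenge is what defeats replay of a captured response, and the server side needs only the stored NT hash, which is why that hash is password-equivalent and why pass-the-hash works against NTLM.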
Difference Between NTLM And Kerberos
Kerberos is the authentication protocol that replaced NTLM as the default on Windows 2000 and later. The main difference lies in the authentication flow: NTLM uses a three-way handshake between client and server, whereas Kerberos uses a two-part, ticket-based process involving a Key Distribution Center (KDC) and its Ticket Granting Service. Another difference is that NTLM relies on password hashing, while Kerberos relies on encryption. Although Kerberos is the default, Windows still falls back to NTLM when Kerberos authentication cannot be completed.
The Problem With NTLM Authentication
NTLM is an outdated and weak protocol that is not secure by today's standards. It is vulnerable to a range of attacks and lacks important security features such as multifactor authentication. The password hash it relies on, the NT hash, is an unsalted MD4 hash: MD4 is a broken algorithm, and the absence of a salt means that captured hashes can be attacked offline by brute force and that identical passwords always produce identical hashes. NTLM also offers no way to use modern cryptographic methods. Overall, NTLM is easily compromised and should be replaced with more secure protocols such as Kerberos.
NTLM Benefits and Challenges
As noted above, NTLM is an outdated protocol and offers limited benefits compared with modern solutions like Kerberos. It does still achieve its original purpose: the password itself is never transmitted unprotected over the network. Nevertheless, relying on NTLM authentication has clear disadvantages:
- Limited authentication: NTLM is a plain challenge-response protocol and does not support multifactor authentication (MFA), which strengthens verification by requiring more than one piece of evidence from the user.
- Security vulnerabilities: NTLM's simplistic password hashing leaves systems open to attacks such as pass-the-hash (the stored hash alone is sufficient to authenticate, so a stolen hash is as good as the password) and brute-force cracking.
- Outdated cryptography: NTLM does not use modern encryption to protect password material.
How Can You Protect Your Network Using NTLM?
To improve security, organizations should minimize their use of NTLM because of its well-known weaknesses. For organizations that must keep NTLM for compatibility reasons, the following recommendations apply:
- Implement NTLM mitigations: To protect against NTLM relay attacks, enable server signing and Extended Protection for Authentication (EPA) on all relevant servers.
- Apply patches: Keep systems current with the latest Microsoft security updates.
- Utilize advanced techniques: Adopt NTLM relay detection and prevention techniques such as channel binding, which protects the integrity of an NTLM session by binding it to the underlying transport channel.
- Identify weak NTLM variations: Some NTLM clients use weak variants that do not send a Message Integrity Code (MIC), which leaves the network more exposed to NTLM relay attacks. Identify and remediate these clients.
- Monitor NTLM traffic: Audit NTLM usage closely across the network and restrict insecure NTLM traffic based on what the audit shows.
- Eliminate LM responses: Remove clients that still send LAN Manager (LM) responses and configure Group Policy network security settings so that servers refuse LM responses.
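The last three recommendations (find weak variants, monitor NTLM use, eliminate LM responses) all start from the same evidence: which logons actually used LM or NTLMv1. As an added example, not code from the article, the Python below parses the message text of Windows Security event 4624, whose real "Package Name (NTLM only)" field records the NTLM flavour of each network logon, and produces a per-workstation worklist. The event texts are constructed samples laid out like a real 4624 message; the account names, hosts, addresses and the remediation hints in `WEAK_PACKAGES` are mine, and on a live system the same parser would be fed the message body exported from the Security log.

```python
# Added example (not code from the article): flag logons that used the weak
# NTLM variants (LM and NTLMv1) by parsing the message text of Windows
# Security event 4624. The events below are constructed samples in the 4624 layout.
import re
from collections import Counter

EVENT_4624 = (
    "An account was successfully logged on.\n"
    "Logon Type:\t\t\t3\n"
    "New Logon:\n"
    "\tAccount Name:\t\t{account}\n"
    "\tAccount Domain:\t\t{domain}\n"
    "Network Information:\n"
    "\tWorkstation Name:\t{workstation}\n"
    "\tSource Network Address:\t{src}\n"
    "Detailed Authentication Information:\n"
    "\tLogon Process:\t\t{proc}\n"
    "\tAuthentication Package:\t{auth}\n"
    "\tPackage Name (NTLM only):\t{pkg}\n"
)

# Constructed: (account, domain, workstation, source IP, logon process, auth package, NTLM package)
SAMPLE_EVENTS = [EVENT_4624.format(account=a, domain=d, workstation=w, src=s, proc=p, auth=au, pkg=pk)
                 for a, d, w, s, p, au, pk in (
    ("jdoe", "CORP", "WS01", "10.0.0.5", "NtLmSsp", "NTLM", "NTLM V2"),
    ("svc_backup", "CORP", "LEGACY01", "10.0.0.77", "NtLmSsp", "NTLM", "NTLM V1"),
    ("asmith", "CORP", "WS02", "10.0.0.6", "Kerberos", "Kerberos", "-"),
    ("mfp_scan", "CORP", "MFP-03", "10.0.0.90", "NtLmSsp", "NTLM", "LM"),
    ("rlee", "CORP", "LEGACY01", "10.0.0.77", "NtLmSsp", "NTLM", "NTLM V1"),
)]

# One "Field:<tabs>Value" pair per line; keys may contain spaces and parentheses.
FIELD_RE = re.compile(r"^[ \t]*([^:\t\n]+):[ \t]*(.*?)[ \t]*$", re.M)

# The variants the recommendations above say to remediate (hint text is mine).
WEAK_PACKAGES = {
    "LM": "LAN Manager response: configure policy to refuse LM, retire or fix the client",
    "NTLM V1": "NTLMv1 (no MIC, relay-exposed): move the client to NTLMv2 or Kerberos",
}


def parse_event(text: str) -> dict:
    """Turn the 'Field: Value' lines of a 4624 message into a dict.
    Section headers such as 'New Logon:' parse to empty values and are ignored."""
    return {m.group(1).strip(): m.group(2) for m in FIELD_RE.finditer(text)}


def find_weak_logons(events) -> list:
    """Return one finding per NTLM logon that used LM or NTLMv1."""
    findings = []
    for text in events:
        f = parse_event(text)
        if f.get("Authentication Package") != "NTLM":
            continue  # Kerberos logons carry '-' in the NTLM package field
        pkg = f.get("Package Name (NTLM only)", "")
        if pkg in WEAK_PACKAGES:
            findings.append({
                "account": f"{f.get('Account Domain')}\\{f.get('Account Name')}",
                "workstation": f.get("Workstation Name"),
                "source": f.get("Source Network Address"),
                "package": pkg,
                "action": WEAK_PACKAGES[pkg],
            })
    return findings


def by_workstation(findings) -> Counter:
    """Count weak logons per (workstation, package): the remediation worklist."""
    return Counter((x["workstation"], x["package"]) for x in findings)


if __name__ == "__main__":
    found = find_weak_logons(SAMPLE_EVENTS)
    for x in found:
        print(f"{x['package']:8} {x['account']:18} from {x['workstation']} ({x['source']}): {x['action']}")
    print(by_workstation(found))
```

Grouping by workstation rather than by account is deliberate: the NTLM flavour is chosen by the client's configuration, so the fix (raising the client's LM/NTLM level or replacing the device) is applied per host, and a host that repeatedly shows up with NTLMv1 or LM is exactly the "weak variation" the recommendations tell you to find before tightening the server-side policy.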
Conclusion
The NTLM authentication protocol is outdated and has several weaknesses that make it insecure, including easily cracked password hashes and vulnerability to pass-the-hash attacks. NTLM also lacks modern security features such as mutual authentication and session security, making it unsuitable for current network environments. It has limited interoperability with other authentication protocols and does not handle large-scale authentication requests efficiently. Organizations should consider migrating to more secure, modern protocols such as Kerberos or OAuth to improve security, interoperability, and scalability, which will help protect sensitive data, mitigate risk, and integrate with modern technologies.