NTLM


In a Windows network, NT (New Technology) LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. [1] [2] [3] NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product. The NTLM protocol suite is implemented in a Security Support Provider, which combines the LAN Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in a single package. Whether these protocols are used or can be used on a system is governed by Group Policy settings, for which different versions of Windows have different default settings.


NTLM passwords are considered weak because they can be brute-forced very easily with modern hardware. [4]

Protocol

NTLM is a challenge–response authentication protocol which uses three messages to authenticate a client in a connection-oriented environment (connectionless is similar), and a fourth additional message if integrity is desired. [5] [6] [7] [8]

  1. First, the client establishes a network path to the server and sends a NEGOTIATE_MESSAGE advertising its capabilities. [9]
  2. Next, the server responds with CHALLENGE_MESSAGE which is used to establish the identity of the client. [10]
  3. Finally, the client responds to the challenge with an AUTHENTICATE_MESSAGE. [11]

The NTLM protocol uses one or both of two hashed password values, both of which are also stored on the server (or domain controller), and which through a lack of salting are password equivalent, meaning that if you grab the hash value from the server, you can authenticate without knowing the actual password. The two are the LM hash (a DES-based function applied to the first 14 characters of the password converted to the traditional 8-bit PC charset for the language), and the NT hash (MD4 of the little endian UTF-16 Unicode password). Both hash values are 16 bytes (128 bits) each. [12]

The NTLM protocol also uses one of two one-way functions, depending on the NTLM version; NT LanMan and NTLM version 1 use the DES-based LanMan one-way function (LMOWF), while NTLMv2 uses the NT MD4 based one-way function (NTOWF). [12] [13]

NTLMv1

The server authenticates the client by sending an 8-byte random number, the challenge. The client performs an operation involving the challenge and a secret shared between client and server, specifically one of the two password hashes described above. The client returns the 24-byte result of the computation. In fact, in NTLMv1 the computations are usually made using both hashes and both 24-byte results are sent. The server verifies that the client has computed the correct result, and from this infers possession of the secret, and hence the authenticity of the client.

Both the hashes produce 16-byte quantities. Five bytes of zeros are appended to obtain 21 bytes. The 21 bytes are separated in three 7-byte (56-bit) quantities. Each of these 56-bit quantities is used as a key to DES encrypt the 64-bit challenge. The three encryptions of the challenge are reunited to form the 24-byte response. Both the response using the LM hash and the NT hash are returned as the response, but this is configurable.

    C = 8-byte server challenge, random
    K1 | K2 | K3 = NTLM-Hash | 5-bytes-0
    response = DES(K1,C) | DES(K2,C) | DES(K3,C)

NTLMv2

NTLMv2, introduced in Windows NT 4.0 SP4 [14] (and natively supported in Windows 2000), is a challenge-response authentication protocol. It is intended as a cryptographically strengthened replacement for NTLMv1, enhancing NTLM security by hardening the protocol against many spoofing attacks and adding the ability for a server to authenticate to the client. [1] [15] [16]

NTLMv2 sends two responses to an 8-byte server challenge. Each response contains a 16-byte HMAC-MD5 hash of the server challenge, a fully/partially randomly generated client challenge, and an HMAC-MD5 hash of the user's password and other identifying information. The two responses differ in the format of the client challenge. The shorter response uses an 8-byte random value for this challenge. In order to verify the response, the server must receive as part of the response the client challenge. For this shorter response, the 8-byte client challenge appended to the 16-byte response makes a 24-byte package which is consistent with the 24-byte response format of the previous NTLMv1 protocol. In certain non-official documentation (e.g. DCE/RPC Over SMB, Leighton) this response is termed LMv2.

The second response sent by NTLMv2 uses a variable-length client challenge which includes (1) the current time in NT Time format, (2) an 8-byte random value (CC2 in the box below), (3) the domain name and (4) some standard format stuff. The response must include a copy of this client challenge, and is therefore variable length. In non-official documentation, this response is termed NTv2.

Both LMv2 and NTv2 hash the client and server challenge with the NT hash of the user's password and other identifying information. The exact formula is to begin with the NT hash, which is stored in the SAM or AD, and continue to hash in, using HMAC-MD5, the username and domain name. In the box below, X stands for the fixed contents of a formatting field.

    SC = 8-byte server challenge, random
    CC = 8-byte client challenge, random
    CC* = (X, time, CC2, domain name)
    v2-Hash = HMAC-MD5(NT-Hash, user name, domain name)
    LMv2 = HMAC-MD5(v2-Hash, SC, CC)
    NTv2 = HMAC-MD5(v2-Hash, SC, CC*)
    response = LMv2 | CC | NTv2 | CC*
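The NTLMv2 computation above, worked through in Python together with the server-side check, as an added example (not code from the original page or from Microsoft). The account, NT hash and challenge values are constructed samples, the function names are hypothetical, and the CC* layout follows the `temp` structure of MS-NLMP with a single constructed domain-name field.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not taken from any real system).
USER, DOMAIN = "alice", "EXAMPLE"
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")  # stored 16-byte NT hash
SC = bytes.fromhex("0123456789abcdef")        # server challenge (random in practice)
OTHER_SC = bytes.fromhex("fedcba9876543210")  # challenge issued for a later logon
CC = bytes.fromhex("a1a2a3a4a5a6a7a8")        # client challenge for LMv2
CC2 = bytes.fromhex("b1b2b3b4b5b6b7b8")       # client challenge inside CC*


def nt_time(unix_seconds: int) -> bytes:
    """NT Time: 100 ns ticks since 1601-01-01, 64-bit little-endian."""
    return struct.pack("<Q", (unix_seconds + 11644473600) * 10_000_000)


def v2_hash(nt_hash: bytes, user: str, domain: str) -> bytes:
    """v2-Hash = HMAC-MD5(NT-Hash, user name, domain name).
    MS-NLMP upper-cases the user name and encodes both as UTF-16LE."""
    ident = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, ident, hashlib.md5).digest()


def client_blob(cc2: bytes, timestamp: bytes, domain: str) -> bytes:
    """CC* = (X, time, CC2, domain name); X is the fixed formatting."""
    name = domain.encode("utf-16-le")
    # AV pairs: id 0x0002 (NetBIOS domain name), then id 0x0000 (end of list).
    target_info = struct.pack("<HH", 0x0002, len(name)) + name + struct.pack("<HH", 0, 0)
    return (b"\x01\x01" + b"\x00" * 6 + timestamp + cc2
            + b"\x00" * 4 + target_info + b"\x00" * 4)


def client_response(nt_hash, user, domain, sc, cc, blob):
    """Return (LMv2 | CC, NTv2 | CC*). Only the NT hash is needed, never the
    cleartext password, which is why the stored hash is password-equivalent."""
    key = v2_hash(nt_hash, user, domain)
    lmv2 = hmac.new(key, sc + cc, hashlib.md5).digest()
    ntv2 = hmac.new(key, sc + blob, hashlib.md5).digest()
    return lmv2 + cc, ntv2 + blob


def server_verify(stored_nt_hash, user, domain, sc, lm_resp, nt_resp) -> bool:
    """Recompute both MACs from the stored NT hash and the challenge that this
    server issued. Checking both responses is a simplification of this example."""
    if len(sc) != 8 or len(lm_resp) != 24 or len(nt_resp) <= 16:
        return False
    key = v2_hash(stored_nt_hash, user, domain)
    # The client challenges travel in the clear after each 16-byte MAC.
    exp_lm = hmac.new(key, sc + lm_resp[16:], hashlib.md5).digest()
    exp_nt = hmac.new(key, sc + nt_resp[16:], hashlib.md5).digest()
    ok_lm = hmac.compare_digest(exp_lm, lm_resp[:16])
    ok_nt = hmac.compare_digest(exp_nt, nt_resp[:16])
    return ok_lm and ok_nt


def blob_ticks(nt_resp: bytes) -> int:
    """Read the NT Time field back out of CC* (offset 8 inside the blob)."""
    return struct.unpack("<Q", nt_resp[16 + 8:16 + 16])[0]


def demo() -> dict:
    blob = client_blob(CC2, nt_time(1700000000), DOMAIN)
    lm, nt = client_response(NT_HASH, USER, DOMAIN, SC, CC, blob)
    return {
        "valid": server_verify(NT_HASH, USER, DOMAIN, SC, lm, nt),
        # A captured response is bound to SC and fails against a fresh challenge.
        "replayed": server_verify(NT_HASH, USER, DOMAIN, OTHER_SC, lm, nt),
        "wrong_hash": server_verify(bytes(16), USER, DOMAIN, SC, lm, nt),
        "lm_len": len(lm),
        "ticks": blob_ticks(nt),
    }


if __name__ == "__main__":
    print(demo())
```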

NTLM2 Session

The NTLM2 Session protocol is similar to MS-CHAPv2. [17] It consists of authentication from NTLMv1 combined with session security from NTLMv2.

Briefly, the NTLMv1 algorithm is applied, except that an 8-byte client challenge is appended to the 8-byte server challenge and MD5-hashed. The least 8-byte half of the hash result is the challenge utilized in the NTLMv1 protocol. The client challenge is returned in one 24-byte slot of the response message, the 24-byte calculated response is returned in the other slot.

This is a strengthened form of NTLMv1 which maintains the ability to use existing Domain Controller infrastructure yet avoids a dictionary attack by a rogue server. For a fixed X, the server computes a table where location Y has value K such that Y=DES_K(X). Without the client participating in the choice of challenge, the server can send X, look up response Y in the table and get K. This attack can be made practical by using rainbow tables. [18]

However, existing NTLMv1 infrastructure allows that the challenge/response pair is not verified by the server, but sent to a Domain Controller for verification. Using NTLM2 Session, this infrastructure continues to work if the server substitutes for the challenge the hash of the server and client challenges.

    NTLMv1
      Client<-Server:  SC
      Client->Server:  H(P,SC)
      Server->DomCntl: H(P,SC), SC
      Server<-DomCntl: yes or no

    NTLM2 Session
      Client<-Server:  SC
      Client->Server:  H(P,H'(SC,CC)), CC
      Server->DomCntl: H(P,H'(SC,CC)), H'(SC,CC)
      Server<-DomCntl: yes or no

Availability and use of NTLM

Since 2010, Microsoft no longer recommends NTLM in applications: [19]

Implementers should be aware that NTLM does not support any recent cryptographic methods, such as AES or SHA-256. It uses cyclic redundancy checks (CRC) or MD5 for integrity, and RC4 for encryption.

Deriving a key from a password is as specified in RFC1320 and FIPS46-2. Therefore, applications are generally advised not to use NTLM.

Despite these recommendations, NTLM is still widely deployed on systems. A major reason is to maintain compatibility with older systems. However, it can be avoided in some circumstances.

Microsoft has added the NTLM hash to its implementation of the Kerberos protocol to improve interoperability (in particular, the RC4-HMAC encryption type). According to an independent researcher, this design decision allows Domain Controllers to be tricked into issuing an attacker with a Kerberos ticket if the NTLM hash is known. [20] Microsoft adopted Kerberos as the preferred authentication protocol for Windows 2000 and subsequent Active Directory domains. [16] Kerberos is typically used when a server belongs to a Windows Server domain. Microsoft recommends that developers use neither Kerberos nor the NTLM Security Support Provider (SSP) directly. [21]

Your application should not access the NTLM security package directly; instead, it should use the Negotiate security package. Negotiate allows your application to take advantage of more advanced security protocols if they are supported by the systems involved in the authentication. Currently, the Negotiate security package selects between Kerberos and NTLM. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication.

Use of the NTLM Security Support Provider

The NTLM SSP is used in the following situations:

Use of protocol versions

After it has been decided either by the application developer or by the Negotiate SSP that the NTLM SSP be used for authentication, Group Policy dictates the ability to use each of the protocols that the NTLM SSP implements. There are five authentication levels. [23]

DC would mean Domain Controller, but use of that term is confusing. Any computer acting as server and authenticating a user fulfills the role of DC in this context, for example a Windows computer with a local account such as Administrator when that account is used during a network logon.

Prior to Windows NT 4.0 Service Pack 4, the SSP would negotiate NTLMv1 and fall back to LM if the other machine did not support it.

Starting with Windows NT 4.0 Service Pack 4, the SSP would negotiate NTLMv2 Session whenever both client and server would support it. [24] Up to and including Windows XP, this used either 40- or 56-bit encryption on non-U.S. computers, since the United States had severe restrictions on the export of encryption technology at the time. Starting with Windows XP SP3, 128-bit encryption could be added by installing an update and on Windows 7, 128-bit encryption would be the default.

In Windows Vista and above, LM has been disabled for inbound authentication. Windows NT-based operating systems up through and including Windows Server 2003 store two password hashes, the LAN Manager (LM) hash and the Windows NT hash. Starting in Windows Vista, the capability to store both is there, but one is turned off by default. This means that LM authentication no longer works if the computer running Windows Vista acts as the server. Prior versions of Windows (back as far as Windows NT 4.0 Service Pack 4) could be configured to behave this way, but it was not the default. [25]

Weakness and vulnerabilities

NTLM remains vulnerable to the pass the hash attack, which is a variant on the reflection attack which was addressed by Microsoft security update MS08-068. For example, Metasploit can be used in many cases to obtain credentials from one machine which can be used to gain control of another machine. [3] [26] The Squirtle toolkit can be used to leverage web site cross-site scripting attacks into attacks on nearby assets via NTLM. [27]

In February 2010, Amplia Security discovered several flaws in the Windows implementation of the NTLM authentication mechanism which broke the security of the protocol allowing attackers to gain read/write access to files and remote code execution. One of the attacks presented included the ability to predict pseudo-random numbers and challenges/responses generated by the protocol. These flaws had been present in all versions of Windows for 17 years. The security advisory explaining these issues included fully working proof-of-concept exploits. All these flaws were fixed by MS10-012. [28] [29]

In 2012, it was demonstrated that every possible 8-character NTLM password hash permutation can be cracked in under 6 hours. [30]

In 2019, this time was reduced to roughly 2.5 hours by using more modern hardware. [4] [31] Also, Rainbow tables are available for eight- and nine-character NTLM passwords. Shorter passwords can be recovered by brute force methods. [32]

In 2019, EvilMog [33] [34] published a tool called the ntlmv1-multitool [35] to format NTLMv1 challenge responses in a hashcat compatible cracking format. With hashcat and sufficient GPU power the NTLM hash can be derived using a known plaintext attack by cracking the DES keys with hashcat mode 14000 as demonstrated by atom [36] on the hashcat forums.

Note that the password-equivalent hashes used in pass-the-hash attacks and password cracking must first be "stolen" (such as by compromising a system with permissions sufficient to access hashes). Also, these hashes are not the same as the NTLMSSP_AUTH "hash" transmitted over the network during a conventional NTLM authentication.

Compatibility with Linux

NTLM implementations for Linux include Cntlm [37] and winbind (part of Samba), [38] which allow Linux applications to use NTLM proxies.

FreeBSD also supports storing passwords via Crypt (C) in the insecure NT-Hash form. [39]


References

  1. "Introduction", NT LAN Manager (NTLM) Authentication Protocol Specification, Microsoft, retrieved 2010-08-15
  2. "Session Security Details", NT LAN Manager (NTLM) Authentication Protocol Specification, Microsoft, retrieved 2010-08-15
  3. Takahashi, T (2009-12-17), "Reflecting on NTLM Reflection", FrequencyX Blog, IBM Internet System Security (ISS), archived from the original on 2009-12-31, retrieved 2010-08-14
  4. Claburn, Thomas (February 14, 2019). "Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs". www.theregister.co.uk. Retrieved 2020-11-26.
  5. "Microsoft NTLM", MSDN, Microsoft, retrieved 2010-08-15
  6. "Message Syntax | section 2.2", NT LAN Manager (NTLM) Authentication Protocol Specification, Microsoft, retrieved 2010-08-15
  7. "Connection-Oriented", NT LAN Manager (NTLM) Authentication Protocol Specification (3.1.5.1 ed.), Microsoft, retrieved 2010-08-15
  8. "Connectionless", NT LAN Manager (NTLM) Authentication Protocol Specification (3.1.5.2 ed.), Microsoft, retrieved 2010-08-15
  9. "NEGOTIATE_MESSAGE", NT LAN Manager (NTLM) Authentication Protocol Specification (2.2.1.1 ed.), Microsoft, retrieved 2010-08-15
  10. "CHALLENGE_MESSAGE", NT LAN Manager (NTLM) Authentication Protocol Specification (2.2.1.2 ed.), Microsoft, retrieved 2010-08-15
  11. "AUTHENTICATE_MESSAGE", NT LAN Manager (NTLM) Authentication Protocol Specification (2.2.1.3 ed.), Microsoft, retrieved 2010-08-15
  12. "NTLM v1 Authentication", NT LAN Manager (NTLM) Authentication Protocol Specification (3.3.1 ed.), Microsoft, retrieved 2010-08-15
  13. "NTLM v2 Authentication", NT LAN Manager (NTLM) Authentication Protocol Specification (3.3.1 ed.), Microsoft, retrieved 2010-08-15
  14. What's New in Windows NT 4.0 Service Pack 4?
  15. How to enable NTLM 2 authentication, Support, Microsoft, 2007-01-25, retrieved 2010-08-14
  16. "Security Configuration", Microsoft Windows 2000 Security Hardening Guide, TechNet, Microsoft, retrieved 2010-08-14
  17. Glass, Eric, "NTLM", Davenport, Source forge
  18. Varughese, Sam (February 2006). "Rainbow Cracking and Password Security". Palisade. Archived from the original on 2010-06-01. Retrieved 2010-08-14.
  19. "Security Considerations for Implementers", NT LAN Manager (NTLM) Authentication Protocol Specification, Microsoft, retrieved 2010-08-16
  20. "Active Directory Vulnerability Disclosure: Weak encryption enables attacker to change a victim's password without being logged - Aorato". Archived from the original on 2014-10-06. Retrieved 2014-10-05.
  21. "Microsoft NTLM". TechNet Library. Microsoft. Retrieved 2 November 2015.
  22. "Public Key Cryptography based User to User Authentication Overview". TechNet Library. Microsoft. Retrieved 2 November 2015.
  23. "LAN Manager authentication level". MSDN Library. Microsoft. Retrieved 2 November 2015.
  24. "Windows Authentication". TechNet Library. Microsoft. June 29, 2011. Retrieved 2 November 2015.
  25. Jesper Johansson. "The Most Misunderstood Windows Security Setting of All Time". TechNet Magazine. Microsoft. Retrieved 2 November 2015.
  26. HD Moore. "MS08-068: Metasploit and SMB Relay".
  27. Kurt Grutzmacher (2008-08-08). Nail the Coffin Shut, NTLM is Dead. Defcon 16.
  28. Hernan Ochoa and Agustin Azubel (2010-07-28). Understanding the Windows SMB NTLM Weak Nonce vulnerability (PDF). Blackhat USA 2010.
  29. Hernan Ochoa and Agustin Azubel. "Windows SMB NTLM Weak Nonce vulnerability Security Advisory".
  30. Goodin, Dan (2012-12-10). "25-GPU cluster cracks every standard Windows password in <6 hours". Ars Technica. Retrieved 2020-11-23.
  31. hashcat (2019-02-13). "hand-tuned hashcat 6.0.0 beta and 2080Ti (stock clocks) breaks NTLM cracking speed mark of 100GH/s on a single compute device". @hashcat. Retrieved 2019-02-26.
  32. A Case for Modern Rainbow Table Usage
  33. "Ethical hacker Dustin Heywood, a.k.a. EvilMog: 'My mission is to make companies safer'". The Globe and Mail. 2019-12-09. Retrieved 2023-10-12.
  34. "Dustin Heywood: The "Evil" Hacker Using his Neurodivergent Mind for Good". IBM Newsroom. Retrieved 2023-10-12.
  35. Heywood, Dustin (2023-10-11), 10 Nov, 2020 Updates, retrieved 2023-10-12
  36. "How to make use of the DES KPA mode". hashcat.net. Retrieved 2023-10-12.
  37. "Cntlm: Fast NTLM Authentication Proxy in C".
  38. "NTLM authentication - MoodleDocs".
  39. "NT MD4 password hash as new password encryption method for FreeBSD". Mail-archive.com. Retrieved 2 December 2018.