What is NTLM hash?

The NTLM hash is the cryptographic format in which user passwords are stored on Windows systems.

NTLM hashes are stored in the SAM (security account manager) or NTDS file of a domain controller. They are a fundamental part of the mechanism used to authenticate a user through different communications protocols.

It’s, therefore, critical information and highly sought after by hostile actors when trying to unleash a cyber-attack. When pentesting, for example, it’s common for attackers to try to obtain these hashes (using tools such as pwdump or mimikatz) and use Pass The Hash techniques using NTLM hashes to exploit the privileges of one or more systems. In this way, they could execute elevated privileges and even execute commands.

The NTLM hash is encoded by taking the user’s password and converting it into a 16-byte key using an MD4 hash function. This key is divided into two halves of 8 bytes each, which are used as input to three rounds of DES encryption to generate a 16-byte output that represents the NTLM hash.

Each DES round uses an 8-byte key derived from the original key half using a parity operation. The two 8-byte results from the three DES rounds are concatenated to form the 16-byte NTLM hash that is used to verify the user’s password in the Windows operating system.

NTLM hashes are likely to be used in many Windows authentication attacks, so it’s advisable to limit their use and use Kerberos.