NTLM Theft
NTLM (NT LAN Manager) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. It is commonly used in Windows environments for network authentication.
NTLM Theft refers to the unauthorized acquisition of NTLM hashes, which can be used to authenticate to systems without needing the plaintext password. This is a common attack vector in Active Directory environments.
Common Methods of NTLM Theft:
Pass-the-Hash (PtH): An attacker captures the NTLM hash of a user's password and uses it to authenticate to other systems without needing the plaintext password.
NTLM Relay: An attacker intercepts a user's NTLM challenge-response authentication and forwards (relays) it to another system, authenticating there as that user without ever learning the password or its hash.
Kerberos Ticket Stealing: An attacker captures the Kerberos ticket of a user and uses it to authenticate to other systems without needing the plaintext password.
Tools for NTLM Theft:
Responder: A tool that can be used to capture NTLM hashes by responding to NetBIOS and LLMNR requests.
John the Ripper: A tool that can be used to crack NTLM hashes.
Ntlmrelayx: A tool that can be used to relay NTLM hashes to other systems.
Mitigation Strategies:
Use Strong Passwords: Ensure that users have strong passwords that are difficult to crack.
Use Multiple Authentication Methods: Require multi-factor authentication (MFA), so that a captured hash alone is not enough to log in.
Use Secure Password Storage: Use secure password storage, such as a password manager.
Monitor for Suspicious Activity: Monitor for suspicious activity, such as failed login attempts or unusual authentication patterns.
Disable NTLM: Disable NTLM authentication where possible, and use Kerberos instead.
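The monitoring mitigation above is easiest to act on with concrete rules. The following added example (not part of the original page) runs three checks over constructed Windows Security log events reduced to a few fields: an NTLM network logon whose claimed workstation name is not in the host inventory, an NTLM logon whose workstation name and source IP disagree with the inventory (the shape a relayed exchange has from the target's side), and a burst of failed logons from one source. The event fields, HOST_INVENTORY and FAILED_THRESHOLD are assumptions for the example.

```python
"""Flag NTLM authentication patterns worth a look in Windows Security log events (added example)."""
from collections import Counter

# Assumed inventory of domain-joined hosts (hostname -> expected source IP).
HOST_INVENTORY = {"WS01": "10.0.0.5", "WS07": "10.0.0.7", "DC01": "10.0.0.1"}
FAILED_THRESHOLD = 5  # failures from one source IP before we call it a burst

# Constructed sample events, not real log data: 4624 = success, 4625 = failure.
SAMPLE_EVENTS = [
    {"id": 4624, "user": "alice", "src_ip": "10.0.0.5", "workstation": "WS01", "logon_type": 3, "auth_pkg": "Kerberos"},
    # NTLM logon claiming to come from WS01, but the packets arrive from a different IP: relay-shaped.
    {"id": 4624, "user": "alice", "src_ip": "10.0.0.99", "workstation": "WS01", "logon_type": 3, "auth_pkg": "NTLM"},
    # NTLM logon from a hostname that is not in the inventory at all.
    {"id": 4624, "user": "svc_backup", "src_ip": "10.0.0.99", "workstation": "ROGUE", "logon_type": 3, "auth_pkg": "NTLM"},
    {"id": 4624, "user": "bob", "src_ip": "10.0.0.7", "workstation": "WS07", "logon_type": 3, "auth_pkg": "NTLM"},
] + [
    {"id": 4625, "user": f"user{i}", "src_ip": "10.0.0.99", "workstation": "ROGUE", "logon_type": 3, "auth_pkg": "NTLM"}
    for i in range(6)
]


def find_ntlm_anomalies(events, inventory=HOST_INVENTORY, failed_threshold=FAILED_THRESHOLD):
    """Return a list of (signal, *details) tuples for events matching the three checks."""
    alerts = []
    failures = Counter()
    for e in events:
        if e["id"] == 4625:
            failures[e["src_ip"]] += 1
            continue
        # Only successful network logons (type 3) over NTLM are of interest here.
        if e["id"] != 4624 or e["logon_type"] != 3 or e["auth_pkg"] != "NTLM":
            continue
        expected_ip = inventory.get(e["workstation"])
        if expected_ip is None:
            alerts.append(("ntlm_from_unknown_host", e["user"], e["workstation"], e["src_ip"]))
        elif expected_ip != e["src_ip"]:
            # Workstation name says one host, the TCP source says another.
            alerts.append(("ntlm_workstation_ip_mismatch", e["user"], e["workstation"], e["src_ip"]))
    for ip, n in failures.items():
        if n >= failed_threshold:
            alerts.append(("failed_logon_burst", ip, n))
    return alerts


if __name__ == "__main__":
    for alert in find_ntlm_anomalies(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the inventory would come from AD computer objects or DHCP leases, and the thresholds tuned to the environment's baseline.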