NTLM and LAN Manager


Earlier to Windows Server 2000 and AD, NTLM Authentication was the recommended challenge/response authentication system. It was developed for use with the Windows Server NT line and its enterprise client versions, such as Windows NT 4.0 Workstation, Windows 2000 Professional, and so on. NTLM worked by running a userís password through a complex mathematical function and then storing the result, known as the password hash, in the Security Account Manager (SAM) database. When a user wanted to log on, he typed his password, which was then run through the same mathematical function, and if the hash matched that stored in the SAM, the user must have entered the correct password and was considered authenticated for that resource request. Those requests included logging on to a client in the domain and accessing a server resource, and every time, the resource being accessed would have to communicate with a domain controller to authenticate the user, which was a burden on the server.

However, if all that the client sent was the confusion with the password, then it would be easy to sniff the value on the network and fake requests from the client. Instead, the confusion is used as part of the NTLM challenge/ response, which goes like this:

1. The user wants access to a resource on a server she has not communicated with as part of the logon session, and so the user sends the server her username in plain text.

2. The server makes up a random 16-byte number and sends it to the client. This is the challenge.

3. The client encrypts the challenge with the hash of the userís password and sends it to the server.

4. The server sends to a domain controller the username, the challenge sent to the client, and the response received from the client.

5. The domain controller looks up the password hash based on the username and uses the hash to run the encryption on the challenge that was sent to the client. If the result matches that generated by the user, she had the right password, and she is authenticated. With this process, the userís raw hash is not sent over the network.


Prior to NTLM, there was just LAN Manager authentication, which is weak by todayís standards because, among other reasons, the hash generated is easier to break than the NTLM hash. With LAN Manager, the password is stored as all uppercase characters, reducing the number of combinations possible, and the password is broken into two seven-character chunks, making it easier to break. With Windows Vista and Windows Server 2008, the LAN Manager hash is not stored.

There are two versions of NTLM:

NTLM Version 1: A more secure challenge/response authentication than LAN Manager, using 56-bit encryption for protocol security and passwords stored as NT hashes. It is used by clients running Windows NT 4.0 Service Pack 3 and below.

NTLM Version 2: The current version of NTLM, which uses 128- bit encryption and is used for machines running Windows NT 4.0 Service Pack 4 and above. This is the most secure challenge/ response authentication available.