NTLM Authentication

Also known as: NTLM, NT LAN Manager

A legacy Windows challenge-response authentication protocol that proves a user's identity from a stored password hash, now considered weak by modern standards.

NTLM (NT LAN Manager) is a family of Microsoft authentication protocols designed for Windows networks before Kerberos became dominant. It uses a challenge-response handshake based on the user's NT hash, without ever transmitting the password. Although still used as a fallback when Kerberos is unavailable or for workgroup-style scenarios, NTLM is vulnerable to relay attacks (NTLM Relay), pass-the-hash, brute-force on weak passwords, and offline cracking of captured hashes. Microsoft now classifies it as legacy and is progressively disabling NTLMv1 and reducing NTLMv2 reliance via SMB signing, channel binding, Extended Protection for Authentication, and Kerberos-only configurations.

Examples

An attacker capturing NTLMv2 hashes via a rogue SMB server and cracking them offline with hashcat.
NTLM relay through an unsigned SMB session to authenticate to a domain controller.

NTLM Authentication

Examples

Related terms

Kerberos

Active Directory

Authentication

Password

Rainbow Table Attack

Credential Stealer

Definition

Examples

Related terms

Kerberos

Active Directory

Authentication

Password

Rainbow Table Attack

Credential Stealer