NTLM Authentication.

  • NTLM stands for New Technology LAN Manager.
  • NTLM is an authentication protocol used in Windows to authenticate a user.
  • It is a challenge-response authentication protocol used by Windows systems to authenticate users without sending passwords over the network.

In simple terms: NTLM is an authentication protocol used in Windows systems to authenticate users without forwarding the password over the network, relying only on a challenge-response mechanism.

NTLM Auth Process:

Step by step

  1. The client sends a Negotiate message to the server to start the authentication process. It includes the NTLM features the client supports.

e.g. "Hey Server! I want to log in using NTLM."

  2. The server responds with a random challenge (nonce) to the client.

"Prove you know the password using this challenge."

  3. The client sends a response to the challenge sent by the server.

[This is the most important part of this authentication. What the client sends to the server, and how, is defined in this part. This is done by the client.]

Converts the password into an NT hash (password → hash)

Encrypts the challenge using that hash (challenge + NT hash → response)

Sends the response back (response → server)

The password is never sent (transmitted) over the network.

  4. The server verifies the response against its database. The server retrieves the NT hash from the database / Active Directory and uses it to check the client's response.

If it matches: login → successful

If it does not match: login → not successful.
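As an added example (not the article's own code, and not a real NTLM client), here is the NTLMv2 challenge-response computation for steps 2 to 4 in Python; the NT hash, account store, user and domain are constructed values, and the client blob is simplified to a bare nonce.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the NT hash, MD4(UTF-16LE(password)); MD4 is
# disabled in hashlib on many modern systems, so a fixed value is used here.
NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")
USER, DOMAIN = "alice", "CORP"

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    # NTLMv2 hash (NTOWFv2 in MS-NLMP): HMAC-MD5 keyed with the NT hash
    # over UPPER(user) || domain, both encoded as UTF-16LE.
    data = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, data, hashlib.md5).digest()

def nt_proof(nt_hash: bytes, user: str, domain: str,
             server_challenge: bytes, client_blob: bytes) -> bytes:
    # NTProofStr: HMAC-MD5 keyed with the NTLMv2 hash over
    # server challenge || client blob. Only the hash is used; the password
    # never leaves the client, and nothing here names the server.
    key = ntowf_v2(nt_hash, user, domain)
    return hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()

def client_authenticate(server_challenge: bytes, client_nonce: bytes):
    # Step 3: answer the 8-byte challenge with a proof derived from the NT hash.
    # Real clients send a structured blob (timestamp, AV pairs); a bare nonce stands in here.
    proof = nt_proof(NT_HASH, USER, DOMAIN, server_challenge, client_nonce)
    return USER, DOMAIN, client_nonce, proof

def server_verify(db: dict, server_challenge: bytes, user: str, domain: str,
                  client_blob: bytes, proof: bytes) -> bool:
    # Step 4: look up the stored NT hash (the "database / Active Directory"),
    # recompute the proof for the challenge this server issued, and compare.
    stored = db.get((user.upper(), domain))
    if stored is None:
        return False
    expected = nt_proof(stored, user, domain, server_challenge, client_blob)
    return hmac.compare_digest(expected, proof)

def run_exchange(db: dict, rng=os.urandom) -> bool:
    # Steps 2-4 end to end with a fresh challenge and client nonce.
    server_challenge = rng(8)
    user, domain, blob, proof = client_authenticate(server_challenge, rng(8))
    return server_verify(db, server_challenge, user, domain, blob, proof)

DB = {("ALICE", "CORP"): NT_HASH}  # constructed account store

if __name__ == "__main__":
    print("login successful" if run_exchange(DB) else "login failed")
```

Note that the proof depends only on the NT hash, user, domain, server challenge and client blob; nothing in it identifies which server the client believes it is talking to, which is the property behind the relay scenario below.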


Tools: Responder, Impacket

NTLM Authentication Attack scenario:

  1. The attacker sits on the same network running a tool like Responder.

  2. The attacker tricks the user's system into sending an authentication request (e.g., a fake share). (Tricking the user)

  3. The user's system unknowingly sends its NTLM authentication to the attacker.

  4. The attacker captures this NTLM authentication (the hashed response) directly using the tool.

  5. The attacker forwards this authentication to the real server using Impacket (NTLM relay attack). (hash → real server = relay attack)

  6. The server thinks: "Oh, the user is logging in" → grants access.

What makes this attack possible:

  • NTLM does NOT verify the server's identity.

Impact: the attacker gains access:

  • File access
  • Admin access
  • Full domain takeover

Thanks for reading this article. We'll meet with new topics in our next article. Stay Safe! Stay Healthy! We'll soon meet on YouTube.

Follow on LinkedIn and Instagram.

https://www.linkedin.com/in/sandeep-singh-tanwar-0605a126a/

https://www.instagram.com/_____psycho____00/

SecurePentest — Cyber Security Agency
