TL;DR
Yes, there are several types of NTLM hashes beyond just the raw MD4 hash. Understanding these different types is crucial for effective cyber security assessments and incident response. This guide explains them and how to identify them.
Understanding NTLM Hashes
NTLM (NT LAN Manager) is an authentication protocol used in older Windows networks. When a user logs on, their password isn’t stored directly; instead, a hash of the password is kept. Over time, Microsoft improved how these hashes were generated for security reasons. Here’s a breakdown:
1. NTLM Hash Types
- NTLM (v1) – Raw MD4: This is the oldest and least secure type. It’s easily crackable with tools like John the Ripper or Hashcat.
- NTLM (v2): A significant improvement over v1, using a more complex hashing process. Still vulnerable but requires more resources to crack.
- NTLMv2 Response: This is generated during authentication and includes a challenge-response mechanism, making it harder to crack than NTLMv2. It’s the most common type you’ll encounter in modern Windows environments (pre-Active Directory Credential Guard).
- NTLM with Session Key: Includes an additional session key, further complicating attacks.
2. Identifying NTLM Hash Types
You can identify the hash type using various tools and techniques:
a) Using Mimikatz
Mimikatz is a powerful tool for extracting credentials from Windows memory. It usually displays the hash type alongside the hash itself.
sekurlsa::lmhash
The output will show hashes labelled as ‘NTLMv1’, ‘NTLMv2’ or similar, indicating their respective types.
b) Using Hashcat
Hashcat can automatically detect hash types when you run a cracking attempt. It’s not a direct identification tool, but the output will tell you which algorithms it tried to use.
hashcat -m <mode>
Where <mode> represents an NTLM hash mode (e.g., 1000 for NTLMv1, 2000 for NTLMv2). Hashcat will attempt to crack the hashes using the specified algorithm and report whether it was successful.
c) Using cyber security tools like Responder
Responder captures NTLM authentication attempts. It can identify hash types during a Man-in-the-Middle (MITM) attack.
3. Practical Implications
- Prioritise Cracking: Raw MD4 hashes should be prioritised for cracking as they are the easiest to compromise.
- Assess Network Security: The prevalence of older NTLM hash types indicates potential vulnerabilities in your network’s authentication mechanisms. Consider disabling NTLMv1 if possible.
- Implement Modern Authentication: Migrate to more secure authentication protocols like Kerberos or multi-factor authentication (MFA) where feasible.
- Credential Guard: Enable Credential Guard on Windows clients and servers to protect credentials in memory, making it harder for attackers to extract NTLM hashes.
4. Tools for Cracking
- John the Ripper: A versatile password cracking tool supporting various hash types.
- Hashcat: A powerful and highly optimisable password cracking tool, especially effective with GPUs.
- Offline NTLM Password Cracker (OTPC): Specifically designed for cracking NTLM hashes offline.

