NTLM & NTLM2
Last updated
Was this helpful?
Last updated
Was this helpful?
NTLM hashes are stored in the Security Account Manager (SAM) database and in Domain Controller's NTDS.dit database. They look like this:
Contrary to what you'd expect, the LM hash is the one before _the semicolon and the NT hash is the one _after the semicolon. Starting with Windows Vista and Windows Server 2008, by default, only the NT hash is stored.
Net-NTLM hashes are used for network authentication (they are derived from a challenge/response algorithm and are based on the user's NT hash). Here's an example of a Net-NTLMv2 (a.k.a NTLMv2) hash:
From a pentesting perspective:
You CAN perform Pass-The-Hash attacks with NTLM hashes.
You CANNOT perform Pass-The-Hash attacks with Net-NTLM hashes. However, tehy can be used to perfom relay attacks.
You get NTLM hashes when dumping the SAM database of any Windows OS, a Domain Controller's NTDS.dit database or from MimikatzMimikatz (Fun fact, although you can't get clear-text passwords from Mimikatz on Windows >= 8.1 you can get NTLM hashes from memory). Some tools just give you the NT hash (e.g. ) and that's perfectly fine: obviously you can still Pass-The-Hash with just the NT hash.
You get Net-NTLMv1/v2 (a.k.a NTLMv1/v2) hashes when using tools like Responder or Inveigh.