Your Knowledge Center for all Active Directory Security-Related Research

NTLM: The Network Authentication Protocol

NTLM is an authentication protocol used by Microsoft. All Windows versions older than Windows XP SP3 use NTLM as their default. Newer versions of Windows still use NTLM for backwards compatibility.

The NTLM authentication protocol works in the following manner:

  1. The user provides a domain name, username and password to log on to their computer. The computer computes a cryptographic hash of the password and discards the actual password.
  2. When the user attempts to access the server, the computer sends the username to the server in cleartext.
  3. The server generates a 16-byte random number, called a “challenge”, and sends it to the user.
  4. The user encrypts this challenge using its password hash and returns the result to the server (the “response”).
  5. The server sends the following three items to the Domain Controller:
     a. the username
     b. the challenge sent to the client
     c. the response received from the client
  6. The Domain Controller uses the username to retrieve the hash of the user’s password from the Security Account Manager (SAM) database. It uses this password hash to encrypt the challenge.
  7. The Domain Controller compares the encrypted challenge it computed (in step 6) to the response computed by the client (in step 4). If they are identical, authentication is successful and the Domain Controller notifies the server.