🐲
OSCP Notes
  • 🐲OSCP Notes
  • 🐲OSCP Methodology
  • 💡Misc
    • Metasploit
    • Antivirus Evasion
    • Password attacks
    • Reverse Shells
    • Port Forwarding, Tunneling and Pivoting
      • Local Port Forwarding
      • Remote Port Forwarding
      • Dynamic Port Forwarding
      • Lingolo-ng
    • Information Gathering
      • Passive Reconnaissance
        • Whois
        • Google Dorks
        • NetCraft
        • Git Repository
      • Active Reconnaissance
        • DNS Enumeration
        • Host Discovery
        • Port scanning
        • SMTP - 25
        • SNMP
  • Linux
    • Local Enumeration
    • Local Privileges Escalation
      • Scheduled tasks
      • Password Authentication
      • Monitor Processes
      • SetUID Binaries and Capabilities
      • Sudoers
      • Kernel Exploits
  • Windows
    • 🧠Mindmap
    • 🥝Mimikatz Basics
    • Enumeration
      • External Enumeration
      • Local Enumeration
      • Active Directory
        • PowerView
    • NTLM Hashes
    • Local Privilege Escalation
      • Service Binary Hijacking
      • Service DLL Hijacking
      • Unquoted Service Paths
      • Scheduled Tasks
      • Token impersonation
      • Backup Operators Group
    • Lateral Movement
      • WMI and WinRM
      • PsExec
      • Pass The Hash
      • Overpass The Hash
      • Pass The Ticket
      • DCOM
    • Persistence
      • Golden Ticket
      • Shadow Copy
    • Authentication Attacks
      • AS-REP Roasting
      • Kerberoasting
      • Password Spray
      • Silver Ticket
      • DC Sync
    • Client Side
    • NTLM Authentication
    • Kerberos Authentication
    • Cached Credentials
  • Web attacks
    • WordPress
    • SQL Injection (SQLi)
    • Command Injection
    • Directory Traversal
    • Local File Inclusion (LFI)
    • File Upload
Powered by GitBook
On this page
  1. Windows

NTLM Authentication

PreviousClient SideNextKerberos Authentication

Last updated 7 months ago

  • Client to Application Server (Negotiation Message): The client sends a negotiation message containing the username to the application server.

  • Application Server to Client (Challenge Message): The application server responds with a challenge message that includes a random number (nonce).

  • Client to Application Server (Authentication Message): The client uses the received random number to compute an NTLM hash and sends an authentication message back to the application server containing the NTLM hash.

  • Application Server to Domain Controller (Verify Message): The application server forwards the random number (nonce), username, and NTLM hash to the domain controller to verify the credentials.

  • Domain Controller to Application Server (Approve Message): The domain controller checks the NTLM hash and responds to the application server with an approve or deny message based on the authentication outcome.

  • Application Server to Client: The application server informs the client whether the authentication was successful (approve) or unsuccessful (deny).

NTLM Authentication flow
Drawing