Authentication protocols

Authentication protocols are classified as cryptographic protocols that transfer authentication data between two hosts. Windows NTLM is a suite of security protocols that provide login authentication, file integrity, and information security. NTLM uses a challenge-response method to authenticate user logins. NTLM uses three messages to authenticate a user. The first message is a NEGOTIATE_MESSAGE sent from the client to the server. The second message is a CHALLENGE_MESSAGE sent from the server to the client in response to the client's request. The third message is an AUTHENTICATE_MESSAGE sent from the client to the server in response to the server's challenge. There are two versions of NTLM. The second version, NTLMv2, is a cryptographically superior replacement for NTLMv1. NTLMv2 has been hardened against spoofing attacks and gives the server the ability to authenticate the user. NTLM is still commonly used in many systems. Microsoft recommends that systems not use NTLM for authentication because of its vulnerability to pass-the-hash attacks:

  • The replacement for NTLM is Kerberos. Microsoft developed Kerberos to address the vulnerabilities found within NTLM.
  • Kerberos works by using symmetric-key cryptography along with a trusted third-party for authentication. Kerberos can also use public-key cryptography. The default port for Kerberos is 88.
  • During the client authorization process, a cleartext message of the user ID is sent from the client to the authentication server. The cleartext message does not contain the password or secret key at this stage.
  • Only the user ID is sent to the authentication server during this phase.
  • Next, the authentication server searches for the user ID in the user database.
  • In Windows Server 2012, this database would be found in the Active Directory.
  • Once a match is found, the authentication server will generate a secret key. The secret key is created by using the hashed password of the user matched within the database.
  • Next, the authentication server searches its database to confirm the client is in there. After the client is confirmed, the authentication server will send two messages to the client.
  • The first message will contain the session key. The session key is encrypted from the secret key generated by the authentication server.
  • The second message contains a Ticket Granting Ticket (TGT). The TGT holds information about the client network address, client ID, ticket validity period, and the session key.
  • The second message is encrypted using the secret key of the Ticket Granting Server (TGS). Once the client receives both messages, the decryption process is started.
  • The client decrypts the first message with the secret key generated by the authentication server when the password was first entered. If the submitted password does not match the one found in the authentication server's database, then the client will not be able to decrypt the first message.
  • If the client enters a valid password, the first message can be decrypted to show the session key. The second message cannot be decrypted because it is using the secret key of the TGS. Once the client has the session key from the first message, the TGS will grant authentication to the client.
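The Authentication Server exchange described in the list above, as an added example that is not part of the original text. It models the two messages the authentication server returns: the first encrypted under a key derived from the client's password, the second (the TGT, carrying client ID, client address, validity period and session key) encrypted under the TGS key. Real Kerberos uses the RFC 3961 encryption types; this example assumes a small stdlib-only authenticated cipher (SHA-256 keystream plus HMAC tag) so that "cannot decrypt" is a checkable outcome, and the user names, passwords and addresses are constructed.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Toy model of the Kerberos AS exchange. Assumption: the cipher below stands in
# for the real Kerberos encryption types; only the message flow is the point.

def derive_key(password: str) -> bytes:
    """Long-term key derived from the user's password (the 'secret key' in the text)."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag; the tag lets decrypt detect a wrong key."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError when the key is wrong or the blob was tampered with."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("decryption failed: wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

# Constructed directory (what Active Directory holds): user ID -> long-term key.
USER_DB = {"alice": derive_key("CorrectHorseBatteryStaple")}
# Constructed TGS secret, known only to the authentication server and the TGS.
TGS_KEY = derive_key("tgs-service-secret")

def as_exchange(user_id: str, client_addr: str):
    """AS receives the cleartext user ID and returns the two messages, or None."""
    client_key = USER_DB.get(user_id)
    if client_key is None:
        return None
    session_key = os.urandom(32)
    now = int(time.time())
    tgt = {"client_id": user_id, "client_addr": client_addr,
           "valid_from": now, "valid_until": now + 8 * 3600,
           "session_key": session_key.hex()}
    msg1 = encrypt(client_key, session_key)              # session key under the client's key
    msg2 = encrypt(TGS_KEY, json.dumps(tgt).encode())    # the TGT under the TGS key
    return msg1, msg2

def client_recover_session_key(password: str, msg1: bytes) -> Optional[bytes]:
    """Only the correct password derives the key that opens message 1."""
    try:
        return decrypt(derive_key(password), msg1)
    except ValueError:
        return None

def client_can_read_tgt(password: str, msg2: bytes) -> bool:
    """Message 2 is for the TGS; the client's key never opens it."""
    try:
        decrypt(derive_key(password), msg2)
        return True
    except ValueError:
        return False

def tgs_open_tgt(msg2: bytes) -> dict:
    """The TGS holds TGS_KEY and can read the TGT, including the session key."""
    return json.loads(decrypt(TGS_KEY, msg2))

def demo(password: str) -> dict:
    """Run the exchange for 'alice' with the given password and report outcomes."""
    msg1, msg2 = as_exchange("alice", "10.0.0.5")
    sk = client_recover_session_key(password, msg1)
    return {
        "got_session_key": sk is not None,
        "client_read_tgt": client_can_read_tgt(password, msg2),
        "tgs_session_key_matches": sk is not None and tgs_open_tgt(msg2)["session_key"] == sk.hex(),
    }

if __name__ == "__main__":
    print(demo("CorrectHorseBatteryStaple"))
    print(demo("wrong-password"))
```

Running it shows the split the list describes: with the right password the client recovers the session key but still cannot open the TGT, while the TGS opens the TGT and finds the same session key; with a wrong password neither message opens.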

Now we will discuss an example of how hashed passwords work during the NTLM login process. In a business environment, most users will belong to a domain. Some companies may create multiple domains for different departments. When a user logs into a device, they must enter a domain name, username, and password. After the user submits the credentials, a hash value of the password is automatically created. In this example, authentication will be verified by NTLMv2. According to Microsoft, the credentials NTLM uses are based on data received from the Security Account Manager (SAM) database.

This data consists of the domain name, username, and hash value of the password. Once the user requests login authentication, NTLM will send an encrypted challenge message containing a 16-byte random number. The client responds by combining the hash value of the password with the 16-byte number and sending the result back to the authentication server. From there, the authentication server will send the domain name, username, and response (containing the hashed password) to the domain controller. The domain controller takes the username and matches it with the hashed password from the SAM database. The password hash from the SAM database is used to create a second challenge. The domain controller compares the two challenges and, if they are the same, grants authentication to the user. This login method is considered weak because it only uses one set of credentials to verify the identity of a user. This type of login is known as single sign-on (SSO). Another weakness is that all the usernames and hashed passwords are stored in one location within the SAM.
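The three-message NTLM exchange (NEGOTIATE, CHALLENGE, AUTHENTICATE) and the domain controller's check against the SAM hash, as an added example that is not part of the original text. Real NTLM derives the NT hash with MD4 over the UTF-16LE password and NTLMv2 uses HMAC-MD5; MD4 is disabled in many OpenSSL builds, so this model substitutes SHA-256 for both, and the domain, user and password are constructed. The trust boundary it shows is the one the text describes: the domain controller never needs the password, only the stored hash, and the client's response is bound to the server's fresh challenge.

```python
import hashlib
import hmac
import os

# Toy model of the NTLM challenge-response flow. Assumption: SHA-256 stands in
# for MD4 (hash) and HMAC-MD5 (NTLMv2 response); the wire format is not modelled.

def password_hash(password: str) -> bytes:
    """Stand-in for the NT hash the SAM stores (SHA-256 here, MD4 in real NTLM)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

# Constructed SAM database: (domain, user) -> password hash. No plaintext is kept.
SAM_DB = {("CORP", "alice"): password_hash("Tr0ub4dor&3")}

def negotiate_message(domain: str, user: str) -> dict:
    """Message 1, client -> server. Carries no secret material."""
    return {"type": "NEGOTIATE_MESSAGE", "domain": domain, "user": user}

def challenge_message() -> dict:
    """Message 2, server -> client: a fresh 16-byte random challenge."""
    return {"type": "CHALLENGE_MESSAGE", "challenge": os.urandom(16)}

def compute_response(pw_hash: bytes, domain: str, user: str, challenge: bytes) -> bytes:
    """Keyed response over the challenge. Note the input is the hash, not the
    password: whoever holds the hash can answer, which is the pass-the-hash
    weakness the text describes."""
    msg = (challenge
           + domain.upper().encode("utf-16-le")
           + user.upper().encode("utf-16-le"))
    return hmac.new(pw_hash, msg, hashlib.sha256).digest()

def authenticate_message(domain: str, user: str, password: str, challenge: bytes) -> dict:
    """Message 3, client -> server. The client hashes the typed password first."""
    response = compute_response(password_hash(password), domain, user, challenge)
    return {"type": "AUTHENTICATE_MESSAGE", "domain": domain, "user": user,
            "response": response}

def domain_controller_verify(domain: str, user: str, challenge: bytes, response: bytes) -> bool:
    """The DC recomputes the response from the SAM hash and compares in constant time."""
    stored = SAM_DB.get((domain, user))
    if stored is None:
        return False
    expected = compute_response(stored, domain, user, challenge)
    return hmac.compare_digest(expected, response)

def login(domain: str, user: str, password: str) -> bool:
    """Run the full three-message exchange and return the DC's decision."""
    neg = negotiate_message(domain, user)
    chal = challenge_message()
    auth = authenticate_message(neg["domain"], neg["user"], password, chal["challenge"])
    return domain_controller_verify(auth["domain"], auth["user"],
                                    chal["challenge"], auth["response"])

def replayed_response_is_rejected(domain: str, user: str, password: str) -> bool:
    """A captured AUTHENTICATE_MESSAGE does not satisfy a new challenge."""
    old = challenge_message()
    captured = authenticate_message(domain, user, password, old["challenge"])
    new = challenge_message()
    return not domain_controller_verify(domain, user, new["challenge"], captured["response"])

if __name__ == "__main__":
    print(login("CORP", "alice", "Tr0ub4dor&3"))          # correct password
    print(login("CORP", "alice", "wrong"))                # wrong password
    print(replayed_response_is_rejected("CORP", "alice", "Tr0ub4dor&3"))
```

The random challenge is what stops a captured response from being replayed; what it does not stop is a party that already holds the hash from computing a fresh, valid response, which is why the SAM contents are treated as password-equivalent.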

A hacker could easily steal many passwords, including the admin password, by dumping the contents of the SAM database to a text file. Most hackers will first exploit a device of a low-level employee to gain access to the SAM database on that domain. Once a hacker has access to the SAM, they can start to attack other devices on the domain. If the hacker can get the admin hash (most do), they will be able to attack all domains on the network. Although the cryptographic algorithms Kerberos and MD5 use are more advanced than NTLM's, they all still use a one-way encryption method. All three authentication protocols are vulnerable to pass-the-hash attacks.
