Overview[1]#
NT LAN Manager (NTLM) (not to be confused with LAN Manager) is a Microsoft authentication protocol used with the SMB protocol.NT LAN Manager was followed by NTLMv2, at which time the original was renamed to NTLMv1.
MS-CHAP is similar and is used for authentication with Microsoft remote access protocols. During protocol negotiation, the internal name is NTLM 0.12. The version number 0.12 has not been explained. It is the successor of LANMAN (Microsoft LAN Manager), an older Microsoft authentication protocol, and attempted to be backwards compatible with LANMAN.
Before official documentation of the protocol was available, it was analyzed by the Samba team through network analysis. The cryptographic calculations are identical to that of MS-CHAP and are documented in RFC 2433 for v1 and RFC 2759 for v2. Both MS-CHAP v1 and v2 have been analyzed; Bruce Schneier, Peiter Mudge Zatko and David Wagner, among other researchers, found weaknesses in both protocols.[1] Still both protocols remain in widespread use.
NTLM and modern Windows versions#
Microsoft adopted Kerberos as the preferred authentication protocol for Windows Server 2000 and Windows Server 2003 Microsoft Active Directory domains. Kerberos is typically used when a client belongs to a AD DOMAIN, or if a trust relationship with a AD DOMAIN is established in some other way (such as Linux to Windows AD authentication).NTLM is still used in the following situations:#
- The client is authenticating to a server using an IP Address.
- The client is authenticating to a server that belongs to a different AD Forest, or doesn't belong to a AD DOMAIN.
- No Active Directory domain exists (commonly referred to as "workgroup" or "peer-to-peer").
- Where a firewall would otherwise restrict the ports required by Kerberos (of which there are quite a few)
Starting with Windows Vista, and also with Windows Server 2008, both Lan Manager and NT LAN Manager are deprecated by default.
NT LAN Manager is still supported for inbound authentication, but for outbound authentication a newer version of NT LAN Manager, called NTLMv2, is sent by default instead. Prior versions of Windows (back as far as Windows NT 4.0 Service Pack 4) could be configured to behave this way, but it was not the default.
Technically speaking, the computer will accept LM for inbound authentication but by default neither Windows Vista nor Windows Server 2008 store the LM hash. Therefore, there is no way for them to authenticate an inbound LM response - typical error message is System error 86 has occurred. The specified network password is not correct.
You can control the authentication behavior, starting with Windows NT 4.0 Service Pack 4,using the LMCompatibilityLevel registry setting, shown in Group Policy as Network Security:LAN Manager Authentication Level. The default value for LMCompatibilityLevel in Windows Vista and Windows Server 2008 is 3,or Send NTLMv2 Response Only.
NT LAN Manager Vulnerabilities#
NT LAN Manager Vulnerabilities shows some of the Vulnerabilities with using NT LAN Manager (NTLM)More Information#
There might be more information for this subject on one of the following:- Channel Binding
- LAN Manager
- LAN Manager authentication level
- NT LAN Manager
- NT LAN Manager Vulnerabilities
- NTLM
- NTLM SSP
- Pass-the-hash
- SPNEGO
- [#1] - NT LAN Manager
- based on information obtained 2013-05-17