Skip to content

NTLM Authentication

shell Application Domain Controller Client Server (DC) | | | | [Step 1] -------------------------> | | | Autetication Reques | | | | | | <------------------------- [Step 2] | | | NTLM Challeng | | | | | | [Step 3] --------------------------> | | | NTLM Response | | | | | | | [Step 4] --------------------------> | | | Send (Challenge, Response) | | | | | | <-------------------------- [Step 5] | | | (Approve/Reject) | |<--------------------------- [Step 6] | | | (Approve/Reject) | | | | |

  1. The client sends an authentication request to the server they want to access.
  2. The server generates a random number and sends it as a challenge to the client.
  3. The client combines his NTLM password hash with the challenge (and other known data) to generate a response to the challenge and sends it back to the server for verification.
  4. The server forwards both the challenge and the response to the Domain Controller for verification.
  5. The domain controller uses the challenge to recalculate the response and compares it to the initial response sent by the client. If they both match, the client is authenticated; otherwise, access is denied. The authentication result is sent back to the server.
  6. The server forwards the authentication result to the client.

Note: The described process applies when using a domain account. If a local account is used, the server can verify the response to the challenge itself without requiring interaction with the domain controller since it has the password hash stored locally on its SAM.