LM vs NTLM - What's the difference?

3.5K    Asked by AndreaBailey in Cyber Security , Asked on Mar 21, 2022

I've noticed that when extracting password hashes from a domain controller (using Elcomsoft proactive password auditor) sometimes I'll get LM and NTLM hashes and other times I'll only get NTLM hashes.

I note that the NTLM + LM hashes (the accounts that contain both sets) are recovered orders of magnitude faster than the hashes that are only NTLM.

I'm curious as to why this is the case?

I understand that LM is the older and weaker of the two, but I don't understand why both LM and NTLM are being stored in these scenarios?

More importantly, given that it appears that NTLM hashes exclusively are the safer option, how can I enforce NTLM only and remove existing LM hashes for users?

Answered by Amit verma

LM vs NTLM

There's a pretty good Microsoft KB article on this exact subject. Basically, LM is used for compatibility with older clients. Specifically, Windows 98 and below. If you do not have any older clients on the network, then the cause for both hashes is most likely due to the password length being and not security related.

    In the event that the user's password is longer than 15 characters, the host or domain controller will not store the LM hash for the user; the LM response cannot be used to authenticate the user in this case. A response is still generated and placed in the LM Response field, using a 16-byte null value (0x00000000000000000000000000000000) as the LM hash in the calculation. This value is ignored by the target.

It is advised to disable LM hashes as the protocol is severely broken as you suggested. For those who might not be aware, some of the problems with LM's include:

  • Passwords are not case sensitive.
  • Passwords are split into 7 chars and hashed separately, making brute force trivial.
  • Passwords are limited to a maximum of 14 characters in length.
  • There are a couple methods to remove LM hashes listed in the KB article I mentioned. I will quote the GPO method in case the link goes bad.

Method 1: Implement the NoLMHash Policy by Using Group Policy

To disable the storage of LM hashes of a user's passwords in the local computer's SAM database by using Local Group Policy (Windows XP or Windows Server 2003) or in a Windows Server 2003 Active Directory environment by using Group Policy in Active Directory (Windows Server 2003), follow these steps: In Group Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options. In the list of available policies, double-click Network security: Do not store LAN Manager hash value on next password change. Click Enabled, and then click OK.



Your Answer

Answer (1)

Ranjana

LM (LAN Manager) and NTLM (NT LAN Manager) are two authentication protocols used in Windows environments for securing access to resources. They have significant differences in terms of security, functionality, and usage. Here’s a detailed comparison:


LM (LAN Manager)

**1. Historical Context:

LM was introduced in the 1980s as part of Microsoft's LAN Manager software.

It was used in early Windows versions, such as Windows 95 and Windows 98.

**2. Security:

Weak Hashing Algorithm: LM uses a relatively weak hashing algorithm that is susceptible to modern attacks.

Case-Insensitive: LM passwords are not case-sensitive, reducing the complexity and security of the passwords.

Divided Passwords: LM splits the password into two 7-character chunks and hashes them separately, further weakening the security.

Vulnerable to Attacks: Due to the weak hashing and short password segments, LM is highly vulnerable to brute-force and rainbow table attacks.

**3. Password Handling:

No Salting: LM hashes are not salted, making them more vulnerable to precomputed attacks.

Legacy Compatibility: Despite its weaknesses, LM was kept for compatibility with older systems until it was deprecated.

NTLM (NT LAN Manager)

**1. Historical Context:

NTLM was introduced with Windows NT and has been used in various versions of Windows, including Windows 2000, XP, Vista, 7, and Server editions.

NTLM is still used in some form in modern Windows versions, though it is being replaced by more secure protocols like Kerberos.

**2. Security:

Stronger Hashing Algorithm: NTLM uses a stronger hashing algorithm (MD4 and MD5 in different versions) than LM.

Case-Sensitive: NTLM passwords are case-sensitive, increasing the complexity and security of the passwords.

Single Hash: NTLM hashes the entire password as a single entity, unlike LM's splitting method.

NTLMv2: An improved version, NTLMv2, introduced more security enhancements, including the use of stronger cryptographic algorithms and better handling of challenge-response mechanisms.

**3. Password Handling:

Salting: NTLMv2 includes salting mechanisms to make precomputed attacks more difficult.

Challenge-Response: NTLM uses a challenge-response mechanism for authentication, where the server sends a challenge, and the client responds with a hashed value, adding an extra layer of security compared to LM.

Backward Compatibility: NTLM can still be used in environments where older systems are present, but it is recommended to use NTLMv2 for enhanced security.

Key Differences

Hashing Algorithm:

LM: Uses DES-based hashing which is weaker.

NTLM: Uses MD4 and MD5-based hashing (NTLMv2 is stronger).

Password Case Sensitivity:

LM: Case-insensitive.

NTLM: Case-sensitive.

Password Length Handling:

LM: Splits passwords into 7-character chunks.

NTLM: Handles the entire password as a single hash.

Security Vulnerabilities:

LM: Highly vulnerable to brute-force, rainbow table, and other modern attacks.

NTLM: More secure, especially NTLMv2, but still has vulnerabilities compared to newer protocols like Kerberos.

Usage:

LM: Deprecated and should not be used in modern environments.

NTLM: Still in use, particularly NTLMv2, but gradually being replaced by more secure protocols like Kerberos.

Summary

LM is an older and much weaker authentication protocol that has been largely phased out due to its significant security vulnerabilities. NTLM, especially NTLMv2, offers improved security features but is still not as robust as modern authentication protocols like Kerberos. For contemporary environments, it is recommended to use NTLMv2 if NTLM is necessary, but to prefer Kerberos wherever possible for its stronger security guarantees.

6 Months

Online Course

Tutorials

Salesforce Tutorial

Software Testing Tutorial

SQL Tutorial

Business Analyst Tutorial

Devops Tutorial

Data Science Tutorial

AWS Tutorial

Hadoop Tutorial

SSRS Tutorial

AWS S3 Tutorial

Functional Testing Tutorial

SSAS Tutorial

Automation Testing Tutorial

Manual Testing Tutorial

Selenium Tutorial

Kubernetes Tutorial

Scala Tutorial

ETL Testing Tutorial

Python Tutorial

Pyspark Tutorial

R Tutorial

Unit Testing Tutorial

API Testing Tutorial

Puppet Tutorial

Integration Testing Tutorial

Chef Tutorial

Jenkins Tutorial

Ansible Tutorial

Vagrant Tutorial

Docker Tutorial

Interviews

Parent Categories

Copyright | JanBaskTraining.com