What is Windows local password NTLM hashes

482 Asked by Aashishchaursiya in SQL Server, Asked on Nov 29, 2021

Recently I dumped some hashes from my local machine because I'm trying to understand the process by which Windows 7 hashes its passwords. There I discovered my local password hash, which looks (similar) to this: Jason:502:aad3c435b514a4eeaad3b935b51304fe:c46b9e588fa0d112de6f59fd6d58eae3:::

Now what I would like to know is the meaning of the different sections, so we have this hash: Jason:502:aad3c435b514a4eeaad3b935b51304fe:c46b9e588fa0d112de6f59fd6d58eae3:::

which looks to be separated by ":". If we split it on the ":" we end up with this:

[Jason, :, 502, :, aad3c435b514a4eeaad3b935b51304fe, :, c46b9e588fa0d112de6f59fd6d58eae3, :, :, :]

  • I'm assuming the first part, Jason, is the username; that's the most logical to me.
  • The third part, aad3c435b514a4eeaad3b935b51304fe, is the NTLM hash would be my best guess.
  • If I have assumed correctly, then that leaves c46b9e588fa0d112de6f59fd6d58eae3 and 502.
  • I'd guess that the other hash (c46b9e588fa0d112de6f59fd6d58eae3) is the derived key that is created from the password itself.
  • The 502 would be the binary data of the user.
  • And the ":" is just a separator or padding.

Now I want to confirm: am I correct in my assumptions about what each part of the hash represents? If not, can someone please explain to me what each section represents?

Using [Jason, :, 502, :, aad3c435b514a4eeaad3b935b51304fe, :, c46b9e588fa0d112de6f59fd6d58eae3, :, :, :] as the example:

  • Jason is the user name
  • 502 is the relative identifier (500 is an administrator; 502 here is a Kerberos account.) (adsecurity.org/?p=483)
  • aad3c435b514a4eeaad3b935b51304fe is the LM hash
  • c46b9e588fa0d112de6f59fd6d58eae3 is the NT hash
  • Details on the difference between the hashes can be found here: LM / NT Hashes

What is an NTLM hash?

Microsoft’s Windows New Technology LAN Manager (NTLM) is a set of protocols that allows hosts to verify their identification while also protecting the privacy and confidentiality of their data. NTLM is the replacement for Microsoft LAN Manager (LANMAN), an earlier Microsoft product.

A security support provider that incorporates the LAN Manager identification protocol, NTLMv1, NTLMv2, and NTLM2 session protocols in a standard bundle, implements the NTLM protocol set. NTLM uses a challenge-response process for user authentication. NTLM uses a three-way handshake:

  • Client → Negotiation Message.
  • Server → Challenge Message.
  • Client → Authentication Message.
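As an added example (not code from the question or the answer), here is a small Python parser for the pwdump-style line discussed above. It splits the line into the four fields named in the answer, labels the well-known RIDs, and runs a defensive check that flags accounts whose LM field is not the documented "no LM hash stored" sentinel; the questioner's LM value only resembles that sentinel, so it is flagged. The RID labels and sentinel value are documented Windows facts; the sample dump lines are constructed.

```python
import re
from dataclasses import dataclass

# Documented LM field value meaning "no LM hash stored" (LM storage disabled
# or password over 14 chars). The question's value only resembles it.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
# Well-known relative identifiers (RIDs) assigned by Windows.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt", 503: "DefaultAccount"}

@dataclass
class PwdumpEntry:
    username: str
    rid: int
    lm_hash: str
    nt_hash: str

def parse_pwdump_line(line: str) -> PwdumpEntry:
    """Split a pwdump-style line 'user:RID:LMhash:NThash:::' into its fields."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError(f"expected at least 4 colon-separated fields: {line!r}")
    username, rid, lm_hash, nt_hash = fields[:4]
    for value in (lm_hash, nt_hash):
        if not re.fullmatch(r"[0-9a-fA-F]{32}", value):
            raise ValueError(f"hash field is not 32 hex characters: {value!r}")
    return PwdumpEntry(username, int(rid), lm_hash.lower(), nt_hash.lower())

def describe_rid(rid: int) -> str:
    """Name a well-known RID, otherwise classify it by range."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "user-created account" if rid >= 1000 else "built-in/reserved"

def accounts_with_stored_lm_hash(lines: list[str]) -> list[str]:
    """Audit check: accounts whose LM field is a real hash rather than the
    empty sentinel, i.e. the weak LM hash is still being stored for them."""
    return [e.username for e in map(parse_pwdump_line, lines)
            if e.lm_hash != EMPTY_LM_HASH]

# Constructed sample dump (not real credentials); first line is the question's.
SAMPLE_DUMP = [
    "Jason:502:aad3c435b514a4eeaad3b935b51304fe:c46b9e588fa0d112de6f59fd6d58eae3:::",
    "alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
]

if __name__ == "__main__":
    for entry in map(parse_pwdump_line, SAMPLE_DUMP):
        print(entry.username, describe_rid(entry.rid), entry.nt_hash)
    print("LM hash stored for:", accounts_with_stored_lm_hash(SAMPLE_DUMP))
```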
