Older protocols are hard to kill. From file-sharing protocols like SMBv1 to network authentication protocols like Windows NT LAN Manager (NTLM), we typically need time and planning to move off protocols we rely on. Many of us are still using NTLM to authenticate to our networks, especially for remote access during the pandemic. This old but widely used protocol was the default for network authentication in the Windows NT 4.0 operating system. It is less secure than more modern protocols such as Kerberos.

Why is NTLM a concern? Generally speaking, the older a protocol is, the more likely it is to depend on older ciphers. NTLM v1 uses the DES block cipher with keys derived from an MD4 password hash. It is possible to break it by brute force, mainly because a full 128-bit key is not used. NTLM v2 uses a stronger hash algorithm and encryption. Still, it remains exposed to pass-the-hash and man-in-the-middle techniques.

If possible, wean yourself off using NTLM. At a minimum, you should know exactly when and where NTLM is still being used in your network.

How to audit for NTLM use
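The article does not walk through the audit itself, so here is an added example (not the author's procedure) showing the kind of check a defender would run over exported Windows Security logon events. It assumes each event ID 4624 record has been exported as a dictionary keyed by the event's data field names (AuthenticationPackageName, LmPackageName, TargetUserName, and so on, as they appear in the event XML); the sample events below are constructed for illustration. Kerberos logons are ignored, NTLM logons are counted by version, and any LM or NTLM V1 logon is listed with its source so you know exactly where the legacy protocol is still in use.

```python
"""Inventory NTLM use from exported Windows Security log logon events (ID 4624).

Added example, not code from the original article. Input format is an
assumption: one dict per event using the EventData field names of a 4624 event.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

LEGACY_VERSIONS = {"LM", "NTLM V1"}  # anything older than NTLM V2 is flagged


@dataclass(frozen=True)
class NtlmUse:
    version: str      # "LM", "NTLM V1", "NTLM V2" or "UNKNOWN"
    account: str      # DOMAIN\user that was authenticated
    source_ip: str    # IpAddress field of the logon event
    workstation: str  # WorkstationName field of the logon event
    logon_type: str   # LogonType field (3 = network logon)


def classify_event(event: dict) -> Optional[NtlmUse]:
    """Return an NtlmUse record if this 4624 event authenticated with NTLM.

    Kerberos logons carry AuthenticationPackageName 'Kerberos' and return None,
    as do non-4624 events. LmPackageName ('Package Name (NTLM only)' in the
    rendered message) separates LM / NTLM V1 / NTLM V2 and is '-' otherwise.
    """
    if str(event.get("EventID")) != "4624":
        return None
    if event.get("AuthenticationPackageName", "").upper() != "NTLM":
        return None
    version = event.get("LmPackageName", "-").upper()
    if version not in LEGACY_VERSIONS | {"NTLM V2"}:
        version = "UNKNOWN"
    account = f"{event.get('TargetDomainName', '')}\\{event.get('TargetUserName', '')}"
    return NtlmUse(
        version=version,
        account=account,
        source_ip=event.get("IpAddress", "-"),
        workstation=event.get("WorkstationName", "-"),
        logon_type=str(event.get("LogonType", "-")),
    )


def summarize(events: Iterable[dict]) -> dict:
    """Count NTLM logons by version and list every (source IP, account) pair
    that still authenticates with LM or NTLM V1."""
    uses = [u for u in map(classify_event, events) if u is not None]
    by_version = Counter(u.version for u in uses)
    legacy_sources = sorted(
        {(u.source_ip, u.account) for u in uses if u.version in LEGACY_VERSIONS}
    )
    return {
        "count": len(uses),
        "by_version": dict(by_version),
        "legacy_sources": legacy_sources,
    }


# Constructed sample export: one Kerberos logon, three NTLM logons, one failed logon.
SAMPLE_EVENTS = [
    {"EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "TargetDomainName": "CORP", "TargetUserName": "alice",
     "IpAddress": "10.0.0.4", "WorkstationName": "WS-ALICE"},
    {"EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetDomainName": "CORP", "TargetUserName": "bob",
     "IpAddress": "10.0.0.5", "WorkstationName": "FILESRV01"},
    {"EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "TargetDomainName": "CORP",
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.9",
     "WorkstationName": "OLDNAS"},
    {"EventID": "4625", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetDomainName": "CORP", "TargetUserName": "bob",
     "IpAddress": "10.0.0.5", "WorkstationName": "FILESRV01"},
    {"EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetDomainName": "CORP", "TargetUserName": "bob",
     "IpAddress": "10.0.0.5", "WorkstationName": "FILESRV01"},
]

if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    print(f"NTLM logons: {report['count']} {report['by_version']}")
    for ip, account in report["legacy_sources"]:
        print(f"LEGACY NTLM from {ip} as {account}")
```

Run against a real export, the `legacy_sources` list is the work queue for the migration: each entry is a host or service account that must be moved to Kerberos (or at least to NTLM v2) before NTLM can be restricted domain-wide.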

