Credential Dumping: NTLM Hash Dump

Tilak Upadhyay - Nov 6 - - Dev Community

What is NTLM?

NTLM (NT LAN Manager) is a suite of Microsoft security protocols designed to provide authentication and encryption for users accessing network resources. NTLM was introduced in the early versions of Windows and is now largely considered outdated, yet it remains prevalent in various systems due to compatibility with legacy applications and networks.

Data Stored in NTLM:

NTLM stores crucial credential data in the form of hashes rather than plaintext passwords, enhancing security by preventing exposure of actual passwords. The primary types of data associated with NTLM include:

  1. User Password Hashes: NTLM generates a hash from a user’s password, which is stored in a secure location. When a user attempts to authenticate, the system hashes the input password and compares it to the stored hash.
  2. Challenge/Response Mechanism: NTLM uses a challenge/response mechanism for authentication. When a user logs in, the server sends a challenge to the client. The client then uses its password hash to compute a response, which is sent back to the server for validation.
  3. Session Keys: NTLM can generate session keys during authentication to encrypt communications between the client and server, ensuring confidentiality and integrity of data exchanged during the session.
  4. Security Identifiers (SIDs): NTLM also utilizes SIDs to uniquely identify users and groups within Windows environments, facilitating access control and permissions management.

What is NTLM Credential Dumping?

NTLM Credential dumping is a critical post-exploitation activity where an attacker collects NTLM hashes from a compromised Windows system.

Once attackers extract NTLM hashes, they can use them in pass-the-hash attacks, enabling unauthorized access or lateral movement within a network. This article outlines the methods of NTLM hash extraction, detection strategies and the chances of generating false positives when detecting these activities using SIEM and EDR queries.

NTLM hashes are commonly found in two locations:

1. Non-Domain Controller Systems (e.g., Workstations and Servers): NTLM hashes are primarily stored in the memory of the LSASS (Local Security Authority Subsystem Service) process. This process manages security policies and handles account logins, which makes it a target for credential dumping attacks on individual workstations and servers.

2. Domain Controller Systems: On domain controllers, NTLM hashes are stored within the NTDS.dit file—the Active Directory database file. This file contains hashed credentials for all users in the domain, making it a high-value target for attackers aiming to compromise a network.

. . .