Cyber Security Interview Prep. Q7: "NTLM Authentication"
- mahfuz3895
- Sep 30, 2021
- 1 min read
Category: Security
Question: What is NTLM? How does it work?
My answer:
NTLM is an authentication protocol used by Windows machines. It is the older method and uses a three-way handshake (no relation to TCP's 😅). Where possible, Kerberos is favoured over NTLM; however, if Kerberos is not available, systems will often fall back to NTLM.
In a nutshell, NTLM works in 3 steps:
1) The client sends a request to the server.
2) The server replies with a challenge.
3) The client sends a response.
If the response is correct, the user account named in the client's initial request is authenticated.
If we were asked to further break down the NTLM authentication process, we could elaborate as follows (note that, since we are providing more detail, I have added one more step, the last one, which was not included in my simpler explanation of NTLM above):
1) The Client sends a request to the server, supplying the username of the account that is in use.
2) The Server generates a random string called a nonce. This is the "challenge". It is constructed so that only the holder of the correct password can calculate the correct response to it.
3) The Client uses the password for the user account it supplied to the server to calculate the correct response to the challenge, and sends this back to the Server.
4) The Server checks the response supplied by the Client by comparing it with the response the Server expected. If it matches, the Client's account is authenticated.
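To make the three-step and four-step descriptions above concrete, here is an added, runnable model of the exchange (it is my example code, not Microsoft's implementation or anything from the original post). It follows the NTLMv2 computation from MS-NLMP: the NT hash is MD4 over the UTF-16LE password, NTOWFv2 is HMAC-MD5 keyed with that hash, and the response is HMAC-MD5 over the server's challenge plus a client blob. The username `alice`, domain `CORP`, password `password`, and the timestamp are constructed sample values, and the `NtlmServer` class, `authenticate` and `replay_is_rejected` helpers are mine. MD4 is written out in pure Python because modern OpenSSL builds frequently disable it.

```python
"""Added example: a runnable model of the NTLM(v2) challenge/response exchange.
Teaching code, not Microsoft's implementation; names, password and timestamp
are constructed sample values."""
import hmac
import secrets
import struct

MASK = 0xFFFFFFFF
SAMPLE_TIMESTAMP = 0x01D7B5A0_00000000  # constructed FILETIME-style value


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). The NT hash is MD4 of the UTF-16LE password."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK
    rounds = (
        (lambda x, y, z: (x & y) | (~x & MASK & z), 0x00000000,
         range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        w = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + w[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password. The server stores this, never the password."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) || domain (UTF-16LE)."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def client_response(password: str, user: str, domain: str, server_nonce: bytes,
                    target_info: bytes = b"") -> bytes:
    """Step 3: the client derives the key from its password and answers the challenge.
    Returns NTProofStr || blob, the NtChallengeResponse field of NTLMv2."""
    key = ntowf_v2(nt_hash(password), user, domain)
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", SAMPLE_TIMESTAMP)
            + secrets.token_bytes(8) + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(key, server_nonce + blob, "md5").digest()
    return proof + blob


class NtlmServer:
    """Holds NT hashes only and issues single-use 8-byte challenges (my helper)."""
    def __init__(self, accounts: dict):
        self.accounts = accounts      # {username: nt_hash}
        self.pending = {}             # outstanding challenge -> username

    def challenge(self, user: str) -> bytes:
        """Step 2: generate the nonce that only the right password can answer."""
        nonce = secrets.token_bytes(8)
        self.pending[nonce] = user
        return nonce

    def verify(self, nonce: bytes, user: str, domain: str, response: bytes) -> bool:
        """Step 4: recompute the expected proof from the stored hash and compare.
        A challenge is consumed on first use, so a replayed response fails."""
        if self.pending.pop(nonce, None) != user:
            return False
        nthash = self.accounts.get(user)
        if nthash is None:
            return False
        proof, blob = response[:16], response[16:]
        expected = hmac.new(ntowf_v2(nthash, user, domain), nonce + blob, "md5").digest()
        return hmac.compare_digest(proof, expected)


def authenticate(typed_password: str, user: str = "alice", domain: str = "CORP") -> bool:
    """Run all four steps: request with username, challenge, response, check."""
    server = NtlmServer({user: nt_hash("password")})      # constructed account
    nonce = server.challenge(user)                         # steps 1 and 2
    response = client_response(typed_password, user, domain, nonce)  # step 3
    return server.verify(nonce, user, domain, response)    # step 4


def replay_is_rejected(user: str = "alice", domain: str = "CORP") -> bool:
    """Same valid response presented twice: accepted once, refused the second time."""
    server = NtlmServer({user: nt_hash("password")})
    nonce = server.challenge(user)
    response = client_response("password", user, domain, nonce)
    first = server.verify(nonce, user, domain, response)
    second = server.verify(nonce, user, domain, response)
    return first and not second


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("correct password accepted:", authenticate("password"))
    print("wrong password rejected:", not authenticate("Password"))
    print("replay rejected:", replay_is_rejected())
```

Two things worth noticing from a defender's side: the server never needs the plaintext password, only the NT hash, so that hash is exactly what must be protected on the server, and the challenge is random and single-use, which is what stops a captured response from being presented again. In the real wire protocol the username travels with the response in the AUTHENTICATE message rather than in the first request; the model above follows the post's simplified ordering.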