Friday, September 4, 2015

How does NTLM authentication work?

NTLM Protocol

  1. User requests access. The user tries to log on to the client by providing user credentials. Before logon, the client computer caches the password hash and discards the password. The client sends a request to the server, which includes the user name along with the request in plain text.
  2. Server sends a challenge message. The server generates a 16-byte random number called challenge, or nonce, and sends it to the client.
  3. Client sends response message. The client uses a password hash generated from the user's password to encrypt the challenge sent by the server. It sends this encrypted challenge in the form of a response back to the server.
  4. Server sends challenge and response to domain controller. The server sends the user name, the original challenge, and the response from the client computer to the domain controller.
  5. Domain controller compares challenge and response to authenticate user. The domain controller obtains the password hash for the user, and then uses this hash to encrypt the original challenge. Next, the domain controller compares the encrypted challenge with the response from the client computer. If they match, the domain controller sends the server confirmation that the user is authenticated.
  6. Server sends response to the client. Assuming valid credentials, the server grants the client access to the requested service or resource.

NTLM Handshake

When a client needs to authenticate itself to a proxy or server using the NTLM scheme, the following 4-way handshake takes place.

    1: C  --> S   GET ...

    2: C <--  S   401 Unauthorized
                  WWW-Authenticate: NTLM

    3: C  --> S   GET ...
                  Authorization: NTLM <base64-encoded type-1-message>

    4: C <--  S   401 Unauthorized
                  WWW-Authenticate: NTLM <base64-encoded type-2-message>

    5: C  --> S   GET ...
                  Authorization: NTLM <base64-encoded type-3-message>

    6: C <--  S   200 OK


NTLM Message Types

During the handshake, three types of messages are used.

Type 1 message: The Type 1 message is sent from the client to the server to initiate NTLM authentication.

Type 2 message: The Type 2 message is sent by the server to the client in response to the client's Type 1 message. It serves to complete the negotiation of options with the client, and also provides a challenge to the client.

Type 3 message: The Type 3 message is the final step in authentication. This message contains the client's responses to the Type 2 challenge, which demonstrate that the client has knowledge of the account password without sending the password directly.
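To see what step 4 of the handshake actually carries, here is an added example (not code from the original post) that decodes the base64 Type 2 message from a WWW-Authenticate header and pulls out the server challenge, the target name and the negotiated flags. The sample header is constructed inline with a hypothetical challenge value and target "CORP"; the field layout and flag bits follow the public MS-NLMP layout of the CHALLENGE_MESSAGE.

```python
import base64
import struct

# Subset of MS-NLMP NegotiateFlags, used to describe what the server offered.
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}

def build_type2(challenge, target, flags):
    """Construct a sample Type 2 message header value (constructed test data)."""
    name = target.encode("utf-16-le")              # NEGOTIATE_UNICODE is set
    hdr = b"NTLMSSP\x00" + struct.pack("<I", 2)    # signature + MessageType 2
    hdr += struct.pack("<HHI", len(name), len(name), 48)  # TargetName at offset 48
    hdr += struct.pack("<I", flags) + challenge + b"\x00" * 8  # flags, challenge, reserved
    hdr += struct.pack("<HHI", 0, 0, 48 + len(name))      # empty TargetInfo
    return "NTLM " + base64.b64encode(hdr + name).decode("ascii")

def parse_type2(header_value):
    """Parse a 'WWW-Authenticate: NTLM <base64>' value into the Type 2 fields."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM challenge header")
    msg = base64.b64decode(token)
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("bad NTLMSSP signature or truncated message")
    msg_type, name_len, _, name_off, flags, challenge = struct.unpack("<IHHII8s", msg[8:32])
    if msg_type != 2:
        raise ValueError("expected Type 2 message, got type %d" % msg_type)
    if name_off + name_len > len(msg):
        raise ValueError("TargetName offset/length points outside the message")
    name = msg[name_off:name_off + name_len]
    return {
        "target": name.decode("utf-16-le") if flags & 0x1 else name.decode("ascii"),
        "challenge": challenge.hex(),          # the server nonce the client must answer
        "flags": [n for bit, n in sorted(NTLM_FLAGS.items()) if flags & bit],
    }

# Hypothetical challenge value and flags; a real server picks the nonce at random.
SAMPLE_HEADER = build_type2(bytes.fromhex("0123456789abcdef"), "CORP", 0x00090205)
```

A defender debugging a proxy or reviewing captured headers can feed `parse_type2` a real value and check, for example, whether NEGOTIATE_EXTENDED_SESSIONSECURITY and signing were negotiated.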
