NTLM2 Authentication – Quick Guide to Pen Testers

by CyberTest


Posted on April 3, 2020



There are many types of authentication out there, such as Kerberos, but this blog post focuses only on Microsoft's Windows NTLM2 authentication. In most cases you will be pen testing internally hosted web apps that use the NTLM2 SSO authentication protocol to log you in automatically when you are on the Active Directory domain. That makes it seamless for users, but as a pen tester you need to know how it works and what to test.

The first thing you need to know is how NTLM2 authentication works. In a nutshell:

1. Client computes a hash of the password and discards the actual password.
2. Client sends the user name to the server in plaintext.
3. Server generates a 16 byte random number and sends it to the client.
4. Client encrypts the 16 byte random number with the password hash generated in step 1 and sends the result to the server.
5. Server compares the hash it receives from the client with the hash it generates itself. If they match, the authentication succeeds; if not, the authentication fails.

NTLM2 uses the one-way hash function HMAC-MD5 to generate the hashes. NTLM2 also uses time stamps to prevent replay attacks. There is more to it, but this is a high-level description of how NTLM2 works.

Your job is to find out whether the data of the app you're testing contains any sensitive information. If it does, that data travels in plaintext unless the app uses HTTPS; that is a finding, and HTTPS will be required to secure the data. In some cases, where the site is internal and the data is public or contains nothing sensitive, it may be acceptable to use NTLM2 without HTTPS. Kerberos offers better security than NTLM2, but when Kerberos is not supported, authentication falls back to NTLM2.