SMB relay attack

1. NTLM hash and Net-NTLM hash

The NTLM (v1 / v2) hash is stored in the Security Accounts Manager (SAM) database and in the NTDS.dit database. If the hash value is obtained directly, it can be used in a Pass-the-Hash attack.

The Net-NTLM (v1 / v2) hash value is calculated from the user's NTLM password hash during network authentication, in the following steps:

1. The client sends a login request to the server; the request includes the user name in plaintext. The server has the login user name and the corresponding password hash stored in advance.
2. After receiving the request, the server generates a 16-bit random number (called the Challenge) and returns it to the client in plaintext. It also encrypts the Challenge with the stored password hash of the login user, obtaining Challenge1.
3. After receiving the Challenge, the client encrypts it with the login user's password hash, obtaining Challenge2 (this result is called the Response), and sends the Response (the Net-NTLM hash) to the server.
4. The server receives the client's encrypted Response and compares it with Challenge1; if the two are identical, authentication succeeds.

PS:

1. In NTLM authentication, the NTLM response is divided into three protocols: NTLMv1, NTLMv2 and NTLM session v2. Different protocols use different encryption algorithms and different Challenge formats, so there are Net-NTLM hashes for the different protocols, i.e. Net-NTLM v1 hash and Net-NTLM v2 hash.

2. The Response is the concrete form of the Net-NTLM hash: it is the result of the client encrypting the Challenge returned by the server with the password hash.
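As an added illustration of the challenge/response steps above (example code written for this page, not from the original post), the Net-NTLMv2 Response is computed and verified the way MS-NLMP specifies it: the stored NTLM hash is MD4(UTF-16LE(password)) and the Response is an HMAC-MD5 over the server Challenge, keyed by a value derived from that hash. The user name, domain, Challenge and the simplified client blob are constructed sample values; a real NTLMv2 blob also carries a timestamp and target information.

```python
import hmac
import hashlib
import struct
import os

def md4(data: bytes) -> bytes:
    """Minimal RFC 1320 MD4, inlined because OpenSSL 3 builds of Python often lack hashlib md4."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, s: ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = ((F, 0x00000000, (3, 7, 11, 19), range(16)),
              (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
              (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = rol((a + f(b, c, d) + X[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next step updates d, then c, then b
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)

def ntlm_hash(password: str) -> bytes:
    """NTLM hash (NTOWFv1): MD4 over the UTF-16LE password. This is what SAM / NTDS.dit store."""
    return md4(password.encode("utf-16-le"))

def ntlmv2_response(nt_hash, user, domain, server_challenge, client_blob):
    """Net-NTLMv2 'Response' (NTProofStr): HMAC-MD5 keyed by a hash-derived key; the hash itself is never sent."""
    ntowf_v2 = hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(ntowf_v2, server_challenge + client_blob, hashlib.md5).digest()

def server_verify(stored_hash, user, domain, challenge, blob, response) -> bool:
    """Server side: recompute 'Challenge1' from the stored hash and compare it with the client's Response."""
    expected = ntlmv2_response(stored_hash, user, domain, challenge, blob)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    h = ntlm_hash("Password")                        # constructed sample credential
    chal = bytes.fromhex("0123456789abcdef")        # server's random Challenge (constructed)
    blob = bytes(16) + bytes.fromhex("aaaaaaaaaaaaaaaa") + bytes(8)  # simplified client blob (constructed)
    resp = ntlmv2_response(h, "User", "Domain", chal, blob)
    print("NTLM hash  :", h.hex())
    print("Net-NTLMv2 :", resp.hex())
    print("verified   :", server_verify(h, "User", "Domain", chal, blob, resp))
    print("same Response under a new Challenge:", ntlmv2_response(h, "User", "Domain", os.urandom(8), blob) == resp)
```

The last line shows the difference between the two hash types that the text draws: the stored NTLM hash is a fixed credential, while a Net-NTLM hash is bound to one Challenge and changes every time the server issues a new one.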


Source: www.cnblogs.com/websecyw/p/11276374.html