Give a detailed explanation of NTLM Hash.

Asked by AnilJha in Cyber Security, asked on Feb 9, 2022

I have recently dumped some hashes from my local machine because I'm trying to understand the process by which Windows 7 hashes its passwords.

I have discovered my local password hash that looks (similar) to this: Jason:502:aad3c435b514a4eeaad3b935b51304fe:c46b9e588fa0d112de6f59fd6d58eae3:::
Now what I would like to know is what the different sections mean, so:
We have this hash: Jason:502:aad3c435b514a4eeaad3b935b51304fe:c46b9e588fa0d112de6f59fd6d58eae3::: that looks to be separated by : and if we separate this by the : we end up with this:
[Jason, :, 502, :, aad3c435b514a4eeaad3b935b51304fe, :, c46b9e588fa0d112de6f59fd6d58eae3, :, :, :]
I'm assuming the first part Jason is the username, that's the most logical to me.
The third part aad3c435b514a4eeaad3b935b51304fe is the NTLM hash would be my best guess.
If my assumption is correct then that leaves c46b9e588fa0d112de6f59fd6d58eae3 and 502 left.
I'd guess that the other hash (c46b9e588fa0d112de6f59fd6d58eae3) is the derived key, that is created from the password itself.

The 502 would be the binary data of the user.

And the : is just a separator or a padding.

Now for my question: am I correct in my assumptions on what each part of the hash represents? If not, can someone please explain to me what each part represents?


Answered by Andrea Bailey

Using
[Jason, :, 502, :, aad3c435b514a4eeaad3b935b51304fe, :, c46b9e588fa0d112de6f59fd6d58eae3, :, :,
as the example:
Jason is the user name
502 is the relative identifier (500 is an administrator, 502 here is a Kerberos account.) (adsecurity.org/?p=483)
aad3c435b514a4eeaad3b935b51304fe is the LM hash
c46b9e588fa0d112de6f59fd6d58eae3 is the NTLM hash
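
The field layout given in the answer, as an added example that is not part of the original answer: a small parser for a `user:RID:LM:NT:::` line that names each field and reports what a defender would check in it. The function and class names are hypothetical, and the empty-password hash constants and RID names are well-known Windows values rather than values from this page.

```python
import re
from typing import List, NamedTuple

# Well-known values (not from the page): the LM and NT hashes of an empty
# password, which dump tools emit when no real hash is stored in that slot.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# Well-known relative identifiers; any other RID is an ordinary account.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt (Kerberos)"}
HEX32 = re.compile(r"[0-9a-fA-F]{32}")

class DumpEntry(NamedTuple):
    username: str
    rid: int
    lm_hash: str
    nt_hash: str

def parse_dump_line(line: str) -> DumpEntry:
    """Split 'user:rid:lm:nt:::' into named fields, validating each one."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("expected at least user:rid:lm:nt")
    user, rid, lm, nt = parts[:4]
    if not rid.isdigit():
        raise ValueError(f"RID is not numeric: {rid!r}")
    for name, value in (("LM", lm), ("NT", nt)):
        if not HEX32.fullmatch(value):
            raise ValueError(f"{name} hash is not 32 hex characters: {value!r}")
    return DumpEntry(user, int(rid), lm.lower(), nt.lower())

def audit(entry: DumpEntry) -> List[str]:
    """Return defender-facing observations about one parsed entry."""
    findings = []
    if entry.rid in WELL_KNOWN_RIDS:
        findings.append(f"well-known RID {entry.rid}: {WELL_KNOWN_RIDS[entry.rid]}")
    if entry.lm_hash != EMPTY_LM:
        findings.append("LM hash stored: disable LM hash storage and change the password")
    if entry.nt_hash == EMPTY_NT:
        findings.append("NT hash is that of an empty password")
    return findings

if __name__ == "__main__":
    # The line from the question (the asker says the values are only similar to the real ones).
    sample = "Jason:502:aad3c435b514a4eeaad3b935b51304fe:c46b9e588fa0d112de6f59fd6d58eae3:::"
    entry = parse_dump_line(sample)
    print(entry)
    for finding in audit(entry):
        print(" -", finding)
```
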
