LM vs NTLM - What's the difference?

2.7K    Asked by AndreaBailey in Cyber Security , Asked on Mar 21, 2022

I've noticed that when extracting password hashes from a domain controller (using Elcomsoft proactive password auditor) sometimes I'll get LM and NTLM hashes and other times I'll only get NTLM hashes.

I note that the NTLM + LM hashes (the accounts that contain both sets) are recovered orders of magnitude faster than the hashes that are only NTLM.

I'm curious as to why this is the case?

I understand that LM is the older and weaker of the two, but I don't understand why both LM and NTLM are being stored in these scenarios?

More importantly, given that it appears that NTLM hashes exclusively are the safer option, how can I enforce NTLM only and remove existing LM hashes for users?

Answered by Amit verma

LM vs NTLM

There's a pretty good Microsoft KB article on this exact subject. Basically, LM is used for compatibility with older clients. Specifically, Windows 98 and below. If you do not have any older clients on the network, then the cause for both hashes is most likely due to the password length being and not security related.

    In the event that the user's password is longer than 15 characters, the host or domain controller will not store the LM hash for the user; the LM response cannot be used to authenticate the user in this case. A response is still generated and placed in the LM Response field, using a 16-byte null value (0x00000000000000000000000000000000) as the LM hash in the calculation. This value is ignored by the target.

It is advised to disable LM hashes as the protocol is severely broken as you suggested. For those who might not be aware, some of the problems with LM's include:

  • Passwords are not case sensitive.
  • Passwords are split into 7 chars and hashed separately, making brute force trivial.
  • Passwords are limited to a maximum of 14 characters in length.
  • There are a couple methods to remove LM hashes listed in the KB article I mentioned. I will quote the GPO method in case the link goes bad.

Method 1: Implement the NoLMHash Policy by Using Group Policy

To disable the storage of LM hashes of a user's passwords in the local computer's SAM database by using Local Group Policy (Windows XP or Windows Server 2003) or in a Windows Server 2003 Active Directory environment by using Group Policy in Active Directory (Windows Server 2003), follow these steps: In Group Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options. In the list of available policies, double-click Network security: Do not store LAN Manager hash value on next password change. Click Enabled, and then click OK.



Your Answer

Online Course

Tutorials

Salesforce Tutorial

Software Testing Tutorial

SQL Tutorial

Business Analyst Tutorial

Devops Tutorial

Data Science Tutorial

AWS Tutorial

Hadoop Tutorial

SSRS Tutorial

AWS S3 Tutorial

Functional Testing Tutorial

SSAS Tutorial

Automation Testing Tutorial

Manual Testing Tutorial

Selenium Tutorial

Kubernetes Tutorial

Scala Tutorial

ETL Testing Tutorial

Python Tutorial

Pyspark Tutorial

R Tutorial

Unit Testing Tutorial

API Testing Tutorial

Puppet Tutorial

Integration Testing Tutorial

Chef Tutorial

Jenkins Tutorial

Ansible Tutorial

Vagrant Tutorial

Docker Tutorial

Interviews

Parent Categories

Copyright | JanBaskTraining.com