
Logon with NTLM hash password

yuriproshkin Member Posts: 2
edited December 2019 in NTDEV

Hi, I graduated recently from university and got my first project from the company (I know I am not a professional, but please accept me as a student who wants to grow in the industry if you find this question silly).

In this project (my first as an employed programmer), I should develop a program which gets a username, an NTLM password hash, and the address of a local or remote machine, and joins that machine with those credentials. I wanted to know how I can do this project and how I should go through it. Is there any guide for a newbie software developer who has just started working in the industry, or can some of you give me some links or tutorials for this project?


  • Peter_Viscarola_(OSR) Administrator Posts: 7,583

    Hmmmm... I'm afraid this question is not really within the scope of problems we discuss here on NTDEV. Still, I'll leave it here (and not lock the thread) in case anyone happens to want to answer it.

    I was under the impression that you couldn't read password hashes from the AD anymore. But that's just based on my general knowledge...


    Peter Viscarola

  • MBond2 Member Posts: 19

    Are you trying to use the SSPI API (InitializeSecurityContext, AcceptSecurityContext, etc.)?

    If so, this is not a project for someone new. These APIs are very complex and poorly designed. The samples on MSDN are adequate but leave out most error handling.

    Or are you trying to write a client that uses NTLM authentication? In 2019 / 2020 that would be odd, since the protocol is deprecated as insecure.

    Password hashes are stored in the SAM or AD, but you can't really get them from those locations per se. It is hard to help without knowing more about what your overall objective is.

  • yuriproshkin Member Posts: 2

    Thank you MBond2. Yeah, I agree with you that it is not a project for a newbie, but I got this task to implement. I have to implement a program which gets a username, a password (in NTLM hashed form) and the address of a domain controller. After getting these credentials, the program must log into that domain controller and get access from it. It is a completely hard and tough project for someone like me, but I have to implement it within a 4 month deadline.

  • Tim_Roberts Member - All Emails Posts: 13,204

    There is a huge difference between a "hard and tough project" and an "impossible project". If Peter and Marion are right, and their reputations suggest that they are, then the hashed password is not available, no matter how many months you have. That would hardly be surprising, given the security exposure it creates.

    What are you trying to do here? Are you trying to get a new machine to join the domain automatically? If you are logged in as a domain administrator, then that can be done easily using PowerShell, no coding required:

    If you're not logged in as domain administrator, then it's not possible. The whole point of having a domain administrator is that you can't perform administrative actions without logging in as the administrator.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.
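The PowerShell join Tim refers to, as an added example that is not part of the original post. The domain name `corp.example.com`, the OU path and the DC hostnames are assumptions. Note what the supported cmdlet asks for: `Add-Computer -Credential` takes a `PSCredential` holding a password, and there is no parameter that accepts an NT hash, which is why the respondents say the task as stated cannot be done with the documented APIs.

```powershell
# Added example, not from the thread. Assumes the domain "corp.example.com"
# and an OU "OU=Workstations,DC=corp,DC=example,DC=com"; both are placeholders.

function Test-DomainJoinPrerequisites {
    # Returns $true when the machine is not yet domain-joined and a DC for
    # $DomainName can be located through the _ldap._tcp.dc._msdcs SRV record.
    param([Parameter(Mandatory)][string]$DomainName)

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        Write-Warning "This machine is already a member of $($cs.Domain)"
        return $false
    }
    # Domain join needs to find a DC the same way the OS does: via DNS SRV.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
                           -ErrorAction SilentlyContinue |
           Where-Object QueryType -eq 'SRV'
    if (-not $srv) {
        Write-Warning "No DC SRV record found for $DomainName (DNS not pointed at the domain?)"
        return $false
    }
    Write-Verbose ("DCs advertised: " + (($srv.NameTarget | Sort-Object -Unique) -join ', '))
    return $true
}

function Join-ExampleDomain {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [string]$OUPath   # optional target OU for the new computer object
    )
    if (-not (Test-DomainJoinPrerequisites -DomainName $DomainName)) { return }

    # Get-Credential prompts for a username and a *password* (SecureString).
    # This is the only credential form Add-Computer accepts.
    $cred = Get-Credential -Message "Account permitted to join computers to $DomainName"

    $params = @{ DomainName = $DomainName; Credential = $cred; Force = $true; Restart = $true }
    if ($OUPath) { $params.OUPath = $OUPath }
    Add-Computer @params   # reboots on success because of -Restart
}

# Usage (run from an elevated PowerShell on the machine to be joined):
# Join-ExampleDomain -DomainName 'corp.example.com' `
#                    -OUPath 'OU=Workstations,DC=corp,DC=example,DC=com' -Verbose
```

The prerequisite check is worth keeping separate from the join itself: most failed joins in practice are DNS problems (the client cannot resolve the `_msdcs` SRV record), not permission problems, and checking that first gives a clearer error than the generic failure `Add-Computer` reports.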

  • MBond2 Member Posts: 19

    Again, are you trying to use the SSPI APIs? LogonUser? An LDAP bind?

    If you are asking here, we assume you are writing software for Windows (UM or KM). If so, there is absolutely no reason to be creating a raw protocol handler for NTLM or Kerberos, as these are built into the OS and used by the different authentication APIs.

    The SSPI APIs allow you to control the transport, and it is expected that your software will run on both the client and server (think about a standard TCP server). They provide a way to use Windows authentication and authorization for custom protocols.

    LogonUser and the SAM APIs will communicate with the local SAM database and/or a configured domain controller automatically (using NTLM or Kerberos as per the configured environment). They provide a way to get a logon / impersonation token to be used to access resources on the local machine (think about the Run as functionality in the start menu).

    LDAP binding will communicate with a specified domain controller from a stand-alone machine, a domain member, or a member of an unrelated domain using Microsoft standard protocols. Authentication may or may not be required depending on the operation in question, but if it is, then the LDAP API will do this internally based on options you supply (IIRC it uses SSPI internally).

    Once you know what kind of API is appropriate, it will be much easier to help you.
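Two of the three API choices MBond2 lists, LogonUser and an explicit LDAP bind, shown as an added example that is not code from the thread. It is PowerShell calling the same Win32 and .NET APIs a C or C# program would use. The DC `dc01.corp.example.com` and the account `CORP\svc-reader` are placeholders. Both calls take a plaintext password and hand the NTLM or Kerberos exchange to the OS (SSPI); neither has an input for an NT hash, which is the practical answer to the original question.

```powershell
# Added example, not from the thread. Placeholders: dc01.corp.example.com,
# CORP\svc-reader. Requires the account's password; no supported logon API
# accepts an NT hash.

# advapi32!LogonUserW via P/Invoke. Constants below are from winbase.h.
Add-Type -Namespace Win32 -Name Advapi -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string lpszUsername, string lpszDomain,
    string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);
'@

function Get-NetworkCredentialToken {
    # LOGON32_LOGON_NEW_CREDENTIALS: the returned token keeps the caller's local
    # identity and applies $Credential only to outbound network connections,
    # so the account needs no rights on the local machine (cf. "runas /netonly").
    param([Parameter(Mandatory)][pscredential]$Credential)
    $LOGON32_LOGON_NEW_CREDENTIALS = 9
    $LOGON32_PROVIDER_WINNT50      = 3   # Negotiate: Kerberos, NTLM fallback
    $nc    = $Credential.GetNetworkCredential()   # splits "CORP\user" into Domain/UserName
    $token = [IntPtr]::Zero
    $ok = [Win32.Advapi]::LogonUser($nc.UserName, $nc.Domain, $nc.Password,
              $LOGON32_LOGON_NEW_CREDENTIALS, $LOGON32_PROVIDER_WINNT50, [ref]$token)
    if (-not $ok) {
        $code = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw [System.ComponentModel.Win32Exception]::new($code)
    }
    # SafeHandle so the token is closed when disposed, even on error paths.
    return [Microsoft.Win32.SafeHandles.SafeAccessTokenHandle]::new($token)
}

function Invoke-WithNetworkCredential {
    # Runs $Action while impersonating the token; SMB/RPC/ADSI calls inside it
    # authenticate to remote hosts as $Credential. Returns what $Action emitted.
    param([Parameter(Mandatory)][pscredential]$Credential,
          [Parameter(Mandatory)][scriptblock]$Action)
    $handle = Get-NetworkCredentialToken -Credential $Credential
    $out    = [System.Collections.ArrayList]::new()
    try {
        $wrapped = [Action]{ [void]$out.AddRange(@(& $Action)) }.GetNewClosure()
        [System.Security.Principal.WindowsIdentity]::RunImpersonated($handle, $wrapped)
    } finally { $handle.Dispose() }   # CloseHandle on the token
    return $out
}

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-DomainRootDse {
    # Explicit LDAP bind to one DC. Bind() performs the Negotiate (Kerberos or
    # NTLM) exchange through SSPI; the caller only supplies credential and options.
    param([Parameter(Mandatory)][string]$Server,
          [Parameter(Mandatory)][pscredential]$Credential)
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, 389)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new(
                $id, $Credential.GetNetworkCredential(),
                [System.DirectoryServices.Protocols.AuthType]::Negotiate)
    try {
        $conn.SessionOptions.Signing = $true   # integrity: DCs that require LDAP signing reject unsigned binds
        $conn.SessionOptions.Sealing = $true   # confidentiality on the wire
        $conn.Bind()
        # RootDSE: base-scope search of the empty DN, the standard "who am I talking to" query.
        $req  = [System.DirectoryServices.Protocols.SearchRequest]::new(
                    '', '(objectClass=*)', 'Base', @('dnsHostName', 'defaultNamingContext'))
        $resp = $conn.SendRequest($req)
        $attrs = $resp.Entries[0].Attributes
        [pscustomobject]@{
            DnsHostName          = $attrs['dnsHostName'][0]
            DefaultNamingContext = $attrs['defaultNamingContext'][0]
        }
    } finally { $conn.Dispose() }
}

# Usage:
# $cred = Get-Credential -UserName 'CORP\svc-reader' -Message 'Password (not a hash)'
# Get-DomainRootDse -Server 'dc01.corp.example.com' -Credential $cred
# Invoke-WithNetworkCredential -Credential $cred -Action {
#     Get-ChildItem '\\dc01.corp.example.com\SYSVOL'
# }
```

The two functions answer MBond2's "which API" question for the two common cases: `LogonUser` with `LOGON32_LOGON_NEW_CREDENTIALS` when existing Windows code (file shares, RPC, ADSI) should simply run as another account against remote machines, and `LdapConnection` when the program only needs to talk to the directory itself. In both, the protocol choice and fallback between Kerberos and NTLM is the OS's decision, which is why hand-rolling NTLM is unnecessary.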
