Logon with NTLM hash password

Hi, I graduated recently from university and I got my first project from the company (I know I am not a professional, but please accept me as a student who wants to grow in the industry if you find this question silly).

In this project (my first as an employed programmer), I should develop a program which gets a username, an NTLM hash password, and the address of a local or remote machine, and joins that machine with the credentials. I wanted to know how I can do this project and how I should go through it. Is there any guide for a newbie software developer who has started his work in the industry, or can some of you give me some links or tutorials for this project?

Hmmmm… I’m afraid this question is not really within the scope of problems we discuss here on NTDEV. Still, I’ll leave it here (and not lock the thread) in case anyone happens to want to answer it.

I was under the impression that you couldn’t read password hashes from the AD anymore. But that’s just based on my general knowledge…

Peter

Are you trying to use the SSPI API? InitializeSecurityContext, AcceptSecurityContext, etc.?

If so, this is not a project for someone new. These APIs are very complex and poorly designed. The samples on MSDN are adequate but leave out most error handling.

Or are you trying to write a client that uses NTLM authentication? In 2019 / 2020 that would be odd, since the protocol is deprecated as insecure.

Password hashes are stored in the SAM or AD, but you can’t really get them from those locations per se. It is hard to help without knowing more about what your overall objective is.


Thank you MBond2. Yeah, I agree with you that it is not a project for a newbie, but I got this task to implement. I have to implement a program which gets a username, a password (in NTLM hashed form) and the address of a domain controller. After getting these credentials, the program must log into that domain controller and get access from it. It is a completely hard and tough project for someone like me, but I should implement it within a 4 month deadline.

There is a huge difference between a “hard and tough project” and an “impossible project”. If Peter and Marion are right, and their reputations suggest that they are, then the hashed password is not available, no matter how many months you have. That would hardly be surprising, given the security exposure it creates.

What are you trying to do here? Are you trying to get a new machine to join the domain automatically? If you are logged in as a domain administrator, then that can be done easily using PowerShell, no coding required:

https://www.petri.com/add-computer-to-domain-powershell

If you’re not logged in as domain administrator, then it’s not possible. The whole point of having a domain administrator is that you can’t perform administrative actions without logging in as the administrator.

Again, are you trying to use the SSPI APIs? LogonUser? An LDAP bind?

If you are asking here, we assume you are writing software for Windows (UM or KM). If so, there is absolutely no reason to be creating a raw protocol handler for NTLM or Kerberos, as these are built into the OS and used by the different authentication APIs.

The SSPI APIs allow you to control the transport, and it is expected that your software will run on both the client and server (think about a standard TCP server). They provide a way to use Windows authentication and authorization for custom protocols.

LogonUser and the SAM APIs will communicate with the local SAM database and/or a configured domain controller automatically (using NTLM or Kerberos as per the configured environment). They provide a way to get a logon / impersonation token to be used to access resources on the local machine (think about the “run as” functionality in the Start menu).

LDAP binding will communicate with a specified domain controller from a stand-alone machine, a domain member, or a member of an unrelated domain using Microsoft standard protocols. Authentication may or may not be required depending on the operation in question, but if it is, then the LDAP API will do this internally based on options you supply (IIRC it uses SSPI internally).

Once you know what kind of API is appropriate, it will be much easier to help you.


@MBond2 Thank you for replying to my question, dear brother. The main problem is the fact that I don’t know what kind of API I should use for this project. I have these credentials: username, domain name, and the NTLM hash of the user’s password.

So, I should write a program which uses this information to log on to an AD. I researched a lot about this kind of project, but I only found one real project out there, called Mimikatz, which uses this approach to log in to an Active Directory, but I couldn’t fully understand how it works. It was too complicated for source-code analysis.

However, that is my problem, I know it, but as a junior in the industry I should work hard to get it done. I am nervous now.

If you have ‘username, domain name, and the NTLM hash’ you do not have credentials that can be used.

You can attempt to ‘crack’ the hash, or use the hash to verify another party that has the complete password, but you cannot use this hash in any sort of legitimate way to obtain access yourself.

NTLM and NTLMv2 are challenge-response protocols. The correct response cannot be known without the correct password in combination with the pseudo-random challenge. The hash is a one-way encrypted version of the password that can be used to verify the response, but not to generate one, except perhaps by some nefarious methods that we will not discuss here.