Cyber Security Academy · Lesson

Windows Authentication: NTLM and Kerberos

Understand how NTLM challenge-response and Kerberos ticket-granting work.

Windows Authentication Overview

Windows uses two primary authentication protocols: NTLM (older, challenge-response) and Kerberos (modern, ticket-based). Understanding both is essential for Active Directory attack and defense.

NTLM Challenge-Response

NTLM works in three messages: Negotiate, Challenge, Authenticate. The client combines a hash of the user's password with the server's random challenge to compute a response. That response, not the plaintext password, is transmitted.

# NTLM flow:
# 1. Client sends: NEGOTIATE
# 2. Server sends: CHALLENGE (8-byte nonce)
# 3. Client sends: AUTHENTICATE (response computed from the NT hash and the nonce)
#
# The NT hash = MD4(UTF-16LE(password))
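
The three-message flow above, worked through as an added example (not code from the lesson): the client derives the NT hash, answers the server's 8-byte challenge, and the server checks the answer. It assumes the NTLMv2-style HMAC-MD5 response (the lesson does not say which NTLM version), reduces the client data to a single 8-byte nonce, and lets the verifier hold the NT hash directly; all function names and the sample credentials are constructed for illustration.

```python
import hmac, os, struct

def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks it on OpenSSL 3 builds."""
    M = 0xFFFFFFFF
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    rounds = (  # (round function, additive constant, shifts, message-word order)
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    data = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", len(msg) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for f, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a, b, c, d = d, rol((a + f(b, c, d) + X[k] + const) & M, shifts[i % 4]), b, c
        h = [(x + y) & M for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))          # NT hash = MD4(UTF-16LE(password))

def ntlmv2_response(nt: bytes, user: str, domain: str,
                    server_challenge: bytes, client_nonce: bytes) -> bytes:
    # NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain.
    key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()
    # Response: HMAC-MD5 over the server nonce plus client data (simplified here).
    return hmac.new(key, server_challenge + client_nonce, "md5").digest()

def server_verify(stored_nt, user, domain, server_challenge, client_nonce, response) -> bool:
    expected = ntlmv2_response(stored_nt, user, domain, server_challenge, client_nonce)
    return hmac.compare_digest(expected, response)

def demo() -> tuple:
    user, domain, password = "User", "Domain", "Password"   # constructed sample values
    stored = nt_hash(password)                # what the verifier holds, not the password
    challenge = os.urandom(8)                 # message 2: CHALLENGE
    nonce = os.urandom(8)
    resp = ntlmv2_response(nt_hash(password), user, domain, challenge, nonce)  # message 3
    fresh_ok = server_verify(stored, user, domain, challenge, nonce, resp)
    replay_ok = server_verify(stored, user, domain, os.urandom(8), nonce, resp)
    return fresh_ok, replay_ok                # (True, False)

if __name__ == "__main__":
    print(nt_hash("Password").hex(), demo())
```

The response verifies only against the challenge it was computed for, and every step after `nt_hash` is keyed by the hash alone, so a stored NT hash needs the same protection as the password itself.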
