NTLM hashes are stored in the Security Account Manager (SAM) database and in a Domain Controller's NTDS.dit database. They look like this:

    <LM hash>:<NT hash>

Contrary to what you'd expect, the LM hash is the one before the colon and the NT hash is the one after the colon. Starting with Windows Vista and Windows Server 2008, by default, only the NT hash is stored.

Net-NTLM hashes are used for network authentication (they are derived from a challenge/response algorithm and are based on the user's NT hash). Here's an example of a Net-NTLMv2 (a.k.a NTLMv2) hash:


From a pentesting perspective:

  • You CAN perform Pass-The-Hash attacks with NTLM hashes.

  • You CANNOT perform Pass-The-Hash attacks with Net-NTLM hashes. However, they can be used to perform relay attacks.

You get NTLM hashes when dumping the SAM database of any Windows OS, a Domain Controller's NTDS.dit database or from Mimikatz (fun fact: although you can't get clear-text passwords from Mimikatz on Windows >= 8.1, you can still get NTLM hashes from memory). Some tools just give you the NT hash (e.g. ) and that's perfectly fine: obviously you can still Pass-The-Hash with just the NT hash.

You get Net-NTLMv1/v2 (a.k.a NTLMv1/v2) hashes when using tools like Responder or Inveigh.
