Here is the wording from the official source:
The following steps present an outline of NTLM noninteractive authentication. The first step provides the user's NTLM credentials and occurs only as part of the interactive authentication (logon) process.
1. (Interactive authentication only) A user accesses a client computer and provides a domain name, user name, and password. The client computes a cryptographic hash of the password and discards the actual password.
2. The client sends the user name to the server (in plaintext).
3. The server generates a 16-byte random number, called a challenge or nonce, and sends it to the client.
4. The client encrypts this challenge with the hash of the user's password and returns the result to the server. This is called the response.
5. The server sends the following three items to the domain controller:
   - User name
   - Challenge sent to the client
   - Response received from the client
6. The domain controller uses the user name to retrieve the hash of the user's password from the Security Account Manager database. It uses this password hash to encrypt the challenge.
7. The domain controller compares the encrypted challenge it computed (in step 6) to the response computed by the client (in step 4). If they are identical, authentication is successful.
So the challenge is a message generated by the server, which is encrypted with the hash of the account's password by both the client and the DC, and the two results are compared on the DC.
The encryption methods vary between NTLM versions and the different server settings.
Here is a bit from Wikipedia:
Both LMv2 and NTv2 hash the client and server challenge with the NT hash of the user's password and other identifying information. The exact formula is to begin with the NT Hash, which is stored in the SAM or AD, and continue to hash in, using HMAC-MD5, the username and domain name.
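To make the two quotes concrete, here is an added worked example (my own code, not from the answer above, Microsoft or Wikipedia) that plays the client, the server and the DC roles of the NTLMv2 exchange in Python. It derives the NT hash (MD4 over the UTF-16LE password), then NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) + domain) and NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob), and has the DC recompute and compare. MD4 is implemented inline because `hashlib` builds on OpenSSL 3 often lack it. The account `alice`, the password, the FILETIME value and the minimal target-info (only an MsvAvEOL pair) are constructed for the demo. Two caveats a practitioner should note: the wire-format ServerChallenge in MS-NLMP is 8 bytes (the quoted overview says 16), and the client-side computation consumes only the NT hash, never the password.

```python
"""NTLMv2 challenge-response round trip: client, server and DC roles (added example)."""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib on OpenSSL 3 frequently has no MD4."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                          # round 1
            a = rotl((a + f(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                          # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                          # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password. This is what the SAM / AD stores."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)), per MS-NLMP 3.3.2."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def client_blob(client_challenge: bytes, timestamp: int, target_info: bytes) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE: RespType, HiRespType, reserved, FILETIME, nonce, AV_PAIRs."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def nt_proof(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob). Only the hash is needed."""
    return hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, hashlib.md5).digest()


def client_response(nt, user, domain, server_challenge, client_challenge, timestamp, target_info):
    """Client side (step 4): NtChallengeResponse = NTProofStr || blob."""
    blob = client_blob(client_challenge, timestamp, target_info)
    return nt_proof(nt, user, domain, server_challenge, blob) + blob


def dc_verify(sam: dict, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """DC side (steps 6-7): fetch the stored hash, recompute the proof, compare in constant time."""
    if user not in sam or len(response) < 16:
        return False
    proof, blob = response[:16], response[16:]
    expected = nt_proof(sam[user], user, domain, server_challenge, blob)
    return hmac.compare_digest(expected, proof)


def demo() -> dict:
    """Run the exchange against a constructed account and return the DC's verdicts."""
    sam = {"alice": nt_hash("password")}             # constructed SAM / AD entry
    target_info = b"\x00\x00\x00\x00"                # constructed: MsvAvEOL pair only
    server_challenge = os.urandom(8)                 # 8 bytes on the wire (MS-NLMP)
    client_challenge = os.urandom(8)
    timestamp = 0x01D9000000000000                   # constructed FILETIME value
    good = client_response(nt_hash("password"), "alice", "DOMAIN", server_challenge,
                           client_challenge, timestamp, target_info)
    bad = client_response(nt_hash("wrong"), "alice", "DOMAIN", server_challenge,
                          client_challenge, timestamp, target_info)
    return {
        "valid": dc_verify(sam, "alice", "DOMAIN", server_challenge, good),
        "wrong_password": dc_verify(sam, "alice", "DOMAIN", server_challenge, bad),
        # a fresh server challenge makes a captured response useless
        "replayed": dc_verify(sam, "alice", "DOMAIN", os.urandom(8), good),
    }


if __name__ == "__main__":
    print(demo())
```

Because `client_response` takes the NT hash rather than the password, anyone holding that hash can authenticate exactly as the user would; that is the property the protocol description above implies and the reason the hash must be protected as carefully as the password itself.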