Windows Authentication#
SID - (Security Identifier)#
https://morgantechspace.com/2013/10/difference-between-rid-and-sid-in.html
S-1-5-21-4064627337-2434140041-2375368561-1036
S: Stands for SID
1: v1 of the SID spec
5: The identifier authority value, typically 5, aka SECURITY_NT_AUTHORITY
21-4064627337-2434140041-2375368561: id of the computer or domain that created the SID
1036: RID (Relative ID) a principal (user or group) relative to the local or domain security
Windows Authentication Mechanisms#
LM Hash#
- 14 chr password (or padded with null)
- split into two seven-character chunks
- Two DES keys are created from each chunk
- These chunks are then encrypted using the string KGS!@#$%
- creating two 8-byte ciphertext values.
- These two values are then concatenated together
- and that's an LM hash
NT Hash#
- password in little-endian UTF-16 format
- MD4 hashed
- MD4(UTF-16-LE(password))
NTLM protocol#
- NTLM is a challenge-response authentication protocol
- NTLM can user either the LM hash or The NT hash
- NTLM hashes are stored locally in
- The SAM database on a machine or
- The NTDS.DIT datable on a DC
- The authentication flow looks like this:
-- client -> NEGOTIATE_MESSAGE -> server
-- client <- CHALLENGE_MESSAGE <- server
-- client -> AUTHENTICATE_MESSAGE -> server