https://community.isc2.org/t5/Tech-Talk/Windows-domain-password-hashing-process/m-p/38399#M2926 <P>You need to be a little more specific about which authentication mechanism is in use, but it will be either NTLM or more likely Kerberos. There are also subtle variations in how the mechanisms work depending on the Windows version and / or the Domain Functional Level that's been enabled.</P><P>&nbsp;</P><P>However, some basics of how both of these mechanisms work and how to define which one is in use can be found in the link below - this will hopefully give you a good starting point:</P><P>&nbsp;</P><P><A href="https://answers.microsoft.com/en-us/msoffice/forum/all/ntlm-vs-kerberos/d8b139bf-6b5a-4a53-9a00-bb75d4e219eb" target="_blank">https://answers.microsoft.com/en-us/msoffice/forum/all/ntlm-vs-kerberos/d8b139bf-6b5a-4a53-9a00-bb75d4e219eb</A></P><P>&nbsp;</P> Mon, 24 Aug 2020 09:47:28 GMT AlecTrevelyan 2020-08-24T09:47:28Z https://community.isc2.org/t5/Tech-Talk/Windows-domain-password-hashing-process/m-p/38393#M2925 <P>Maybe my keyword google talents are just lacking. Continuing: I am culturally aware that a Windows AD server only keeps domain user password hashes for comparison.&nbsp; I just don't know which machine performs the hash.</P><P>&nbsp;</P><P>Is it typically the client which hashes, then sends the hash data to the DC?&nbsp; Or (in less secure networks) is the password passed in plaintext across the network, then hashed and compared at the server?</P><P>&nbsp;</P><P>Thanks!</P> Mon, 24 Aug 2020 02:37:00 GMT https://community.isc2.org/t5/Tech-Talk/Windows-domain-password-hashing-process/m-p/38393#M2925 ericgeater 2020-08-24T02:37:00Z https://community.isc2.org/t5/Tech-Talk/Windows-domain-password-hashing-process/m-p/38399#M2926 <P>You need to be a little more specific about which authentication mechanism is in use, but it will be either NTLM or more likely Kerberos. There are also subtle variations in how the mechanisms work depending on the Windows version and / or the Domain Functional Level that's been enabled.</P><P>&nbsp;</P><P>However, some basics of how both of these mechanisms work and how to define which one is in use can be found in the link below - this will hopefully give you a good starting point:</P><P>&nbsp;</P><P><A href="https://answers.microsoft.com/en-us/msoffice/forum/all/ntlm-vs-kerberos/d8b139bf-6b5a-4a53-9a00-bb75d4e219eb" target="_blank">https://answers.microsoft.com/en-us/msoffice/forum/all/ntlm-vs-kerberos/d8b139bf-6b5a-4a53-9a00-bb75d4e219eb</A></P><P>&nbsp;</P> Mon, 24 Aug 2020 09:47:28 GMT https://community.isc2.org/t5/Tech-Talk/Windows-domain-password-hashing-process/m-p/38399#M2926 AlecTrevelyan 2020-08-24T09:47:28Z https://community.isc2.org/t5/Tech-Talk/Windows-domain-password-hashing-process/m-p/38405#M2928 <P>That was a great starting point.&nbsp; It looks like both NTLM and Kerberos perform the hash on the client, in different stages.</P><P>&nbsp;</P><P>This wouldn't have come up at all, except I remember seeing manuals describe external VPN connections via LDAP pass authentication traffic over the network in the clear.&nbsp; That raised my curiosity about internal client-server traffic, and whether Windows computers handled domain passwords the same way (or not).</P> Mon, 24 Aug 2020 14:08:24 GMT https://community.isc2.org/t5/Tech-Talk/Windows-domain-password-hashing-process/m-p/38405#M2928 ericgeater 2020-08-24T14:08:24Z https://community.isc2.org/t5/Tech-Talk/Windows-domain-password-hashing-process/m-p/38428#M2930 <P>Turns out there is A LOT going on when you enter your password into a windows machine:</P><P><SPAN><A href="https://twitter.com/SteveSyfuhs/status/1297957799079510018?s=20" target="_blank">https://twitter.com/SteveSyfuhs/status/1297957799079510018?s=20</A></SPAN></P> Tue, 25 Aug 2020 11:43:06 GMT https://community.isc2.org/t5/Tech-Talk/Windows-domain-password-hashing-process/m-p/38428#M2930 wimremes 2020-08-25T11:43:06Z