Solved: Windows domain password hashing process

ericgeater · ‎08-23-2020

Maybe my keyword google talents are just lacking. Continuing: I am culturally aware that a Windows AD server only keeps domain user password hashes for comparison. I just don't know which machine performs the hash.

Is it typically the client which hashes, then sends the hash data to the DC? Or (in less secure networks) is the password passed in plaintext across the network, then hashed and compared at the server?

Thanks!

-----------
A claim is as good as its veracity.

AlecTrevelyan · ‎08-24-2020

You need to be a little more specific about which authentication mechanism is in use, but it will be either NTLM or more likely Kerberos. There are also subtle variations in how the mechanisms work depending on the Windows version and / or the Domain Functional Level that's been enabled.

However, some basics of how both of these mechanisms work and how to define which one is in use can be found in the link below - this will hopefully give you a good starting point:

https://answers.microsoft.com/en-us/msoffice/forum/all/ntlm-vs-kerberos/d8b139bf-6b5a-4a53-9a00-bb75...

ericgeater · ‎08-24-2020

That was a great starting point. It looks like both NTLM and Kerberos perform the hash on the client, in different stages.

This wouldn't have come up at all, except I remember seeing manuals describe external VPN connections via LDAP pass authentication traffic over the network in the clear. That raised my curiosity about internal client-server traffic, and whether Windows computers handled domain passwords the same way (or not).

-----------
A claim is as good as its veracity.

wimremes · ‎08-25-2020

Turns out there is A LOT going on when you enter your password into a windows machine:

https://twitter.com/SteveSyfuhs/status/1297957799079510018?s=20

Sic semper tyrannis.