How to check what ntlm version you are using in your domain
Navigate to the following registry path.
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
If NtlmMinClientSec and NtlmMinServerSec DWORD value stars with,
512 then it is NTLMv1
5376 then it is NTLMv2
5368 then it is NTLMv2-SSP
SSP means security support provider. NTLM provides ESS functionality (Extended Session Security) which adds to the complexity of the NTLM hash. ESS functionality adds an “SSP” flag in the NTLM hash (NTLM2-SSP). This increases the length of the NTLM hash longer which adds complexity while cracking the hash.
NTLMv2 is default authentication protocol and this by default incorporated SSP feature. When NTLMv2 is used, the ESS functionality is automatically incorporated into the authentication process.
Also if you search for event id 4624 in your Security logs, then at the bottom you will see what ntlm version your system is using.
I hope you have learned something new from here.
Thanks. Please Subscribe below.
LinkedIn:
https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/
YouTube: