
I'm confused between NTLM and NTLM (on the network)

I'm doing a little research about Windows passwords and I have a little question.

Windows encrypts user passwords and stores them in C:\WINDOWS\system32\config\SAM, encrypting them with the NTLM algorithm (plus Syskey).

NTLM is also a network authentication protocol, so I'm getting mixed up.

I would like to know if the NTLM encryption is the same as the NTLM network protocol. I mean, in Windows, when you type your user and password, does the system start a network protocol on the same system (localhost), as it would if they were two different computers (IP)?

Or otherwise, are they two different things with the same name? It would be great if someone could give me a little explanation of the difference between the two methods.

Hope you can understand my question, as I'm not English!

Thanks in advance!


Disclaimer: I work for Microsoft, but not on Windows or any team that developed NTLM. This knowledge comes from external sources and thus may not be accurate.

NTLM is two things: a one-way hash algorithm and an authentication protocol.

The one-way hash function is what the Windows OS uses to store passwords (in the secrets file, as you note). This is, of course, so that plaintext passwords need not be stored on disk. When you type your password on the login screen, it will be hashed with the NTLM hash algorithm and compared against the existing hash in the secrets file. If they match, you'll be authenticated. If not, you'll be prompted to enter your password again.

The authentication protocol is a challenge/response protocol that authenticates some on-the-wire protocol like CIFS or HTTP. The algorithm utilizes the aforementioned NTLM hash algorithm in order to build the responses to the server's challenges based on the password that the user typed. The protocol specification for the NTLM authentication protocol is available from Microsoft under their Open Specifications license.

To answer your question, when you log in to Windows, it's likely just using the NTLM hash and checking it against the on-disk file, not doing some network call. Of course, if your machine happened to be a domain controller (and, somehow, couldn't do Kerberos) then it may do NTLM authentication over the network to localhost, but that's a pretty contrived example. Of course, if you're hitting a network resource on that local machine (say, CIFS file sharing or hitting a web site) then you'll be using the network authentication protocol, not going directly to the secrets file.


NTLM is not a network protocol. It's an authentication protocol. They are totally separate things.

There's a pretty good discussion of NTLM here. Pay special attention to the fact that NTLM isn't used any longer (it's been replaced by Kerberos and NTLM2, both of which are defined and discussed in the linked article).

