TL;DR

<aside> ⚠️

NTLM ≠ NTLMv1/v2 ≠ Net-NTLMv1/v2 ≠ MSCASHv1/v2

</aside>


Lan Manager (LM) hash

It was the dominant password storage algorithm on Windows until Windows XP/Windows Server 2003.

It has been disabled by default since Windows Vista/Windows Server 2008.

The algorithm used is DES (very vulnerable!). LM was a weak hashing algorithm for many reasons, and you will figure these reasons out once you know how LM hashing works:

Let’s assume that the user’s password is PassWord:

  1. All characters are converted to upper case: PassWord → PASSWORD
  2. If the password is shorter than 14 characters, it is padded with null characters to a length of 14, so the result is PASSWORD000000
  3. These 14 characters are split into two halves: PASSWOR and D000000
  4. Each half is converted to bits, and after every 7 bits a parity bit (0) is inserted, so each half becomes a 64-bit key (for example, the 7 bits 1101000 become 11010000). As a result, we get two keys from the two halves
  5. Each of these keys is then used to encrypt the string KGS!@#$% with DES in ECB mode, so the results are PASSWOR → E52CAC67419A9A22 and D000000 → 4A3B108F3FA6CB6D
  6. The outputs of the two halves are then concatenated, and that makes up the LM hash: E52CAC67419A9A224A3B108F3FA6CB6D


NTLM hash (aka NT hash)

NTLM hashes are composed of two parts: