This post is meant to be a straight-to-the-point reference. I will keep curating it over time as I need it.
NTLM Hashes Structure
NTLM Hashes
Usage: NTLM (NT LAN Manager) hashes are used in Windows environments, both in local accounts and in domain accounts. NTLM is an older authentication protocol that predates Kerberos and is still supported for backward compatibility.
RIDs vs UIDs
Notes about RIDs, as there seems to be some confusion around them (when thinking in terms of Linux UIDs):
- Linux UIDs: In Linux, the root user has a UID of 0, and other users typically start at 1000 or higher. The UID is a unique identifier for each user account.
- Windows RIDs: In Windows, the RID (Relative Identifier) is the last part of a Security Identifier (SID). The SID uniquely identifies a security principal (user, group, or computer) within a domain.
RID Assignments
- Well-Known RIDs: Windows reserves certain RIDs for specific purposes:
  - RID 500: Typically assigned to the built-in Administrator account.
  - RID 501: Typically assigned to the built-in Guest account.
  - RID 512: Typically assigned to the Domain Admins group.
  - RID 513: Typically assigned to the Domain Users group.
- Dynamically Assigned RIDs: For regular user accounts, RIDs are dynamically assigned starting from 1000 or higher. The RID Master FSMO role is responsible for allocating RID pools to the domain controllers.
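As an added example (not from the original post), the following Python splits a SID string into its parts and classifies the trailing RID against the well-known values above, alongside the Linux UID convention for comparison. The SID values and the lookup table are constructed for illustration.

```python
import re

# Well-known RIDs from the list above (constructed lookup table for this example).
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    512: "Domain Admins",
    513: "Domain Users",
}

# S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-1-(\d+)-((?:\d+-)*\d+)$")


def parse_sid(sid: str) -> dict:
    """Split a SID into authority, domain identifier and RID (the last sub-authority)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a valid SID: {sid!r}")
    subs = [int(x) for x in m.group(2).split("-")]
    rid = subs[-1]
    return {
        "authority": int(m.group(1)),
        "domain": "-".join(str(x) for x in subs[:-1]),  # everything except the RID
        "rid": rid,
        "well_known": WELL_KNOWN_RIDS.get(rid),         # None when not in the table
        "dynamic": rid >= 1000,                         # regular accounts start at 1000+
    }


def same_domain(sid_a: str, sid_b: str) -> bool:
    """Two principals belong to the same domain when everything before the RID matches."""
    return parse_sid(sid_a)["domain"] == parse_sid(sid_b)["domain"]


def classify_uid(uid: int) -> str:
    """Linux counterpart: UID 0 is root, regular users conventionally start at 1000."""
    if uid == 0:
        return "root"
    return "regular user" if uid >= 1000 else "system account"


if __name__ == "__main__":
    # Constructed domain SID and two accounts in it (sample values, not a real domain).
    domain = "S-1-5-21-1004336348-1177238915-682003330"
    for sid in (f"{domain}-500", f"{domain}-1105"):
        print(sid, parse_sid(sid))
    print(classify_uid(0), classify_uid(1001))
```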
Kerberos Hashes Structure
Note: This is NOT a TGT
References
Kerberos Parameters + Types
https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml