The 2026 Guide to NTLM Hash Security and Kerberos Migration

An NTLM hash (the NT hash) is the unsalted, one-way hash of a password that Windows uses for legacy authentication. For years, the security industry has known that older versions of this system were broken. Now, the 2025 and 2026 security baselines target the death of the entire NTLM stack, including NTLMv2, and Microsoft is pushing companies to use Kerberos instead. These hashes are still the main way for attackers to move laterally across company networks, because they’re easy to intercept and relay.

Architecting Defence: Surviving the Death of the NTLM Hash

The NT LAN Manager (NTLM) protocol has been used for more than 30 years to support legacy applications and local logins across business networks. But things have changed. As we move through the 2025 and 2026 upgrade cycles, Microsoft is killing the entire NTLM stack.

Passwordless systems are becoming the norm in modern networks, but the NTLM hash is still a huge target for ransomware groups. The threat isn't just about the severely outdated NTLMv1 anymore. Attackers target NTLMv2 to execute devastating network relay attacks.

Network Security Architects must understand how these hashes work. If you don't grasp how attackers move laterally, you can't secure your Active Directory. 

At 7ASecurity, our team maps these attack paths practically every day in global enterprise networks. We show defenders exactly where their security boundaries fail and how to fix them.

What We'll Cover

  • How the NTLM hash differs from the NTLMv2 protocol.
  • How attackers dump hashes from protected memory using vulnerable drivers.
  • The threat of advanced ESC8 relay chains targeting ADCS.
  • Microsoft’s timeline for enforcing local KDC and killing NTLM fallback.

The Anatomy of the NTLM Hash

To understand why NTLM is retiring, we have to look at the math. When a user creates a password, Windows doesn't store the clear text. It encodes the password as UTF-16LE and runs the resulting bytes through the MD4 hashing algorithm.

Hash = MD4(UTF16LE(password))

This formula produces the NT hash. It has a massive structural flaw because it's completely unsalted. There's no random data added to the equation. This means identical passwords will always generate the exact same hash.

When you log in over a network using NTLMv2, the protocol uses a "nonce" (a one-time cryptographic challenge from the server). The client answers with a keyed hash computed over that challenge, which proves it holds the hash without sending the hash itself across the wire and stops simple replay attacks.

But the underlying, unsalted NTLM hash still sits in the memory of the Local Security Authority Subsystem Service (lsass.exe) on the machine.

If an attacker gets local admin rights, they can dump that memory and steal the hash. Modern Windows environments use Protected Process Light (PPL) to shield LSASS. 

To get around this protection, attackers use a technique called "Bring Your Own Vulnerable Driver" (BYOVD). They load a legitimately signed hardware driver that contains a known flaw, and the kernel-level access that flaw gives them is enough to strip the PPL protection from LSASS.

You might think Microsoft's Vulnerable Driver Blocklist stops this. It doesn't. Attackers constantly bypass these blocklists by sourcing obscure, previously unknown drivers (zero-days) or by targeting endpoints where the blocklist hasn't synced properly.

The Threat of Advanced Relaying

Once an attacker has your NTLM hash, they don't need to crack it. They can pass it (use the hash directly to answer NTLM challenges) or relay a live authentication attempt to another server.

Some of the most devastating cyberattacks in 2026 rely on NTLM relaying. An attacker positions themselves on the network and coerces a target server into authenticating to them. The attacker then sits in the middle of the NTLMv2 exchange: the challenge from a different, high-value target is passed to the victim server, and the victim's response is forwarded straight back to that target.

While relaying to LDAP is still a threat, most modern Domain Controllers have LDAP Signing enabled by default. The true "holy grail" for attackers right now is Active Directory Certificate Services (ADCS). In the security industry, this specific attack path is known as ESC8.

How an ESC8 Attack Works

If an attacker relays an intercepted NTLM authentication from a Domain Controller to an unpatched ADCS web enrolment endpoint (which often uses HTTP instead of HTTPS), they can fraudulently request a digital certificate in that Domain Controller's name. From then on, they act as that Domain Controller.

Once they have that certificate, they authenticate via Kerberos and gain total, permanent control of the entire domain.

To stop this, you need Extended Protection for Authentication (EPA). EPA works because it cryptographically binds the NTLM authentication to the TLS channel it arrived over, so an authentication that was relayed through a different connection is rejected and the relay dies.
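To make the relay and the EPA check concrete, here is an added simulation, not code from the original article, of the ESC8-style flow described above: a client authenticates with NTLM over TLS, an attacker in the middle forwards the exchange to a different HTTPS endpoint, and the target either does or does not enforce channel binding. The user key, certificates and nonces are constructed stand-ins. Real NTLMv2 derives the key from the NT hash and carries an MD5 of the GSS channel-bindings structure in an MsvAvChannelBindings AV pair; this model carries the tls-server-end-point token directly in the blob, which is enough to show why the binding defeats the relay.

```python
import hashlib
import hmac

# Constructed stand-ins. In real NTLMv2 the key is NTOWFv2, derived from the NT hash;
# here it is simply a fixed secret known to the client and the authenticating server.
USER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Constructed "certificates": any two distinct byte strings will do for the model.
TARGET_CERT = b"constructed DER for CN=adcs.corp.example"
ATTACKER_CERT = b"constructed DER for CN=relay.attacker.example"


def channel_binding_token(cert_der: bytes) -> bytes:
    """tls-server-end-point channel binding (RFC 5929): a hash of the certificate of
    the TLS server the client actually completed its handshake with."""
    return b"tls-server-end-point:" + hashlib.sha256(cert_der).digest()


def client_authenticate(key: bytes, server_challenge: bytes, tls_cert_seen: bytes) -> bytes:
    """Client side. The CBT goes inside the blob, so the proof HMAC covers it."""
    client_nonce = bytes.fromhex("1122334455667788")  # constructed; random in practice
    blob = client_nonce + channel_binding_token(tls_cert_seen)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(key: bytes, server_challenge: bytes, response: bytes,
                  own_cert: bytes, require_epa: bool) -> bool:
    """Server side. Without EPA the CBT is carried in the blob but never compared."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    if not hmac.compare_digest(proof, expected):
        return False  # wrong key, wrong nonce, or the blob was modified in transit
    if not require_epa:
        return True
    return hmac.compare_digest(blob[8:], channel_binding_token(own_cert))


def relay_scenario(require_epa: bool) -> dict:
    """Three submissions against the target, which presents TARGET_CERT over TLS."""
    challenge = bytes.fromhex("0123456789abcdef")  # target's nonce, forwarded by the relay
    # 1. Direct logon: the client's TLS session ends at the real target.
    direct = client_authenticate(USER_KEY, challenge, TARGET_CERT)
    # 2. Relayed logon: the client's TLS session ends at the attacker, who forwards the
    #    NTLM messages unchanged. The client therefore bound to the attacker's certificate.
    relayed = client_authenticate(USER_KEY, challenge, ATTACKER_CERT)
    # 3. Relayed logon where the attacker rewrites the CBT to match the target's certificate.
    #    The proof covered the original blob, so the rewrite breaks the proof.
    tampered = relayed[:24] + channel_binding_token(TARGET_CERT)
    check = lambda r: server_verify(USER_KEY, challenge, r, TARGET_CERT, require_epa)
    return {"direct": check(direct), "relayed": check(relayed), "tampered": check(tampered)}


if __name__ == "__main__":
    print("EPA off:", relay_scenario(False))  # relayed logon is accepted
    print("EPA on: ", relay_scenario(True))   # relayed logon is rejected
```

With EPA off, the relayed response verifies exactly like the direct one, because the target only checks the HMAC and the HMAC is genuine. With EPA on, the same genuine response is refused: the client bound it to the attacker's certificate, the target expects its own, and the attacker cannot patch the binding without invalidating the proof. This is the check our auditors verify by hand on IIS and ADCS endpoints, since an endpoint that merely accepts a CBT without comparing it gives no protection.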

The 2026 Roadmap: Killing the Fallback

There’s a misconception that Microsoft is introducing a sudden "kill switch" for NTLM late in 2026. The reality is that the architecture to replace it is already here.

With Windows 11 24H2 and Server 2025, Microsoft integrated two massive features. They added:

  1. Local KDC, which lets local accounts use Kerberos, and
  2. IAKerb, which enables machines without a direct line of sight to a Domain Controller to proxy their Kerberos traffic through another server.

These updates eliminate the technical excuses for keeping NTLM around.

However, the real challenge for 2026 isn't a single registry key but the cumulative shift toward making NTLM a "last-resort" protocol through Group Policy. Microsoft gives administrators tools (like the 4000-series Enhanced NTLM Auditing logs) to map dependencies now. 

The end goal is the total phase-out of NTLM hashes as a default fallback mechanism. If your legacy apps can't speak Kerberos, they will eventually break.

The Human Element: Scanners vs. Reality

Many organisations rely on automated vulnerability scanners to map their internal risks. When it comes to complex Active Directory attacks, this approach is dangerous. Automated scanners lack context.

An automated tool detects that NTLM authentication is enabled and flags it as a medium risk. Our senior auditors see that NTLM is enabled, find an unpatched ADCS web enrolment endpoint, and use a forced authentication trigger to escalate to Domain Admin in 15 minutes.

That is the difference between a scan and a manual internal penetration test.

We don't rely on automated checklists. Our heavily vetted experts manually investigate your Group Policy. We map complex relay chains (Target A -> Trigger B -> Admin on C) and identify the logic flaws that attackers abuse. 

We verify if your mitigations actually work. For example, we check if Extended Protection for Authentication (EPA) is properly binding your authentication channel to the TLS channel, which is how it kills relay attacks.

Preparing for a Kerberos-Only Network

You can't afford to wait for your legacy applications to break. Transitioning to a secure-by-default environment requires immediate action.

To secure your network today, you must:

  1. Enforce SMB Signing and Encryption. Signing prevents attackers from relaying a hash against your file servers. Going further, adopting SMB Encryption (the new Server 2025 standard) is the best way to protect data in transit.
  2. Enable LDAP Signing and Channel Binding. Stop attackers from relaying credentials back to your Domain Controllers.
  3. Implement EPA. Ensure Extended Protection for Authentication is active across all IIS and ADCS endpoints.
  4. Monitor the 4000-Series Logs. Actively audit why your applications still fall back to NTLM instead of negotiating Kerberos.

Uncover Your Hidden AD Risks

Don't wait for an attacker to find your unpatched relay chains. Get an expert-led security audit that identifies exactly how attackers can exploit your legacy infrastructure.

Secure Your Active Directory Today

Frequently Asked Questions About NTLM Hash

What’s the difference between an NT hash and NTLMv2?

The NT hash is the mathematical, unsalted version of your password held in memory by the Windows operating system.

NTLMv2 is the actual network protocol that uses a cryptographic challenge to prove you own that hash without sending it directly across the network.

What’s the difference between Local KDC and IAKerb?

Local KDC is a feature that lets local machine accounts authenticate using Kerberos instead of NTLM.

IAKerb is a protocol extension that allows Kerberos authentication to proxy through intermediate servers when a machine can’t communicate directly with a Domain Controller.

Why’s Microsoft killing the NTLM protocol?

NTLM is fundamentally flawed because it doesn't support modern cryptographic standards or mutual authentication. It's particularly susceptible to relay attacks, making it a severe liability. Microsoft is forcing a move to Kerberos to establish a more resilient, phishing-resistant baseline.

How does Extended Protection for Authentication (EPA) stop relay attacks?

EPA stops relay attacks by cryptographically binding the authentication channel directly to the underlying TLS channel. If an attacker tries to intercept and relay the authentication over a different connection, the server detects the mismatch and drops the request.

Will my antivirus stop a Pass-the-Hash attack?

Standard antivirus usually misses these attacks because they don't rely on traditional malware files. Pass-the-Hash and relay attacks use legitimate Windows protocols and native tools, enabling attackers to blend in seamlessly with normal network traffic.

Why do vulnerability scanners miss NTLM relay risks?

Scanners look for missing software patches and basic configuration errors. They can't understand the complex relationship between different servers. This means that they won't piece together that a misconfiguration on Server A can be combined with a trigger on Server B to compromise Server C. That requires human analysis.

Book Your Custom Active Directory Audit