NTLM Hash Generator

Generate Windows NTLM hashes for security testing, password recovery research, and understanding Windows authentication mechanisms. Uses MD4 on UTF-16LE encoded passwords.

Security Research OnlyMD4 + UTF-16LEWindows Compatible
UTF-16LE encoded
Examples:

NTLM hash will appear here

NTLM Hash Specifications
  • Algorithm: MD4
  • Digest Size: 128 bits
  • Encoding: UTF-16LE
  • Used in: Windows Authentication
  • Status: Deprecated (but widely used)
  • Year: 1993 (Windows NT)
About NTLM Hash

NTLM (NT LAN Manager) hash is a Windows authentication protocol that uses the MD4 hash function on the UTF-16LE encoded password. It's been the primary authentication method in Windows since Windows NT 3.1 (1993) and is still widely used in Active Directory environments, though considered deprecated in favor of Kerberos.

Hash Type: MD4
Encoding: UTF-16LE
Storage: SAM File
Security: Vulnerable

Understanding NTLM Hash

History and Development

NTLM (NT LAN Manager) hash was introduced with Windows NT 3.1 in 1993 as a replacement for the weak LM (LAN Manager) hash. It represented a significant security improvement by using the MD4 hash function and supporting case-sensitive, longer passwords. Despite its age, NTLM remains widely used in Windows environments for backward compatibility, though Microsoft now recommends Kerberos for authentication.

Technical Specifications

AlgorithmMD4 (Message Digest Algorithm 4)
EncodingUTF-16LE (Little Endian)
Digest Size128 bits (16 bytes / 32 hex characters)
Storage LocationSAM file (local) / NTDS.dit (Domain)
IntroducedWindows NT 3.1 (1993)
Case SensitivityYes (unlike LM hash)
Maximum Password Length128 characters (practical), 256 (theoretical)
Security StatusDeprecated (but widely used)

How NTLM Hash is Generated

  1. Password Input: User provides a password (e.g., "MyPassword123")
  2. UTF-16LE Conversion: The password is converted to UTF-16 little-endian format (each character uses 2 bytes, least significant byte first)
  3. MD4 Hashing: The UTF-16LE byte array is hashed using the MD4 algorithm, producing a 128-bit (16-byte) hash
  4. Hex Representation: The 16 bytes are typically represented as a 32-character hexadecimal string

Security Warning

NTLM hashes have significant security vulnerabilities:

  • Uses broken MD4 algorithm
  • No salt (same password always produces same hash)
  • Vulnerable to pass-the-hash attacks
  • Can be cracked with modern hardware
  • Subject to rainbow table attacks

Use only for educational purposes or legacy system compatibility. Modern systems should use Kerberos or other secure authentication methods.

Key Features

  • Real-time Generation: Instant NTLM hash calculation
  • Password Strength: Built-in strength meter
  • Multiple Formats: Standard, with colon, LM format
  • Random Generator: Create strong test passwords

Common Use Cases

  • Security auditing and testing
  • Password recovery research
  • Active Directory migration
  • Cryptography education
  • Legacy system maintenance

NTLM vs Modern Auth

FeatureNTLMKerberos
ProtocolChallenge-ResponseTicket-based
SecurityWeakStrong
Pass-the-hashVulnerableResistant
SaltNoYes

Complete Guide to NTLM Hash Generation

Step-by-Step Usage Guide

1

Enter Password

Type or paste the password you want to hash. The password is case-sensitive, just like in Windows.

2

Check Password Strength

Use the built-in strength meter to evaluate your password's security against brute-force attacks.

3

Select Output Format

Choose between standard hex, colon-separated (for hash files), or LM hash format.

4

Use or Save Results

Copy the hash to clipboard or download it with password details for documentation.

Example NTLM Hashes

Password: "" (empty)NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0
Password: "password"NTLM: 8846f7eaee8fb117ad06bdd830b7586c
Password: "admin"NTLM: 209c6174da490caeb422f3fa5a7ae634
Password: "123456"NTLM: 32ed87bdb5fdc5e9cba88547376818d4
Password: "P@ssw0rd"NTLM: bd716d5be68abbb1b8a3abfadee36c4f

NTLM Security Vulnerabilities

Known Weaknesses

  • MD4 Algorithm Broken:

    MD4 is completely broken and collisions can be found in milliseconds

  • No Salt:

    Identical passwords produce identical hashes, enabling rainbow table attacks

  • Pass-the-Hash:

    Attackers can use the hash directly for authentication without the password

Real-World Attacks

  • CriticalPass-the-hash attacks in lateral movement
  • HighRainbow table cracking (due to no salt)
  • HighGPU-accelerated brute force attacks
  • MediumLLMNR/NBT-NS poisoning

Understanding Pass-the-Hash Attacks

Pass-the-hash is a technique that allows an attacker to authenticate to a remote server using the underlying NTLM hash instead of the plaintext password. This works because NTLM uses the hash itself in the authentication protocol - the plaintext password is never required once you have the hash.

Attack Flow:

  1. Attacker gains access to a system and extracts NTLM hashes from memory (LSASS) or disk (SAM)
  2. Using tools like Mimikatz, they inject the hash into their own authentication session
  3. They can now authenticate to other systems as that user without ever knowing the password
  4. This enables lateral movement across the network
Mitigation: Use Kerberos authentication, enable Credential Guard, implement least privilege, and monitor for suspicious authentication patterns.

Tools That Exploit This:

  • Mimikatz
  • Impacket (secretsdump)
  • Metasploit (psexec)
  • CrackMapExec

Frequently Asked Questions About NTLM Hashes

NTLM hashes can be extracted from Windows systems through various methods:
  • From SAM file: Located at C:\Windows\System32\config\SAM (requires SYSTEM privileges)
  • From LSASS memory: Using tools like Mimikatz (requires admin privileges)
  • From NTDS.dit: Domain controller database containing all domain user hashes
  • From network captures: Capturing NTLM authentication traffic
Note: Extracting hashes from a system without authorization is illegal and unethical.

Windows continues to support NTLM for backward compatibility reasons:
  • Legacy applications that only understand NTLM authentication
  • Workgroup environments without Active Directory (where Kerberos isn't available)
  • Cross-forest authentication where trust relationships may not support Kerberos
  • Authentication to older Windows versions (pre-Windows 2000)
Microsoft recommends disabling NTLM where possible and using Kerberos. Windows 11 and Windows Server 2022 have made progress in reducing NTLM usage, but it remains available for compatibility.

Cracking speed depends on hardware and password complexity:
  • Simple passwords (8 chars, lowercase): Seconds to minutes on modern GPU
  • Common passwords: Almost instant with rainbow tables
  • Complex passwords (12+ chars, mixed case, symbols): Could take years
  • With modern GPU (RTX 4090): ~300 billion hashes per second
Tools like hashcat and John the Ripper can crack millions of NTLM hashes per second on consumer hardware. This is why strong, unique passwords are essential.

Modern Windows environments use multiple authentication protocols:
  • Kerberos: Primary authentication protocol in Active Directory domains
  • PKU2U: Peer-to-peer authentication using digital certificates
  • WebAuthn: Passwordless authentication with biometrics/security keys
  • Windows Hello: Biometric and PIN-based authentication
For network authentication, Kerberos is the recommended replacement, offering better security, mutual authentication, and resistance to pass-the-hash attacks.

In Active Directory, NTLM hashes are stored in the NTDS.dit database file:
  • Located on Domain Controllers at C:\Windows\NTDS\NTDS.dit
  • Stored as part of the user object's 'unicodePwd' attribute
  • Both LM hash (if enabled) and NTLM hash are stored
  • Protected by the system's Boot Key and SYSKEY
  • Replicated to all Domain Controllers in the domain
The NTDS.dit file is heavily protected and encrypted, but attackers who gain Domain Admin privileges can extract all domain hashes using tools like ntdsutil or Volume Shadow Copy.

NTLM Security Best Practices

Disable When Possible

Use Group Policy to restrict NTLM usage:

  • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
  • Network security: Restrict NTLM: Audit Incoming NTLM Traffic
  • Set to "Deny All" in secure environments

Enable Protections

  • Enable Credential Guard (Virtualization-based security)
  • Use Extended Protection for Authentication
  • Enable LDAP signing and channel binding
  • Use SMB signing

Monitor and Audit

  • Enable NTLM logging (Event ID 8001-8004)
  • Monitor for anomalous NTLM authentication
  • Track NTLM usage in your environment
  • Audit for legacy application dependencies

Related Security Tools

MD4 Hash
LM Hash
Kerberos
Password Strength
Hash Identifier
Security Audit

Learn About Windows Authentication

Understanding NTLM and its vulnerabilities is crucial for Windows security. Explore our resources to learn about authentication protocols, attack vectors, and modern security best practices.

Windows Security Guide

All NTLM hash generation is performed locally in your browser. Your passwords never leave your device.

This tool is for educational and security research purposes only. Do not use for illegal activities.

View SourceReport Vulnerability

Logo

HiFi Toolkit is a free online platform offering essential tools and converters for developers, designers, and everyday productivity tasks.

Follow Us

Our Tools
Our Company
Special Tools

© 2026 HiFi Toolkit. All rights reserved.

Terms & ConditionsPrivacy Policy