home
Naukri Code 360
expand-more
Library
expand-more
Web Technologies
expand-more
API Testing Tools
expand-more
Postman
expand-more
Requests
expand-more
NTLM Authentication in Postman
Table of contents
1.
Introduction
2.
NTLM 
2.1.
Encryption and Hashing
2.2.
NTLM Authentication Protocol
2.3.
Security Concerns and Discontinuation
2.4.
Why is it still used then?
3.
NTLM Authentication in Postman
4.
Frequently Asked Questions
4.1.
What modern hashing algorithms have replaced MD4?
4.2.
What should be used instead of NTLM?
4.3.
What’s the benefit of using Postman?
5.
Conclusion
Last Updated: Mar 27, 2024

NTLM Authentication in Postman

Author Satvik Gupta
0 upvote
Career growth poll
Do you think IIT Guwahati certified course can help you in your career?

Introduction

NTLM stands for NT (New Technology) Lan Manager, which Microsoft introduced with WindowsNT. It’s a collection of authentication protocols that Microsoft developed for Windows servers. 

Suppose a company has an internal network of computers, printers, and other resources that runs on Windows. 

In that case, NTLM helps in the authentication of the users of those resources. For example, it ensured someone trying to access a file had the authorization to access it. Due to security vulnerabilities, NTLM has been discontinued and is not recommended by Microsoft anymore.

Postman is an API development tool. It is used to develop, test, design and use APIs (Application Programming Interface). It’s especially useful in testing APIs during development since it can automate sending requests and even the order in which they are sent. 

Authentication using NTLM in Postman

We will see how NTLM works, its drawbacks, and why it is not recommended for use anymore. We will also discuss why it is still used despite its security concerns, and we will see how we can use it in Postman.

NTLM 

Computer Networks Graphic

In a computer network with multiple users and resources - such as computers, databases, printers, fax machines, etc.- no one from outside must be able to access this network or any of its resources. Any company that is large enough will have such a network, and they will need to implement methods to control access to protect their business.

NTLM was introduced as a successor to Microsoft’s earlier authentication protocol, LANMAN (LAN Manager). It handles requests between devices on the same network. It ensures that the client (the device making the request) is a valid user so they can access the device they are targeting (the resource). Attackers will try to hack into the system and access resources they shouldn’t be able to. So how do we protect against this?

Microsoft created the NTLM protocol for this. It uses a challenge-response methodology to authenticate users. Before we see how this works, let’s discuss what encryption, hashing, and salting mean.

Encryption and Hashing

  • Encryption (as discussed here) is using a key to encrypt a piece of data before it is sent over a network. The receiver will have the same key, and they will use it to decrypt the data and then read it. Only the key used to encrypt the data can be used to decrypt it. This is similar to a standard physical lock.
     
  • Hashing is the process of using a hashing algorithm, or hashing function, to convert a piece of data into a different form. The two unique things about hashing are that it is irreversible and repeatable. Irreversible means that, given a hash value, we cannot determine what data produced this hash. Repeatable means that the data will always produce the same hash value (the hashing algorithm should also remain the same).

    Hashing is particularly useful in verifying passwords. Instead of storing the user’s passwords in the database, we store their hash values. Then, when a user tries to log in, we hash their entered password again, using the same hash function. We say the user is valid if the hash matches the stored one. If it doesn’t, the user has entered the wrong password.

    The advantage of this is that even if hackers attack the server and steal the data, they will just get the hashes, not the actual passwords.
     
  • Salting is the process of adding a random string to the end of a user’s password before hashing. This is called salt. It is stored in the database along with the hash. What does this do? This protects against rainbow table attacks. 

    Hackers create a large table of passwords, along with their hashes, using brute force methods or from previous databases that they have hacked. This is called the rainbow table. Thus, when they hack a new database, they can check if any of the hashes in the database are present in the rainbow table. If it is, they now know that user’s password. 

    Salting prevents this, as hackers cannot keep a rainbow table large enough to store passwords and salts. This is because the same password will have different salts even on the same website.

 

Now, let’s see how NTLM authentication works.

NTLM Authentication Protocol

The NTLM Authentication Protocol follows the following steps:

  • The user logs into the computer, and types in the username and password
  • The computer produces the hash of the password using a fixed hashing algorithm and saves it in the cache.
  • The user tries to access a resource on the network, say a printer. For this, the user must send a request to a domain controller, which checks if the user is authenticated.
  • The user sends the domain controller a log-on request, which includes his username. This is the negotiation step.
  • The domain controller responds with a challenge number. It sends back a random number to the client machine.
  • The client computer will use the hash of the password, which was stored in the cache, to encrypt the challenge number. The client computer then sends this encrypted value to the domain controller.
  • The domain controller checks if the password is correct by encrypting the challenge it sent, with the hash of the user’s password stored in the controller’s database. 
  • If the value the controller produces matches the value the client machine sent, the user is authenticated.

 

Once the user is authenticated, they get access to whatever service or resource they requested, provided they are authorized to use it.

This seems like a very secure and robust method of authentication. Why is it not recommended anymore? Let’s see that as well.

Security Concerns and Discontinuation

  • Hackers can easily obtain hashes - User hashes are not that hard to get in this protocol. They are stored in the cache, and cache reading programs exist from which hackers can obtain them. They are also stored in system files, and SAM (Security Account Manager), and any user with administrator privileges can read them. The hashes are also stored server-side in domain controllers. Hackers have exploited this by creating software that pretends to be another domain controller and gets the real domain controllers to share their hash files with them.
     
  • The hashing algorithm used is unsafe - it is the algorithm used in NTLM. It has been proven to be unsafe and breakable. There are ways to find a piece of data whose MD4 hash is known already. This means the reversible property of MD4 hashes is broken, rendering them useless.
     
  • Passwords aren’t salted - NTLM doesn’t use salting, which means rainbow table attacks work very well against it. It also means 2 users with the same password will have the same hash, which is not good for security.

Why is it still used then?

  • The major reason is for backward compatibility. Many applications, software, and other programs only support NTLM and not more modern forms. These softwares are also outdated, but businesses that have been using these softwares for years and have everything on them, so we cannot discard them suddenly. Thus they have to continue using them, and they require NTLM.
     
  • Corporations with a huge amount of Windows servers and desktops, such as printers, and other network nodes, have invested much into making custom NTLM protocols and network management. If they discard it now, they must redo all that work.

NTLM Authentication in Postman

Let's Try it Out!

When developing APIs for networks that use Windows servers, you need to test them using NTLM, since that is what is used on Windows. Postman is the go-to tool in the industry for developing and testing APIs, so there needs to be a way to add NTLM to Postman. If we manually implement it, that would take a lof of programming effort, and would also be prone to bugs. 

Thankfully, Postman does implement this for us, and it is very easy to use.

NTLM in postman

Type in your request type and URL. 

Then, go to the Authorization tab. Click on the drop-down arrow, and choose NTLM Authentication. Now, in the right side panel, type in your username and password, and hit send! 

NTLM in postman

 

Voila! You will get a success response, provided your username and password are correct.

Frequently Asked Questions

What modern hashing algorithms have replaced MD4?

MD4 was replaced by MD5, which improved its security somewhat. But, even MD5 was broken very soon, and now it’s not recommended for use either. The current most used hashing algorithm in the industry is SHA-256, which stands for Secure Hash Algorithm - 256. The 256 represents the size of it’s output, which is 256 bits.

What should be used instead of NTLM?

Microsoft has replaced NTLM with Kerberos authentication protocol. It is a much more secure and robust protocol, it gives a higher amount of security and doesn’t allow for hashes to be used without knowing the password. It uses encryption as its main security method rather than hashing. 

What’s the benefit of using Postman?

Postman is a development tool. While developing software, we need certain tools to help us perform mundane, or monotonous tasks easily and efficiently, so that we can focus on the coding part that is actually difficult. Postman helps us do that, by automating the testing of APIs. We can test interrelated APIs easily with Postman. We can also add environments and variables; as you saw, it helps make authentication easy to test.

Conclusion

In this blog, we have explored what NTLM and Postman are. We have seen the meaning of hashing, encryption and salting. We have seen the steps involved in the NTLM challenge and response protocol. We have also discussed why NTLM is now viewed as insecure and not recommended.

We hope you leave this article with a broader knowledge of NTLM, Postman and Authentication. We recommend that you explore our different articles on NTLM and Postman as well, such as:

Define, Develop and Test your API in Postman

Deployment of an API in Postman

You can practice questions on various problems on Coding Ninjas Studio, attempt mock tests, go through interview experiences, interview bundle, go along guided paths for preparations, and a lot more!

Keep coding, keep reading Ninjas. 

Previous article
Hawk Authentication in Postman
Next article
Akamai EdgeGrid in Postman
Live masterclass
author
Become a YouTube Analyst: Use Python to analyze viewers data
by Coding Ninjas
04 Feb, 2025
02:30 PM
discord 84+ registered
author
Get hired as an Amazon SDE : Resume building tips
by Coding Ninjas
03 Feb, 2025
02:30 PM
discord 377+ registered
author
Expert tips: Ace Leadership roles in Fortune 500 companies
by Coding Ninjas
03 Feb, 2025
12:30 PM
discord 71+ registered
author
Become a YouTube Analyst: Use Python to analyze viewers data
by Coding Ninjas
04 Feb, 2025
02:30 PM
discord 84+ registered
author
Get hired as an Amazon SDE : Resume building tips
by Coding Ninjas
03 Feb, 2025
02:30 PM
discord 377+ registered
View more events