Ping-pong
If local access to the system is not possible, LC4 can eavesdrop on the network and capture the log-in exchange from which the hashes can be recovered. To authenticate a user, the domain controller (DC) sends an 8-byte pseudo-random value (the challenge) to the client over the network. Both the LM hash and the NTLM hash are padded with five zero bytes to 21 bytes and split into three 56-bit keys. The client encrypts the challenge once with each key and sends the three 8-byte results back to the DC as a 24-byte response. The DC performs the same calculation with the hash it has stored and compares the client's answer with its own result. If they are identical, the user has entered the correct password.
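The response computation described above, written out as an added example in Go (not code from the article or from LC4): it pads the 16-byte hash, derives the three DES keys, encrypts the challenge, and also shows the DC's verification side. The sample values are the published MS-NLMP test vector (NT hash of the password "Password", server challenge 0123456789abcdef), not anything from this article.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// expandKey spreads 7 key bytes (56 bits) over 8 bytes and sets the odd
// parity bit DES expects in the low bit of each byte (Go itself ignores it).
func expandKey(k7 []byte) []byte {
	k := []byte{
		k7[0], k7[0]<<7 | k7[1]>>1, k7[1]<<6 | k7[2]>>2, k7[2]<<5 | k7[3]>>3,
		k7[3]<<4 | k7[4]>>4, k7[4]<<3 | k7[5]>>5, k7[5]<<2 | k7[6]>>6, k7[6]<<1,
	}
	for i, b := range k {
		k[i] = b&0xfe | byte(1-bits.OnesCount8(b&0xfe)%2)
	}
	return k
}

// Response computes the 24-byte LM/NTLM response: the 16-byte hash is padded with
// five zero bytes to 21, cut into three 56-bit keys, and the challenge is DES-encrypted under each.
func Response(hash16, challenge []byte) ([]byte, error) {
	if len(hash16) != 16 || len(challenge) != 8 {
		return nil, fmt.Errorf("need a 16-byte hash and an 8-byte challenge")
	}
	padded := append(append([]byte{}, hash16...), make([]byte, 5)...)
	out := make([]byte, 24)
	for i := 0; i < 3; i++ {
		c, _ := des.NewCipher(expandKey(padded[7*i : 7*i+7])) // 8-byte key, cannot fail
		c.Encrypt(out[8*i:8*i+8], challenge)
	}
	return out, nil
}

// Verify is the DC's side: recompute from the stored hash and compare in constant time.
func Verify(hash16, challenge, response []byte) bool {
	want, err := Response(hash16, challenge)
	return err == nil && subtle.ConstantTimeCompare(want, response) == 1
}

func main() {
	hash, _ := hex.DecodeString("a4f49c406510bdcab6824ee7c30fd852") // MS-NLMP NT hash of "Password"
	chal, _ := hex.DecodeString("0123456789abcdef")
	resp, _ := Response(hash, chal)
	fmt.Printf("NTLM response %x verifies: %v\n", resp, Verify(hash, chal, resp))
}
```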
On the basis of the captured challenge and response, LC4 attempts to draw conclusions about the password. With a dictionary attack or a brute-force attack, it encrypts the plaintext challenge sent by the DC with candidate hashes until the result matches the captured response.
Here, too, attackers first try to reproduce the simpler LM response, and Windows even helps them: for compatibility reasons, Windows clients in the default configuration answer the challenge with both an LM response and an NTLM response. From the LM response the LM password can be calculated, and the NTLM password is then reconstructed by varying upper and lower case. Since Service Pack 4 for Windows NT 4.0, the compatibility mode can be switched off so that only NTLM responses are accepted.