Support authentication with NT hash in NTLM auth flow #140

Open
exploide opened this issue Feb 5, 2025 · 2 comments
exploide commented Feb 5, 2025

With NTLM authentication, it is technically not necessary to possess the cleartext password. Since the challenge-response scheme is solved with the NT hash of the password instead of its cleartext value, it is sufficient to know the NT hash.

It would be awesome if ldap3 would support connection establishment with a known NT hash instead of a password.

Use cases:

  1. Someone might be hesitant to store a cleartext password somewhere and would like to do it with the hash instead.
  2. In penetration testing, it is common to get access to an NT hash and assessment tools need support for that. For example: "[feature] add ability to auth via NTHASH" (g0h4n/RustHound-CE#5).

inejge (Owner) commented Feb 5, 2025

NTLM handling in the library is very experimental, and may not even end up in the released code, depending on how extensive the support for other things (like channel bindings) is going to be. NT hashes are hence a very low priority. I'll keep the issue open until I decide what's going to happen to NTLM support as a whole.

exploide (Author) commented Feb 6, 2025

Okay, thanks for the fast response. I think it would also be fine to have basic NTLM auth support first and then gradually improve over time. Maybe people will conduct PRs if they require a missing feature like LDAP signing, channel binding or NT hash support.

But in general, I would consider NTLM auth support an important feature. In many cases the LDAP implementation will be Active Directory and NTLM is often required there.
