One Day Sec

How is an NTLM hash generated from a plaintext password?

The plaintext password is first encoded as UTF-16LE (what Windows calls "Unicode"). For ASCII characters this is exactly "each byte followed by 0x00"; non-ASCII characters occupy two or four bytes and are not a simple byte interleave, so the encoding step matters. The encoded bytes are then hashed with MD4, producing a 16-byte digest written as 32 hexadecimal characters: this is the NT hash, commonly called the NTLM hash. No salt is involved, so the same password yields the same hash on every machine and in every domain, and the hash can be precomputed or cracked offline at very high speed. For example, the password "test123" produces the NTLM hash c5a237b7e9d8e708d8436b6148a25fa1, the same value you would see if Mimikatz extracted that account's credential from the lsass.exe process. Penetration testers most often obtain NTLM hashes from the local SAM database or from a domain controller's NTDS.dit, as discussed in Penetration Techniques - Obtaining Local User Hashes via SAM Database.
Tags: MD4, Unicode, Mimikatz, SAM, NTDS.dit