NTLM Relay Attacks
NTLM relay captures an authentication attempt in transit and replays it to a different server -- the victim unknowingly authenticates the attacker to a target they never intended to reach.
NTLM is an older authentication protocol used in Windows networks. Unlike Kerberos, NTLM provides no mutual authentication: the client's challenge-response proves who the client is, but it is not bound to the identity of the server it was meant for. An attacker in a man-in-the-middle position between you and a server can therefore relay your authentication to a completely different server. This is like someone eavesdropping on your password and immediately using it somewhere else -- except they do not even need to know your password; they just forward the authentication messages in real time. Common tricks for triggering NTLM authentication include poisoning name resolution (the Responder tool), creating malicious file shares, and abusing features such as the Print Spooler service.
Imagine you write a letter of recommendation addressed to Company A. A man-in-the-middle intercepts the letter before it arrives, whites out the recipient name, writes "Company B" instead, and delivers it there. Company B sees your genuine signature and letterhead, accepts it as authentic, and grants access. NTLM relay works the same way: the victim's computer tries to authenticate to one server, but the attacker intercepts the NTLM challenge-response exchange and replays it to a completely different server. The target server accepts it because the cryptographic response is valid -- it just was never intended for that server.
Key Takeaways
- NTLM relay forwards authentication to a different server without knowing the password.
- Coercion techniques (Responder, PetitPotam, PrinterBug) trigger NTLM auth from victims.
- SMB signing, LDAP channel binding, and disabling NTLM are the primary defenses.
- PetitPotam + ADCS relay (ESC8) can escalate from zero to Domain Admin in minutes.
- NTLM relay is a foundational technique in many multi-step attack chains.
NTLM relay is one of the most reliable initial access and privilege escalation techniques. Many organizations still have SMB signing disabled and NTLM enabled, making this attack trivially exploitable.
Defense Recommendations
Enforce signing, binding, and authentication protections across all protocols to prevent relay.
1. Enable SMB signing on ALL systems via Group Policy (not just DCs).
2. Enable LDAP signing and channel binding on all domain controllers.
3. Disable NTLM authentication where possible; use Kerberos exclusively.
4. Disable the Print Spooler service on all Domain Controllers.
5. Enable Extended Protection for Authentication (EPA) on IIS, Exchange, and ADCS web enrollment.
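A read-only audit of items 1 through 4 above on a single host, added here as an example and not part of the original page (EPA in item 5 is configured per application and is not checked). The `Get-RegValue` helper is hypothetical; the cmdlets, registry paths and value meanings are standard Windows ones.

```powershell
# Audit the NTLM-relay defenses on this host without changing anything.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: the Windows default for that setting applies
}

$findings = New-Object System.Collections.Generic.List[string]
# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
$isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

# 1. SMB signing must be *required*; "enabled" alone still allows unsigned sessions
$smbSrv = Get-SmbServerConfiguration
$smbCli = Get-SmbClientConfiguration
if (-not $smbSrv.RequireSecuritySignature) { $findings.Add('SMB server does not require signing') }
if (-not $smbCli.RequireSecuritySignature) { $findings.Add('SMB client does not require signing') }

if ($isDC) {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    # 2. LDAPServerIntegrity 2 = require signing; LdapEnforceChannelBinding 2 = always
    if ((Get-RegValue $ntds 'LDAPServerIntegrity') -ne 2) {
        $findings.Add('LDAP signing is not required on this DC')
    }
    if ((Get-RegValue $ntds 'LdapEnforceChannelBinding') -ne 2) {
        $findings.Add('LDAP channel binding is not enforced on this DC')
    }
    # 4. Print Spooler should be stopped and disabled on domain controllers
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($spooler -and ($spooler.Status -eq 'Running' -or $spooler.StartType -ne 'Disabled')) {
        $findings.Add('Print Spooler is not disabled on this DC')
    }
}

# 3. RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit, 2 = deny all outgoing NTLM
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
if ((Get-RegValue $msv 'RestrictSendingNTLMTraffic') -ne 2) {
    $findings.Add('Outgoing NTLM authentication is still allowed')
}

if ($findings.Count -eq 0) { 'No NTLM-relay weaknesses found on this host' } else { $findings }
```

Run it elevated on each server; every line it prints maps back to one of the numbered recommendations.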