
NTLM Relay Attack

Intercepting & Relaying Authentication

Intercept NTLM authentication on the network and relay it to a different service to gain unauthorized access — the attacker never needs to crack the password.

Level: Intermediate | Duration: ~6 min | MITRE ATT&CK: T1557.001

Prerequisites:
- Network access on the same subnet as target hosts
- Responder for LLMNR/NBT-NS poisoning
- Impacket ntlmrelayx.py for relaying
- PetitPotam.py for authentication coercion
Step 1/4: Launch Responder to Capture NTLM Auth

Step 1: Poison Name Resolution

Responder poisons LLMNR and NBT-NS name resolution. When a machine's DNS lookup fails (e.g., a typo in a UNC path), Windows falls back to LLMNR/NBT-NS broadcasts, and Responder answers "I'm that server, authenticate to me."

We are answering network name queries with "I'm the server you're looking for!" When victim machines believe us, they send their credentials. Think of it as pretending to be the receptionist to collect everyone's ID badges.

Detection Events:
- Event ID 4688: Responder/relay tool process creation
Attack Flow (diagram): Attacker -> Victim Host: LLMNR/NBT-NS poison; Victim Host -> Attacker: NTLM auth captured. Hosts shown: Attacker, Victim Host, DC01. Legend: Request, Response, Attack, Data.
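The detection event listed above (4688, process creation) is only useful if something actually inspects it. As an added example that is not part of the original page, the following Python check runs over a handful of constructed 4688 records and flags any whose image path or command line names one of the tools listed in the prerequisites (Responder, ntlmrelayx, PetitPotam). The event field names follow the Windows Security log schema; the sample events and the host/user names are constructed here.

```python
import re

# Constructed sample Windows Security events, reduced to the fields used
# below. Not real logs; the host, user and paths are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "svc_build",
     "NewProcessName": "C:\\Python39\\python.exe",
     "CommandLine": "python.exe Responder.py -I eth0 -wrf"},
    {"EventID": 4688, "Computer": "WS02", "SubjectUserName": "bob",
     "NewProcessName": "C:\\Python39\\python.exe",
     "CommandLine": "python.exe ntlmrelayx.py -t smb://10.0.0.5 -smb2support"},
    {"EventID": 4624, "Computer": "WS02", "SubjectUserName": "bob",
     "LogonType": "3"},  # not a process-creation event; must be ignored
    {"EventID": 4688, "Computer": "WS03", "SubjectUserName": "carol",
     "NewProcessName": "C:\\Python39\\python.exe",
     "CommandLine": "python.exe build.py --release"},
]

# Tool names come from the page's prerequisites. They are matched against the
# command line as well as the image path, because when a script is run via an
# interpreter the 4688 NewProcessName is just python.exe. Name matching is a
# weak signal on its own: a renamed script will not trip it.
TOOL_PATTERNS = [
    ("Responder (LLMNR/NBT-NS poisoning)", re.compile(r"\bresponder(\.py)?\b", re.I)),
    ("ntlmrelayx (NTLM relay)", re.compile(r"\bntlmrelayx(\.py)?\b", re.I)),
    ("PetitPotam (auth coercion)", re.compile(r"\bpetitpotam(\.py)?\b", re.I)),
]


def flag_relay_tooling(events):
    """Return (computer, user, tool_label, command_line) for every 4688 event
    whose image path or command line names a known relay/poisoning tool."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        haystack = f'{ev.get("NewProcessName", "")} {ev.get("CommandLine", "")}'
        for label, pattern in TOOL_PATTERNS:
            if pattern.search(haystack):
                hits.append((ev["Computer"], ev["SubjectUserName"], label,
                             ev.get("CommandLine", "")))
                break  # one finding per event is enough
    return hits


if __name__ == "__main__":
    for computer, user, label, cmd in flag_relay_tooling(SAMPLE_EVENTS):
        print(f"[4688] {computer} user={user} tool={label} cmd={cmd}")
```

The command-line match only works if the audit policy setting "Include command line in process creation events" is enabled; without it, 4688 carries the image path alone and interpreter-launched scripts look identical to any other python.exe start.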

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.