Module 4 · NTLM Relay Attacks

Manish Garg, Associate of (ISC)² · RingSafe
Apr 19, 2026

Last updated: April 29, 2026

NTLM Relay is one of the most effective attacks against modern Windows environments — and it works even on fully-patched systems if defenders haven’t enabled specific hardening. This module covers how relay works, common exploit chains, and the defences that actually block it.

How NTLM authentication works

NTLM is a challenge-response protocol. The client sends NTLM_NEGOTIATE; the server responds with a challenge; the client hashes its password with the challenge and returns the response; the server verifies it.

Critical design flaw: NTLM does not verify to WHOM the client is authenticating. If an attacker can get the client to initiate NTLM auth to the attacker’s server, the attacker can relay the auth to a different server and impersonate the client there.
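
The challenge-response step and the missing target check described above, as an added example (not code from the original module). It follows the NTLMv2 response calculation from MS-NLMP, starts from a constructed NT hash, and simplifies by letting the server hold that hash and treating the client blob as opaque bytes; all names and values are assumptions for illustration.

```python
import hashlib
import hmac


def response_key(nt_hash: bytes, user: str, domain: str) -> bytes:
    # NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain (UTF-16LE).
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()


def client_response(nt_hash: bytes, user: str, domain: str,
                    server_challenge: bytes, client_blob: bytes) -> bytes:
    # Client side: proof = HMAC-MD5(key, server_challenge + client_blob).
    key = response_key(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()
    return proof + client_blob


def server_verify(stored_nt_hash: bytes, user: str, domain: str,
                  issued_challenge: bytes, response: bytes) -> bool:
    # Server side: recompute the proof from the challenge this server issued.
    # Note what is absent: no input names the server the client connected to,
    # so the check passes for whichever service issued the challenge.
    proof, blob = response[:16], response[16:]
    key = response_key(stored_nt_hash, user, domain)
    expected = hmac.new(key, issued_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo() -> tuple:
    nt_hash = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    user, domain = "alice", "EXAMPLE"                            # constructed
    challenge = bytes(range(8))           # constructed 8-byte server challenge
    blob = b"constructed-client-blob"     # stands in for the NTLMv2 client blob
    resp = client_response(nt_hash, user, domain, challenge, blob)
    accepted = server_verify(nt_hash, user, domain, challenge, resp)
    other_challenge = server_verify(nt_hash, user, domain, b"\xff" * 8, resp)
    return accepted, other_challenge


if __name__ == "__main__":
    print(demo())
```

The response is tied to the challenge alone, so verification fails for any other challenge, but nothing in the calculation ties it to a particular server.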
