What is an NTLM Relay Attack?

Updated on August 29, 2025

An NTLM relay attack is a man-in-the-middle (MitM) technique that allows an attacker to intercept a victim’s NTLM authentication and “relay” it to a different server. This enables the attacker to gain unauthorized access to the target server by impersonating the victim, all without ever needing to crack the user’s password.

This attack exploits a known weakness in the NTLM protocol, which makes NTLM relay attacks a significant threat for organizations that rely on Windows authentication.

The attack differs fundamentally from other credential-based attacks because it doesn’t require password cracking or hash extraction. Instead, it leverages the legitimate authentication process itself as the attack vector.

Definition and Core Concepts

An NTLM relay attack is a type of credential relay attack that exploits the NTLM (NT LAN Manager) authentication protocol. The attacker positions themselves between a client and a legitimate server, intercepts the authentication exchange, and forwards it to an unsuspecting third-party server to gain unauthorized access.

NTLM Authentication Process

NTLM is a challenge-response authentication protocol. The handshake consists of three steps:

  • Negotiate: A client sends a Negotiate message to a server, requesting to authenticate.
  • Challenge: The server responds with a unique, random Challenge message.
  • Authenticate: The client uses its password hash to compute a response to the challenge and sends that response back to the server, which then validates it.

The weakness that NTLM relay attacks exploit lies in this three-way handshake: the protocol does not adequately verify that the client and the server are communicating with each other directly.

Relay vs. Cracking

An NTLM relay attack is fundamentally different from offline password cracking or a Pass-the-Hash attack: it does not require the attacker to know the victim’s password hash.

Instead, it uses the legitimate challenge-response to authenticate on the victim’s behalf to a different system. The attacker acts as a transparent proxy, forwarding authentication messages between the victim and target systems.

Pass-the-Hash attacks require the attacker to extract and reuse password hashes. NTLM relay attacks work with the authentication process itself, making them particularly dangerous because they bypass traditional hash-based defenses.

How It Works

An NTLM relay attack requires the attacker to position themselves as a man-in-the-middle between a victim and a target server. The attack exploits the trust relationship inherent in the NTLM protocol.

Man-in-the-Middle Positioning

The attacker must first intercept the victim’s network traffic. This can be achieved through techniques like ARP spoofing or DNS poisoning, or by leveraging vulnerable name-resolution protocols like Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS), which let any host on the segment answer a name query and thereby impersonate the requested service.

LLMNR and NBT-NS are particularly useful for attackers because they respond to name resolution requests when DNS fails. An attacker on the same network segment can respond to these requests and direct traffic to their machine.

The Relay Process

The attack follows a precise sequence of message forwarding:

  • Step 1: The victim client attempts to access a service, but due to the attacker’s MitM position, the request goes to the attacker’s machine.
  • Step 2: The attacker forwards the victim’s initial authentication request to an entirely different, unsuspecting target server.
  • Step 3: The target server, believing it’s communicating with the legitimate client, sends a Challenge to the attacker.
  • Step 4: The attacker forwards the Challenge to the victim.
  • Step 5: The victim computes a valid Authenticate response to the challenge and sends it back to the attacker.
  • Step 6: The attacker relays this valid Authenticate response to the target server. The target server validates the response, and the attacker is successfully authenticated as the victim.

The attacker has now gained access to the target server with the victim’s privileges. The victim is unaware that their authentication was used on another machine.

The attack succeeds because the NTLM protocol doesn’t include adequate channel binding or mutual authentication mechanisms to verify the intended communication endpoints.
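The six-step sequence above works because the client’s response depends only on the challenge and the password hash, so a response computed for one server is equally valid at another. The following toy model, added here as an illustration and not code from the original article, reproduces that exchange in a few lines and then shows how binding the response to the server identity the client intends to reach (the idea behind channel binding and Extended Protection) makes the relayed response fail verification at the real target. It is not the real NTLM message format: the hash, the response function, the server names "fileserver" and "target", and the session identifier are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Toy stand-in for the user's NT hash, shared by the client and by every server
# that can validate the user. Constructed for this example only.
NT_HASH = hashlib.md5(b"example-password").digest()


def compute_response(nt_hash: bytes, challenge: bytes, bound_target: Optional[bytes] = None) -> bytes:
    """Client side: keyed response to the server challenge.

    Without binding, the response covers only the challenge, so it is valid at
    whichever server issued that challenge. With binding, the identity of the
    server the client *believes* it is talking to is mixed into the response.
    """
    data = challenge if bound_target is None else challenge + b"|" + bound_target
    return hmac.new(nt_hash, data, hashlib.sha256).digest()


class Server:
    """Server side of the toy handshake: issues challenges and verifies responses."""

    def __init__(self, name: str, require_binding: bool) -> None:
        self.name = name
        self.require_binding = require_binding
        self.pending: Dict[str, bytes] = {}

    def challenge(self, session_id: str) -> bytes:
        # Step 3: a fresh random challenge per session.
        chal = os.urandom(16)
        self.pending[session_id] = chal
        return chal

    def verify(self, session_id: str, response: bytes) -> bool:
        # The server recomputes the expected response; when binding is required
        # it uses its *own* name, so a response bound to another server fails.
        chal = self.pending.pop(session_id)
        bound = self.name.encode() if self.require_binding else None
        expected = compute_response(NT_HASH, chal, bound)
        return hmac.compare_digest(response, expected)


def direct_logon(require_binding: bool) -> bool:
    """Baseline: the client authenticates straight to the server it intends to reach."""
    target = Server("target", require_binding)
    chal = target.challenge("client-session")
    bound = b"target" if require_binding else None
    return target.verify("client-session", compute_response(NT_HASH, chal, bound))


def relayed_logon(require_binding: bool) -> bool:
    """Steps 2-6 of the article with a man-in-the-middle: the client thinks it is
    talking to 'fileserver', but the challenge actually came from 'target'.
    Returns True if the relayed response is accepted by the target."""
    target = Server("target", require_binding)
    # Steps 2-3: the attacker opens its own session to the target and receives
    # the target's challenge.
    chal = target.challenge("relayed-session")
    # Steps 4-5: the challenge is forwarded to the victim, who answers it. With
    # binding enabled the victim binds the answer to the server it intended to reach.
    intended = b"fileserver" if require_binding else None
    response = compute_response(NT_HASH, chal, intended)
    # Step 6: the answer is forwarded to the target, which validates it.
    return target.verify("relayed-session", response)


if __name__ == "__main__":
    print("direct logon, no binding:  ", direct_logon(False))   # True
    print("relayed logon, no binding: ", relayed_logon(False))  # True: relay succeeds
    print("direct logon, with binding:", direct_logon(True))    # True
    print("relayed logon, with binding:", relayed_logon(True))  # False: relay rejected
```

The point to take from the model is that nothing in the unbound exchange names the endpoints, so the target cannot tell a forwarded response from a direct one; once the client commits to the server name it intends to reach, a mismatch at the real target is detectable and the legitimate direct logon still works.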

Use Cases and Applications

NTLM relay attacks are a dangerous method for gaining access within a network. They’re particularly effective in Active Directory environments where NTLM authentication is still enabled.

Lateral Movement

An attacker can relay a standard user’s authentication from one machine to another to expand their presence in the network. This technique allows attackers to access file shares, databases, or other network resources using the victim’s credentials.

The attack is especially effective when users have local administrator privileges on multiple systems. A single successful relay can provide administrative access to additional machines in the network.

Privilege Escalation

If an attacker can get a privileged user (e.g., a domain administrator) to authenticate, they can relay that authentication to a domain controller and achieve full domain control.

This scenario often occurs when administrators connect to compromised workstations for troubleshooting. The attacker relays the administrator’s authentication to critical infrastructure components, potentially compromising the entire domain.

Detection and Mitigation

Security teams must implement both detection mechanisms and preventive controls to defend against NTLM relay attacks.

Detection

Security teams can detect NTLM relay attacks by monitoring for suspicious NTLM authentications. This can include monitoring for NTLM traffic originating from unusual IP addresses, a high volume of failed authentications, or unexpected NTLM authentications on servers that should only be using Kerberos.

Effective detection requires logging and analyzing authentication events across the network. Windows Event Logs, particularly Event IDs 4624 (successful logon) and 4625 (failed logon), provide valuable data for identifying anomalous authentication patterns.

Network traffic analysis can reveal indicators such as NTLM authentication attempts from unexpected source IP addresses or authentication flows that don’t match normal user behavior patterns.
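The three indicators named in this section (NTLM from unexpected source addresses, bursts of failed authentications, and NTLM logons on hosts that should only see Kerberos) can be expressed as simple rules over 4624/4625 records. The script below is an added example, not code from the article; it runs those rules over a handful of constructed event records whose hostnames, usernames, timestamps and addresses are made up, and whose fields are a simplified subset of what the real Windows events carry (the Kerberos-only host list and the trusted source range are assumptions a deployment would replace with its own).

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample events. Field names are simplified stand-ins for the
# Windows 4624/4625 fields (TargetUserName, AuthenticationPackageName, IpAddress).
EVENTS = [
    {"ts": "2025-08-29T09:00:01", "id": 4624, "host": "FS01", "user": "alice", "auth": "Kerberos", "src_ip": "10.0.10.21"},
    {"ts": "2025-08-29T09:00:05", "id": 4624, "host": "DC01", "user": "bob",   "auth": "NTLM",     "src_ip": "10.0.10.30"},
    {"ts": "2025-08-29T09:00:07", "id": 4624, "host": "FS01", "user": "carol", "auth": "NTLM",     "src_ip": "10.0.50.200"},
    {"ts": "2025-08-29T09:00:08", "id": 4625, "host": "FS01", "user": "dave",  "auth": "NTLM",     "src_ip": "10.0.50.200"},
    {"ts": "2025-08-29T09:00:09", "id": 4625, "host": "FS01", "user": "erin",  "auth": "NTLM",     "src_ip": "10.0.50.200"},
    {"ts": "2025-08-29T09:00:11", "id": 4625, "host": "FS01", "user": "frank", "auth": "NTLM",     "src_ip": "10.0.50.200"},
    {"ts": "2025-08-29T09:30:00", "id": 4625, "host": "FS01", "user": "grace", "auth": "NTLM",     "src_ip": "10.0.10.21"},
    {"ts": "2025-08-29T09:45:00", "id": 4624, "host": "FS01", "user": "heidi", "auth": "NTLM",     "src_ip": "10.0.10.40"},
]

# Assumed policy inputs: hosts expected to accept Kerberos only, and the
# address range from which NTLM logons are considered normal.
KERBEROS_ONLY_HOSTS = {"DC01"}
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.10.0/24")]
FAILURE_THRESHOLD = 3
FAILURE_WINDOW = timedelta(minutes=5)

Finding = Tuple[str, str, str]  # (user, host, src_ip)


def ntlm_on_kerberos_only_hosts(events: List[dict]) -> List[Finding]:
    """Successful NTLM logons on hosts that should only be using Kerberos."""
    return [(e["user"], e["host"], e["src_ip"]) for e in events
            if e["id"] == 4624 and e["auth"] == "NTLM" and e["host"] in KERBEROS_ONLY_HOSTS]


def ntlm_from_unexpected_sources(events: List[dict]) -> List[Finding]:
    """Successful NTLM logons whose source address is outside the trusted ranges."""
    out = []
    for e in events:
        if e["id"] != 4624 or e["auth"] != "NTLM":
            continue
        addr = ipaddress.ip_address(e["src_ip"])
        if not any(addr in net for net in TRUSTED_SOURCES):
            out.append((e["user"], e["host"], e["src_ip"]))
    return out


def ntlm_failure_bursts(events: List[dict], threshold: int = FAILURE_THRESHOLD,
                        window: timedelta = FAILURE_WINDOW) -> Dict[str, int]:
    """Source addresses with at least `threshold` NTLM failures inside one window.
    Returns {src_ip: size of the first burst found}."""
    by_src: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["auth"] == "NTLM":
            by_src[e["src_ip"]].append(datetime.fromisoformat(e["ts"]))
    bursts: Dict[str, int] = {}
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1  # extend the window while failures stay inside it
            if j - i >= threshold:
                bursts[src] = j - i
                break
    return bursts


def analyze(events: List[dict]) -> dict:
    """Run all three rules and return the findings keyed by rule name."""
    return {
        "ntlm_on_kerberos_only_host": ntlm_on_kerberos_only_hosts(events),
        "ntlm_from_unexpected_source": ntlm_from_unexpected_sources(events),
        "failure_bursts": ntlm_failure_bursts(events),
    }


if __name__ == "__main__":
    for rule, hits in analyze(EVENTS).items():
        print(f"{rule}: {hits}")
```

Each rule is deliberately independent so it can be tuned or disabled on its own; the burst rule uses a sliding window rather than a fixed bucket so that failures straddling a minute boundary are still counted together. In a real deployment the event list would come from a SIEM or from the Security log, and the lookups of Kerberos-only hosts and trusted ranges would be maintained alongside the NTLM auditing policy.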

Mitigation

The most effective defenses involve hardening the environment through protocol and configuration changes.

  • Disable NTLM: The most direct mitigation is to disable NTLM entirely and enforce the use of the Kerberos protocol. Kerberos includes mutual authentication and ticket-based access controls that prevent relay attacks.
  • SMB Signing: Enforcing SMB (Server Message Block) signing on all Windows systems prevents NTLM relay attacks against SMB services. SMB signing cryptographically signs each message, which the attacker cannot forge.
  • Credential Guard: This Windows security feature prevents the caching of NTLM credentials in memory, which limits the attacker’s ability to obtain the necessary information for a relay attack.

Additional mitigations include disabling LLMNR and NBT-NS protocols, implementing network segmentation, and requiring EPA (Extended Protection for Authentication) for web applications.

Key Terms

  • NTLM Relay Attack: A man-in-the-middle attack that relays NTLM authentication from one system to another without requiring password knowledge.
  • NTLM: A suite of security protocols used for authentication in Windows environments, consisting of NTLMv1 and NTLMv2 variants.
  • Challenge-Response: The three-way handshake used in NTLM authentication involving negotiate, challenge, and authenticate messages.
  • Man-in-the-Middle (MitM): An attack where the attacker secretly intercepts and relays messages between two parties who believe they are communicating directly.
  • SMB Signing: A security feature that cryptographically signs SMB messages to prevent tampering and relay attacks.
  • LLMNR: Link-Local Multicast Name Resolution, a protocol that can be abused for relay attacks by responding to name resolution requests.
