NTLM Relay Attack
NTLM Relay attacks forward intercepted NTLM authentication to other services like LDAP, HTTP, or MSSQL, granting the attacker the victim's access level on the target service.
An NTLM Relay attack is a credential forwarding technique that exploits the NTLM authentication protocol on any service that supports it, not just SMB. The attacker intercepts an NTLM authentication exchange and relays it to a different service or server, gaining the victim's level of access on the target. NTLM relay can target LDAP, HTTP, MSSQL, Exchange, and other services that accept NTLM authentication.
The attacker coerces or waits for a victim to authenticate using NTLM. This can be triggered through LLMNR poisoning, malicious document links, or forced authentication techniques. The attacker acts as a man-in-the-middle, receiving the victim's NTLM authentication messages and forwarding them to a target service. The target service completes the authentication, believing it is communicating directly with the victim. Depending on the relayed service, the attacker may gain the ability to read or modify Active Directory objects via LDAP, execute queries on databases via MSSQL, or access mailboxes via Exchange. Tools like ntlmrelayx support multi-protocol relay and automated post-exploitation including adding users, modifying ACLs, or dumping credentials.
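The forwarding described above leaves a trace on the target: the NTLM AUTHENTICATE message carries the victim's workstation name, but the TCP connection that delivers it comes from the relaying host, so a network logon event on the target shows a workstation name that does not belong to the source IP. The following detection script is an added example, not code from the original article; the logon events and the workstation-to-IP inventory it checks against are constructed inline, and the field names mirror those of Windows event 4624 (logon type 3 = network, authentication package NTLM).

```python
"""Flag NTLM network logons whose source address does not match the
workstation name they present, a common sign of relayed authentication.

Added example: the events and the asset inventory below are constructed
sample data, not records from a real domain.
"""
from dataclasses import dataclass


@dataclass
class LogonEvent:
    event_id: int      # 4624 = successful logon
    logon_type: int    # 3 = network logon (SMB, LDAP, HTTP, MSSQL, ...)
    auth_package: str  # "NTLM" or "Kerberos"
    account: str
    workstation: str   # WorkstationName field: taken from the NTLM message
    source_ip: str     # IpAddress field: where the connection came from
    target_host: str   # host that wrote the event


# Constructed asset inventory: the address each workstation should appear from.
KNOWN_HOSTS = {
    "WS-ALICE": "10.0.1.21",
    "WS-BOB": "10.0.1.22",
    "SRV-FILE01": "10.0.2.5",
}


def is_suspect_relay(ev: LogonEvent, known_hosts=KNOWN_HOSTS) -> bool:
    """True when an NTLM network logon claims a workstation that is not the
    host the connection actually came from."""
    if ev.event_id != 4624 or ev.logon_type != 3:
        return False  # only successful network logons can be relayed
    if ev.auth_package.upper() != "NTLM":
        return False  # Kerberos tickets are not relayable this way
    ws = ev.workstation.upper()
    if ws in ("", "-"):
        return False  # some services log no workstation; cannot judge
    expected_ip = known_hosts.get(ws)
    if expected_ip is None:
        return True   # unknown workstation on an NTLM logon: review it
    return expected_ip != ev.source_ip


def find_relay_candidates(events, known_hosts=KNOWN_HOSTS):
    """Return the events that match the relay heuristic."""
    return [ev for ev in events if is_suspect_relay(ev, known_hosts)]


# Constructed sample events. Only the second and fifth should be flagged:
# the second presents WS-ALICE's name from an address that is not WS-ALICE,
# the fifth presents a workstation name absent from the inventory.
SAMPLE_EVENTS = [
    LogonEvent(4624, 3, "NTLM", "CORP\\alice", "WS-ALICE", "10.0.1.21", "DC01"),
    LogonEvent(4624, 3, "NTLM", "CORP\\alice", "WS-ALICE", "10.0.9.99", "DC01"),
    LogonEvent(4624, 3, "Kerberos", "CORP\\bob", "WS-BOB", "10.0.9.99", "DC01"),
    LogonEvent(4624, 2, "NTLM", "CORP\\bob", "WS-BOB", "10.0.1.22", "WS-BOB"),
    LogonEvent(4624, 3, "NTLM", "CORP\\svc_backup", "WS-GHOST", "10.0.9.99", "SQL01"),
]

if __name__ == "__main__":
    for ev in find_relay_candidates(SAMPLE_EVENTS):
        print(f"[relay?] {ev.account} as {ev.workstation} from {ev.source_ip} "
              f"-> {ev.target_host}")
```

The inventory lookup is the weak point of this heuristic: DHCP churn, VPN pools and NAT all produce false positives, so in practice the mapping should come from a current asset source and the "unknown workstation" branch should be tuned rather than alerted on blindly.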
NTLM Relay attacks remain one of the most impactful Active Directory attack vectors because NTLM is still widely enabled for backward compatibility. A single relayed authentication from a privileged account can lead to full domain compromise when relayed to LDAP for ACL modifications. Organizations should enforce Extended Protection for Authentication, disable NTLM where feasible, require channel binding on all services, and implement Credential Guard to protect against NTLM credential theft and relay.
Written by CDA Editorial