Vol. 1 · Ed. 2026
CyberGlossary
Entry № 840

NTLM Relay Attack

Reviewed by: Cybersecurity entrepreneur & security researcher

What is an NTLM Relay Attack?

NTLM Relay Attack: An adversary-in-the-middle attack (MITRE T1557.001) in which an attacker forwards a victim's NTLM authentication to another service to impersonate them without ever knowing the password.


An NTLM relay attack abuses the challenge-response design of NTLM authentication (MS-NLMP). The attacker tricks a victim host into authenticating to attacker-controlled infrastructure — via WebDAV, file-share UNC paths, or coercion — then forwards the victim's NTLM messages to a target service such as LDAP, SMB, ADCS web enrollment, or MSSQL. The target validates the relayed response and grants access under the victim's identity. Because no cleartext password or hash is ever recovered, only protocols that enforce cryptographic signing and channel binding stop it.

The defining weakness is that NTLM authentication is not bound to the transport that carries it, so a challenge-response valid for one connection is valid for any other. Microsoft has spent over a decade patching individual relay paths rather than the design. CVE-2019-1040 ("Drop the MIC") let attackers strip the Message Integrity Check field from the NTLM_AUTHENTICATE message, re-enabling cross-protocol relay from SMB to LDAP/LDAPS via ntlmrelayx --remove-mic. Coercion vectors keep appearing: the PrinterBug (MS-RPRN), PetitPotam (MS-EFSRPC, CVE-2021-36942, patched 10 Aug 2021), and DFSCoerce all force a chosen host — often a domain controller — to authenticate on demand. Relaying a coerced DC machine account to ADCS web enrollment (the ESC8 technique) yields a certificate that authenticates as the DC, enabling DCSync and full domain takeover.
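The binding weaknesses described above are visible in the wire format itself. The following Python is an added example, not code from this page, from Impacket, or from Microsoft: it builds a constructed NTLM_AUTHENTICATE message (dummy NTProofStr, challenges and LM response, no real key material) and then inspects the fields a relay-hardened server or a defender reviewing a capture would check: the MsvAvFlags MIC bit against the MIC field itself (the inconsistency CVE-2019-1040 exploited), the MsvAvTargetName SPN, and the MsvAvChannelBindings value that Extended Protection relies on. Constants and offsets follow MS-NLMP for an NTLMv2 response; the sample domain, user and SPN values are constructed.

```python
import struct

# Constants from MS-NLMP (AV_PAIR ids, section 2.2.2.1; flag bit from MsvAvFlags).
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
MSV_AV_EOL, MSV_AV_NB_COMPUTER_NAME, MSV_AV_NB_DOMAIN_NAME = 0x0000, 0x0001, 0x0002
MSV_AV_FLAGS, MSV_AV_TARGET_NAME, MSV_AV_CHANNEL_BINDINGS = 0x0006, 0x0009, 0x000A
MSV_AV_FLAG_MIC_PRESENT = 0x00000002   # "the AUTHENTICATE message carries a MIC"
NTPROOFSTR_LEN = 16                    # HMAC-MD5 at the front of the NTLMv2 response
CLIENT_CHALLENGE_FIXED_LEN = 28        # RespType..Reserved3, before the AV_PAIR list
HEADER_LEN = 88                        # fixed AUTHENTICATE header incl. Version and MIC


def build_av_pairs(pairs):
    """Encode [(AvId, value_bytes)] as an AV_PAIR list terminated by MsvAvEOL."""
    body = b"".join(struct.pack("<HH", av_id, len(v)) + v for av_id, v in pairs)
    return body + struct.pack("<HH", MSV_AV_EOL, 0)


def build_authenticate(user, workstation, av_pairs, mic):
    """Build a constructed NTLM_AUTHENTICATE (NTLMv2 layout) for the parser to inspect.
    NTProofStr, client challenge and LM response are dummy bytes, not real key material."""
    nt_response = (b"\x11" * NTPROOFSTR_LEN        # NTProofStr (dummy)
                   + b"\x01\x01" + b"\x00" * 6     # RespType, HiRespType, Reserved1, Reserved2
                   + b"\x00" * 8 + b"\x22" * 8     # TimeStamp, ChallengeFromClient (dummy)
                   + b"\x00" * 4 + av_pairs)       # Reserved3, AvPairs
    blobs = (b"\x00" * 24,                         # LmChallengeResponse (dummy)
             nt_response,                          # NtChallengeResponse
             "CORP".encode("utf-16-le"),           # DomainName (constructed)
             user.encode("utf-16-le"),             # UserName
             workstation.encode("utf-16-le"),      # Workstation
             b"")                                  # EncryptedRandomSessionKey (none)
    fields, payload = b"", b""
    for blob in blobs:   # each field descriptor: Len, MaxLen, Offset from message start
        fields += struct.pack("<HHI", len(blob), len(blob), HEADER_LEN + len(payload))
        payload += blob
    negotiate_flags = 0x02008010   # NEGOTIATE_VERSION | ALWAYS_SIGN | SIGN
    return (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE) + fields
            + struct.pack("<I", negotiate_flags) + b"\x00" * 8 + mic + payload)


def parse_authenticate(msg):
    """Extract user, workstation, MIC and the AV_PAIRs carried inside the NTLMv2 response."""
    if msg[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE_MESSAGE:
        raise ValueError("not an NTLM AUTHENTICATE message")

    def field(hdr_off):
        length, _max_len, off = struct.unpack_from("<HHI", msg, hdr_off)
        return msg[off:off + length]

    nt_response = field(20)   # NtChallengeResponseFields
    av, pos = {}, NTPROOFSTR_LEN + CLIENT_CHALLENGE_FIXED_LEN
    while True:               # walk the AV_PAIR list; it is covered by NTProofStr, so the
        av_id, av_len = struct.unpack_from("<HH", nt_response, pos)   # client's claims are authentic
        pos += 4
        if av_id == MSV_AV_EOL:
            break
        av[av_id] = nt_response[pos:pos + av_len]
        pos += av_len
    return {"user": field(36).decode("utf-16-le"),
            "workstation": field(44).decode("utf-16-le"),
            "mic": msg[72:88], "av": av}


def relay_exposure(parsed):
    """List what a relay could reuse or tamper with. Empty list = all three bindings present."""
    av, findings = parsed["av"], []
    flags = struct.unpack("<I", av.get(MSV_AV_FLAGS, b"\x00" * 4))[0]
    if not (flags & MSV_AV_FLAG_MIC_PRESENT):
        findings.append("no MIC: negotiate flags can be altered in transit")
    elif parsed["mic"] == b"\x00" * 16:
        # Client signed a promise of a MIC, but the field is empty: the unpatched
        # CVE-2019-1040 server accepted exactly this combination.
        findings.append("MIC flag set but MIC zeroed: CVE-2019-1040-style tampering")
    if MSV_AV_TARGET_NAME not in av:
        findings.append("no MsvAvTargetName: response not bound to a service SPN")
    if av.get(MSV_AV_CHANNEL_BINDINGS, b"\x00" * 16) == b"\x00" * 16:
        findings.append("no channel binding: response reusable on any TLS endpoint")
    return findings


# Constructed samples: a legacy client that binds nothing, and a client that binds everything.
LEGACY_AV = build_av_pairs([(MSV_AV_NB_DOMAIN_NAME, "CORP".encode("utf-16-le")),
                            (MSV_AV_NB_COMPUTER_NAME, "DC01".encode("utf-16-le"))])
BOUND_AV = build_av_pairs([(MSV_AV_FLAGS, struct.pack("<I", MSV_AV_FLAG_MIC_PRESENT)),
                           (MSV_AV_TARGET_NAME, "ldap/dc01.corp.example".encode("utf-16-le")),
                           (MSV_AV_CHANNEL_BINDINGS, b"\xab" * 16)])

if __name__ == "__main__":
    for label, av, mic in (("legacy", LEGACY_AV, b"\x00" * 16), ("bound", BOUND_AV, b"\x33" * 16),
                           ("bound, MIC stripped", BOUND_AV, b"\x00" * 16)):
        print(label, relay_exposure(parse_authenticate(build_authenticate("alice", "WS01", av, mic))))
```

The AV_PAIR list sits inside the NTLMv2 response and is covered by NTProofStr, so an on-path attacker cannot add or remove those pairs; only the unsigned parts of the message (negotiate flags, the MIC field itself) can be altered, which is why the MIC-flag-versus-MIC-field consistency check matters on the server side.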

flowchart LR
  A[Attacker] -->|1. Coerce / poison<br/>PetitPotam, PrinterBug, LLMNR| V[Victim host]
  V -->|2. NTLM_NEGOTIATE| A
  A -->|3. Relay to target| T[(Target: LDAP / SMB / ADCS)]
  T -->|4. Challenge| A
  A -->|5. Forward challenge| V
  V -->|6. NTLM_AUTHENTICATE| A
  A -->|7. Relay response| T
  T -->|8. Access granted as victim| A

Mitigations: enforce SMB signing, enable LDAP signing and channel binding / Extended Protection for Authentication (EPA), disable NTLM where feasible, and patch coercion vectors (including the 2025 SMB-client reflection bug CVE-2025-33073). Impacket's ntlmrelayx is the canonical tool.
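One operational check that complements the mitigations above is to look for NTLM network logons whose NTLM Workstation name does not match the address the connection actually came from: a relayed AUTHENTICATE message carries the victim's workstation name, but the TCP connection to the target arrives from the attacker's host. The script below is an added example, not part of this glossary entry or any vendor's detection content. It runs that heuristic over constructed event lines (a flattened rendering of Windows Security event 4624 fields, not the real XML) against a constructed asset-to-IP inventory (ASSET_IPS), and also flags a machine account (such as a coerced domain controller) authenticating from an address other than its own host.

```python
from dataclasses import dataclass

# Constructed inventory (assumption): the address each host is expected to connect from.
ASSET_IPS = {"WS01": "10.0.1.15", "DC01": "10.0.0.10", "FS01": "10.0.0.20", "CA01": "10.0.0.30"}


@dataclass
class LogonEvent:
    event_id: int
    logon_type: int
    auth_package: str
    target_user: str
    workstation: str   # name carried inside the NTLM AUTHENTICATE message
    source_ip: str     # TCP peer that actually delivered the message
    computer: str      # host that logged the event (the relay target)


def parse_event(line):
    """Parse one constructed 'Key=Value' line into a LogonEvent."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return LogonEvent(int(kv["EventID"]), int(kv["LogonType"]), kv["AuthPkg"],
                      kv["TargetUser"], kv["Workstation"], kv["SourceIP"], kv["Computer"])


def relay_indicators(ev):
    """Return reasons this NTLM network logon looks relayed; empty list if it does not."""
    reasons = []
    # Only NTLM network (type 3) logons are candidates; Kerberos is not relayed this way.
    if ev.event_id != 4624 or ev.logon_type != 3 or ev.auth_package.upper() != "NTLM":
        return reasons
    # 1. The workstation named in the NTLM message should be the host that opened the connection.
    expected = ASSET_IPS.get(ev.workstation.upper())
    if expected and expected != ev.source_ip:
        reasons.append(f"workstation {ev.workstation} expected from {expected}, seen from {ev.source_ip}")
    # 2. A machine account (name ends in $) should only authenticate from its own host; a coerced
    #    DC relayed to LDAP or ADCS shows up as DC01$ arriving from the attacker's address.
    if ev.target_user.endswith("$"):
        host_ip = ASSET_IPS.get(ev.target_user[:-1].upper())
        if host_ip and host_ip != ev.source_ip:
            reasons.append(f"machine account {ev.target_user} seen from {ev.source_ip}, not its host {host_ip}")
    return reasons


# Constructed sample events (not real logs): a normal logon, a relayed user logon,
# a coerced DC machine account relayed to the CA, and a Kerberos logon that is ignored.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 AuthPkg=NTLM TargetUser=alice Workstation=WS01 SourceIP=10.0.1.15 Computer=FS01",
    "EventID=4624 LogonType=3 AuthPkg=NTLM TargetUser=alice Workstation=WS01 SourceIP=10.0.9.99 Computer=FS01",
    "EventID=4624 LogonType=3 AuthPkg=NTLM TargetUser=DC01$ Workstation=DC01 SourceIP=10.0.9.99 Computer=CA01",
    "EventID=4624 LogonType=3 AuthPkg=Kerberos TargetUser=bob Workstation=WS01 SourceIP=10.0.9.99 Computer=FS01",
]


def scan(lines):
    """Return [(target_user, source_ip, reasons)] for every event with relay indicators."""
    hits = []
    for ev in map(parse_event, lines):
        reasons = relay_indicators(ev)
        if reasons:
            hits.append((ev.target_user, ev.source_ip, reasons))
    return hits


if __name__ == "__main__":
    for user, ip, reasons in scan(SAMPLE_EVENTS):
        print(f"{user} from {ip}: " + "; ".join(reasons))
```

The heuristic depends on an accurate host-to-address inventory (DHCP churn and VPN pools produce false positives), so in practice it is a triage signal to pair with the protocol-level controls, not a replacement for signing and channel binding on the targets.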

Examples

  1. Coercing a domain controller with PetitPotam and relaying its NTLM authentication to ADCS to obtain a DC certificate.

  2. Relaying a workstation's NTLMv2 to MSSQL with xp_cmdshell enabled for RCE.

Frequently asked questions

What is an NTLM Relay Attack?

An adversary-in-the-middle attack (MITRE T1557.001) in which an attacker forwards a victim's NTLM authentication to another service to impersonate them without ever knowing the password. It belongs to the Attacks & Threats category of cybersecurity.

What does NTLM Relay Attack mean?

An adversary-in-the-middle attack (MITRE T1557.001) in which an attacker forwards a victim's NTLM authentication to another service to impersonate them without ever knowing the password.

How do you defend against an NTLM Relay Attack?

Defences combine technical controls and operational practices: enforce SMB signing, enable LDAP signing and channel binding (EPA), disable NTLM where feasible, and patch coercion vectors, as detailed in the full definition above.

What are other names for an NTLM Relay Attack?

Common alternative names include: NTLM relaying, T1557.001.
