NTLM Relay Attack
What is NTLM Relay Attack?
An adversary-in-the-middle attack (MITRE T1557.001) in which an attacker forwards a victim's NTLM authentication to another service to impersonate them without ever knowing the password.
An NTLM relay attack abuses the challenge-response design of NTLM authentication. The attacker tricks a victim host into authenticating to attacker-controlled infrastructure (for example via WebDAV, file-share UNC paths, or PetitPotam-style coercion), then forwards the victim's NTLM messages to a target service such as LDAP, SMB, ADCS web enrollment, or MSSQL. The target accepts the legitimate challenge response and grants the attacker access in the victim's identity. Because no cleartext password or hash is recovered, only signed and bound protocols stop it. Mitigations include enforcing SMB signing, LDAP signing and channel binding (EPA), disabling NTLM where possible, and patching coercion vectors. Impacket's ntlmrelayx is the canonical tool.
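As an added defensive check (not code from the original page), the following PowerShell script audits a Windows host for the mitigations listed above: SMB signing on server and client, LDAP signing and channel binding on domain controllers, and the NTLM restriction policies. The registry paths are Microsoft's documented ones; running as a local administrator on the host being checked is assumed.

```powershell
# Added audit example (not from the original page): reads the local registry
# values behind the NTLM relay mitigations and reports whether each is enforced.
# Assumes local administrator rights on the host being checked.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: reported as "not configured"
}

# Each check: registry location, the value name, and the values that enforce it.
$checks = @(
    @{ Control = 'SMB server signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'RequireSecuritySignature'; Good = @(1); DcOnly = $false },
    @{ Control = 'SMB client signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name = 'RequireSecuritySignature'; Good = @(1); DcOnly = $false },
    @{ Control = 'LDAP server signing required (DC only)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name = 'LDAPServerIntegrity'; Good = @(2); DcOnly = $true },
    @{ Control = 'LDAP channel binding always enforced (DC only)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name = 'LdapEnforceChannelBinding'; Good = @(2); DcOnly = $true },
    @{ Control = 'Outgoing NTLM traffic denied'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'RestrictSendingNTLMTraffic'; Good = @(2); DcOnly = $false },
    @{ Control = 'Incoming NTLM traffic denied'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'RestrictReceivingNTLMTraffic'; Good = @(2); DcOnly = $false }
)

# The NTDS parameters key only exists on domain controllers.
$isDc = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

foreach ($c in $checks) {
    if ($c.DcOnly -and -not $isDc) { continue }
    $v = Get-RegDword -Path $c.Path -Name $c.Name
    if ($null -eq $v) { $status = 'NOT CONFIGURED' } elseif ($c.Good -contains $v) { $status = 'ENFORCED' } else { $status = 'WEAK' }
    [pscustomobject]@{ Control = $c.Control; Value = $v; Status = $status }
}
```

Any row reporting WEAK or NOT CONFIGURED marks a service that would still accept a relayed NTLM session; EPA for ADCS web enrollment is an IIS setting and is not covered by this registry audit.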
● Examples
- 01: Coercing a domain controller with PetitPotam and relaying its NTLM authentication to ADCS to obtain a DC certificate.
- 02: Relaying a workstation's NTLMv2 to MSSQL with xp_cmdshell enabled for RCE.
● Frequently asked questions
What is NTLM Relay Attack?
An adversary-in-the-middle attack (MITRE T1557.001) in which an attacker forwards a victim's NTLM authentication to another service to impersonate them without ever knowing the password. It belongs to the Attacks & Threats category of cybersecurity.
What does NTLM Relay Attack mean?
An adversary-in-the-middle attack (MITRE T1557.001) in which an attacker forwards a victim's NTLM authentication to another service to impersonate them without ever knowing the password.
How does NTLM Relay Attack work?
An NTLM relay attack abuses the challenge-response design of NTLM authentication. The attacker tricks a victim host into authenticating to attacker-controlled infrastructure (for example via WebDAV, file-share UNC paths, or PetitPotam-style coercion), then forwards the victim's NTLM messages to a target service such as LDAP, SMB, ADCS web enrollment, or MSSQL. The target accepts the legitimate challenge response and grants the attacker access in the victim's identity. Because no cleartext password or hash is recovered, only signed and bound protocols stop it. Mitigations include enforcing SMB signing, LDAP signing and channel binding (EPA), disabling NTLM where possible, and patching coercion vectors. Impacket's ntlmrelayx is the canonical tool.
How do you defend against NTLM Relay Attack?
Defences against NTLM relay combine technical controls and operational practices: enforce SMB signing, LDAP signing and channel binding (EPA), disable NTLM where possible, and patch the coercion vectors (such as PetitPotam) that trigger the victim's authentication in the first place.
What are other names for NTLM Relay Attack?
Common alternative names include: NTLM relaying, T1557.001.
● Related terms
- SMB Relay Attack: A specific NTLM relay variant in which an attacker forwards a victim's SMB authentication to another SMB server to gain code execution or file access as the victim.
- LLMNR Poisoning: An adversary-in-the-middle technique (MITRE T1557.001) that abuses the Link-Local Multicast Name Resolution protocol on UDP/5355 to redirect victims to attacker-controlled hosts.
- NBT-NS Poisoning: An adversary-in-the-middle attack that abuses legacy NetBIOS Name Service traffic on UDP/137 to spoof name responses and harvest NTLM authentications.
- Responder Attack: An attack that uses Laurent Gaffie's Responder tool to poison LLMNR, NBT-NS, and mDNS, run rogue authentication servers, and capture or relay NTLM credentials on a local network.
- Pass-the-Hash: A credential-reuse attack that authenticates to Windows systems using a stolen NTLM password hash instead of the cleartext password.