Relay Attack
What is Relay Attack?
Relay Attack: An attack that forwards an authentication exchange in real time between two parties, so the attacker is authenticated without ever knowing the credentials.
Unlike a replay attack, a relay attack passes messages live between a victim and a target service. Classic examples include NTLM relay (an SMB-signing/LDAP-signing weakness in Windows networks where coerced authentication is forwarded to a privileged service), SIM-swap-style telecom relays, and keyless-entry relay attacks in which two radios bridge a car key fob's signal across a street to a parked vehicle. Relay attacks defeat secret-based authentication because they do not need to extract the secret; only the exchange is needed. Mitigations include channel binding, signing/sealing (SMB, LDAP, EPA), proximity checks/ultra-wide-band ranging, mutual TLS, and time-bounded challenge–response.
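As an added illustration (not part of the original entry), the following model runs a challenge–response login with and without channel binding. It shows why a relayed exchange passes when only the secret is checked and fails once the response is bound to the channel the client actually sees. The shared secret, the certificate byte strings and all function names are constructed for the example.

```python
import hashlib
import hmac
import os

SECRET = b"constructed-shared-secret"  # constructed sample credential


def channel_id(cert: bytes) -> bytes:
    """Binding value: hash of the certificate terminating a TLS channel."""
    return hashlib.sha256(cert).digest()


def proof(secret: bytes, nonce: bytes, cert: bytes, bind: bool) -> bytes:
    """HMAC over the challenge, optionally mixed with the channel identifier."""
    msg = nonce + (channel_id(cert) if bind else b"")
    return hmac.new(secret, msg, hashlib.sha256).digest()


class Server:
    def __init__(self, secret: bytes, cert: bytes, require_binding: bool):
        self.secret, self.cert, self.bind = secret, cert, require_binding

    def challenge(self) -> bytes:
        self.nonce = os.urandom(16)  # fresh per attempt, so replays fail
        return self.nonce

    def verify(self, response: bytes) -> bool:
        # The server binds to its own certificate, the only channel it trusts.
        expected = proof(self.secret, self.nonce, self.cert, self.bind)
        return hmac.compare_digest(expected, response)


def authenticate(server: Server, cert_seen_by_client: bytes) -> bool:
    """One exchange. A relay forwards both messages unchanged, but the
    client's channel then ends at the relay's certificate, not the server's."""
    nonce = server.challenge()
    # Client side: it can only bind to the certificate it actually sees.
    response = proof(SECRET, nonce, cert_seen_by_client, server.bind)
    return server.verify(response)


def run_demo() -> dict:
    srv_cert, relay_cert = b"constructed-server-cert", b"constructed-relay-cert"
    results = {}
    for bind in (False, True):
        server = Server(SECRET, srv_cert, require_binding=bind)
        results["direct", bind] = authenticate(server, srv_cert)
        results["relayed", bind] = authenticate(server, relay_cert)
    return results
```

Without binding, the direct and relayed logins are indistinguishable to the server; with binding, only the direct login verifies, because the secret holder signed a channel identifier that the server does not recognise as its own.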
● Examples
- 01: NTLM-relay tools (ntlmrelayx, PetitPotam, PrinterBug) coercing Domain Controllers into authenticating to a relay.
- 02: Car-key relay attack: one radio near the keys in the house, another near the parked car, unlocking and starting it.
● Frequently asked questions
What is Relay Attack?
An attack that forwards an authentication exchange in real time between two parties, so the attacker is authenticated without ever knowing the credentials. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against Relay Attack?
Defences for Relay Attack typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Relay Attack?
Common alternative names include: Authentication relay.