
NTLM Relay Attacks Resurface

Security teams are facing a renewed challenge as NTLM relay attacks make a significant comeback. Often dismissed as an old technique, relay exploits a design weakness of the NTLM authentication protocol, which remains in wide use in Windows environments: by default NTLM proves the user's identity to a server but does not bind that proof to the server or the connection it was meant for. An attacker who can receive a client's authentication attempt can forward it, message by message, to a different server and be accepted there as that client, without ever learning or cracking the user's password.

The core of an NTLM relay attack is a malicious actor positioned between a client and a server. NTLM is a three-message exchange: the client sends NEGOTIATE, the server answers with CHALLENGE (a random nonce), and the client returns AUTHENTICATE, which carries a response computed from the user's password hash and the server's nonce. When a client is induced to authenticate to the attacker (for example by opening what it believes is a network share or a web application), the attacker does not answer the challenge itself. Instead it opens a connection to the real target it wants to reach (a Domain Controller, file server or other critical resource), forwards the client's NEGOTIATE there, takes the target's CHALLENGE and hands it back to the client. The client, unaware it is talking to an attacker, computes the legitimate response for that nonce, and the attacker forwards the resulting AUTHENTICATE to the target. The target sees a correct response to its own challenge and accepts the attacker's connection as the client. The attacker never sees the password or its hash; it only needs to forward messages faster than the exchange times out.

Common vectors for initiating these attacks involve tricking a user or system into starting an authentication attempt toward an attacker-controlled endpoint. This can happen through malicious web links or pages that trigger HTTP authentication, through UNC paths or SMB shares pointing at the attacker's host (embedded in documents, emails or poisoned name-resolution replies), or through malicious code executed on a vulnerable system that makes a service reach out to an attacker-chosen address. Once a relayed session reaches a critical service such as a Domain Controller, the attacker can act with the victim's rights there, for instance modifying directory objects, and from that position potentially gain control over the entire network.

The resurgence is partly due to complex network environments, misconfigurations, and the continued prevalence of legacy systems and applications that rely heavily on NTLM. Because the protocol is the same regardless of the service, an authentication started over HTTP or SMB can be relayed to LDAP, SMB or HTTP on another host, and chaining NTLM relay with other attack techniques can lead to devastating outcomes, including data exfiltration and complete network compromise.

Protecting against NTLM relay attacks requires a multi-layered approach. Key mitigations include:

  • Requiring SMB Signing across the network, especially on critical servers and Domain Controllers. Signing must be required, not merely enabled, since a relayed client will happily negotiate it away. The relayed authentication itself still succeeds, but every subsequent SMB message must be signed with a session key derived from the user's password hash, which the attacker does not have, so the target rejects the attacker's traffic.
  • Enabling and enforcing Extended Protection for Authentication (EPA) on web servers and applications that accept NTLM over HTTP, including IIS applications such as AD CS web enrollment. EPA binds the NTLM response to the TLS channel the client actually connected to, so a response produced for the attacker's connection is rejected by the real server. EPA only works over HTTPS; an HTTP endpoint has no channel to bind to.
  • Disabling NTLM altogether where possible and migrating to Kerberos. While not always feasible immediately, this is the strongest long-term solution; auditing NTLM usage first shows which applications and service accounts still depend on it.
  • Implementing strict network segmentation to limit where NTLM authentication can reach, and restricting outbound NTLM traffic from workstations, for example by blocking outbound SMB to the internet and between workstations so that a victim cannot be made to authenticate to an attacker's host in the first place.
  • Ensuring LDAP Signing is required on Domain Controllers to protect against relays to LDAP, and enabling LDAP channel binding for LDAPS, which signing alone does not cover.
  • Regular security audits and configuration reviews to identify and correct weak points where NTLM relay might be possible, verifying that these settings are actually enforced rather than only audited.
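To make the relay mechanics and the first mitigation concrete, here is an added example (not code from the Help Net Security article, nor from any relay tool) that simulates the three-message NTLM exchange with an attacker forwarding each message between a victim client and a target server, and then shows what required signing changes. The NTLMv2 arithmetic (the HMAC-MD5 chain that yields NTProofStr and the session base key) follows MS-NLMP; everything else is constructed: the user, the directory, the challenges, and the NT hash, which is supplied as a constant rather than computed as MD4 of the UTF-16LE password so the script does not depend on MD4 being present in hashlib.

```python
"""Added NTLM relay simulation; constructed identities and hashes, not real ones."""
import hashlib
import hmac
import secrets


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def ntlmv2_response(nt_hash: bytes, user: str, domain: str, server_chal: bytes, blob: bytes):
    """NTLMv2 per MS-NLMP: NTOWFv2, NTProofStr (sent on the wire) and the session base key (not sent)."""
    ntowf_v2 = hmac_md5(nt_hash, (user.upper() + domain).encode("utf-16-le"))
    nt_proof = hmac_md5(ntowf_v2, server_chal + blob)
    session_key = hmac_md5(ntowf_v2, nt_proof)
    return nt_proof, session_key


class Client:
    """Victim workstation: answers whatever challenge it is handed, as a real client would."""

    def __init__(self, user: str, domain: str, nt_hash: bytes):
        self.user, self.domain, self.nt_hash = user, domain, nt_hash
        self.session_key = None

    def negotiate(self) -> dict:                      # NEGOTIATE (type 1)
        return {"user": self.user, "domain": self.domain}

    def authenticate(self, challenge_msg: dict) -> dict:  # AUTHENTICATE (type 3)
        blob = b"\x01\x01" + bytes(6) + secrets.token_bytes(16)  # simplified NTLMv2 client blob
        nt_proof, self.session_key = ntlmv2_response(
            self.nt_hash, self.user, self.domain, challenge_msg["challenge"], blob)
        return {"user": self.user, "domain": self.domain, "blob": blob, "nt_proof": nt_proof}

    def sign(self, request: bytes) -> bytes:
        return hmac_md5(self.session_key, request)


class Server:
    """Target (file server or DC) that can look up the user's NT hash in the directory."""

    def __init__(self, directory: dict, require_signing: bool):
        self.directory, self.require_signing = directory, require_signing
        self.pending, self.sessions = {}, {}

    def challenge(self, conn: str, negotiate_msg: dict) -> dict:  # CHALLENGE (type 2)
        self.pending[conn] = secrets.token_bytes(8)
        return {"challenge": self.pending[conn]}

    def authenticate(self, conn: str, auth_msg: dict) -> bool:
        chal = self.pending.pop(conn)
        nt_hash = self.directory.get((auth_msg["domain"], auth_msg["user"]))
        if nt_hash is None:
            return False
        expected, session_key = ntlmv2_response(
            nt_hash, auth_msg["user"], auth_msg["domain"], chal, auth_msg["blob"])
        if not hmac.compare_digest(expected, auth_msg["nt_proof"]):
            return False
        self.sessions[conn] = session_key   # the server derives the same key the client did
        return True

    def handle(self, conn: str, request: bytes, signature) -> str:
        key = self.sessions.get(conn)
        if key is None:
            return "unauthenticated"
        if self.require_signing and (
                signature is None or not hmac.compare_digest(hmac_md5(key, request), signature)):
            return "rejected: missing or invalid signature"
        return "executed"


def relay(victim: Client, target: Server):
    """Attacker in the middle: forwards each message unchanged and never learns the hash."""
    conn = "attacker"
    neg = victim.negotiate()                    # victim -> attacker's fake share or web server
    chal = target.challenge(conn, neg)          # attacker -> target, posing as the victim
    auth = victim.authenticate(chal)            # target's nonce forwarded to the victim
    accepted = target.authenticate(conn, auth)  # victim's answer forwarded to the target
    # The attacker owns the session but not the session key, so it cannot sign anything.
    return accepted, target.handle(conn, b"READ \\\\target\\C$\\secret.txt", signature=None)


def legitimate(victim: Client, target: Server):
    """Direct connection: the victim signs with the session key it derived itself."""
    conn = "victim"
    auth = victim.authenticate(target.challenge(conn, victim.negotiate()))
    accepted = target.authenticate(conn, auth)
    request = b"READ \\\\target\\C$\\secret.txt"
    return accepted, target.handle(conn, request, victim.sign(request))


def run_demo() -> dict:
    nt_hash = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed, not a real hash
    directory = {("CORP", "alice"): nt_hash}                       # constructed directory entry
    victim = Client("alice", "CORP", nt_hash)
    return {
        "relay_unsigned": relay(victim, Server(directory, require_signing=False)),
        "relay_signed": relay(victim, Server(directory, require_signing=True)),
        "legit_signed": legitimate(victim, Server(directory, require_signing=True)),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: authenticated={outcome[0]}, request={outcome[1]}")
```

Two things the output makes visible that the text only states: the relayed authentication is accepted in both server configurations, because the target genuinely received a correct answer to its own nonce; and with signing required, the attacker's first request is still refused, because the session key is HMAC-MD5 of the NTLMv2 hash and NTProofStr, and the attacker saw NTProofStr but never the hash. Note that real servers also negotiate signing in the NEGOTIATE flags, which is why the setting must be "required" rather than "enabled".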

Staying vigilant and implementing these defensive measures together is crucial: each mitigation closes one relay target, and an environment that requires SMB signing but leaves LDAP or an HTTP endpoint unprotected still gives the attacker somewhere to relay to.

Source: https://www.helpnetsecurity.com/2025/07/04/ntlm-relay-attacks/
