NTLM Relay: Still the Easiest Path to Domain Compromise
Cybersecurity
NTLM relay attacks bypass the password entirely by forwarding authentication to a target that accepts it. The fix is unglamorous but specific: SMB signing, LDAP channel binding, and a deliberate plan to retire NTLM.
By Arjun Raghavan, Security & Systems Lead, BIPI · November 9, 2024 · 9 min read
NTLM relay is the attack that refuses to die because the protocol was never designed to bind an authentication to the server the client meant to reach. If a client authenticates to attacker.local using NTLM, the attacker can forward the NEGOTIATE, CHALLENGE and AUTHENTICATE messages to dc01.corp.local in real time and end up holding a session as that client. Nothing in NTLM itself stops this. The defenses are all bolt-ons negotiated around the protocol: SMB signing, LDAP signing and channel binding, Extended Protection for Authentication. Any one of them missing on a given service and the path to that service is open.
How attackers trigger the auth
The first half of any relay attack is coercion: getting a victim machine to authenticate to attacker-controlled infrastructure. The second half is forwarding that auth somewhere useful.
- Responder -I eth0 -wd poisons LLMNR, NBT-NS, and mDNS and, with -w, serves a rogue WPAD proxy. Every user who mistypes a UNC path or browses a share that does not exist hands the poisoner an NTLM authentication.
- Coercion via PetitPotam (MS-EFSRPC), PrinterBug (MS-RPRN), or DFSCoerce (MS-DFSNM) forces a domain controller to authenticate to an attacker host. PetitPotam worked without credentials until Microsoft patched the unauthenticated path in 2021; PrinterBug and DFSCoerce need a domain account, but any low-privileged one will do, which is rarely an obstacle.
- ntlmrelayx.py -t ldaps://dc01 -smb2support --escalate-user pentester relays the captured auth to LDAP and, if the relayed account has the rights, grants the chosen account DCSync privileges on the domain object. One caveat: an authentication that originated from an SMB client carries the NTLM signing flag, so the DC will demand a signed LDAP session the relay cannot produce. The LDAP path therefore needs HTTP-sourced auth (WPAD or WebDAV coercion), which sets no such flag.
- If LDAP signing is enforced but channel binding is not, relay still works against LDAPS: signing covers plain LDAP on 389, while channel binding ties the NTLM exchange to the TLS session on 636. The two settings are separate and both must be enforced.
On a recent assessment we went from no credentials to Domain Admin in 14 minutes: PetitPotam to coerce DC01, relay to ADCS web enrollment (ESC8), get a certificate as DC01$, use it to DCSync. None of the steps needed a password.
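To make the binding argument concrete, here is an added example, written for this post and not code from the article, Responder or ntlmrelayx, that models what a relay target can actually check in a forwarded NTLMv2 AUTHENTICATE: the NEGOTIATE_SIGN flag, and the MsvAvChannelBindings and MsvAvTargetName AV pairs that channel binding and EPA put under the MIC. Message layouts follow MS-NLMP; the certificate bytes, the SPN HTTP/ca01.corp.local, the target policies and the acceptance rules in relay_accepted are this example's simplifying assumptions, not a full NTLM implementation (NTProofStr is left zeroed).

```python
import hashlib
import struct

NTLMSSP_NEGOTIATE_SIGN = 0x00000010   # set by SMB clients, absent from HTTP (WPAD/WebDAV) clients
BASE_FLAGS = 0x00008201               # UNICODE | NTLM | ALWAYS_SIGN, common to both

# AV_PAIR ids from MS-NLMP 2.2.2.1
AV_EOL, AV_NB_COMPUTER_NAME, AV_NB_DOMAIN_NAME = 0, 1, 2
AV_TIMESTAMP, AV_TARGET_NAME, AV_CHANNEL_BINDINGS = 7, 9, 10

# Placeholders standing in for a DER certificate and an SPN (assumed names, not real objects)
DC_CERT = b"constructed DER for dc01.corp.local"
CA_SPN = "HTTP/ca01.corp.local"


def channel_binding_value(server_cert_der: bytes) -> bytes:
    """MsvAvChannelBindings as an EPA/LDAPS client computes it: MD5 over a
    gss_channel_bindings_struct (four empty address fields, then the application
    data) whose application data is 'tls-server-end-point:' + SHA-256(cert)."""
    app_data = b"tls-server-end-point:" + hashlib.sha256(server_cert_der).digest()
    return hashlib.md5(struct.pack("<IIIII", 0, 0, 0, 0, len(app_data)) + app_data).digest()


def build_av_pairs(pairs) -> bytes:
    body = b"".join(struct.pack("<HH", av_id, len(val)) + val for av_id, val in pairs)
    return body + struct.pack("<HH", AV_EOL, 0)


def parse_av_pairs(blob: bytes) -> dict:
    pairs, off = {}, 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == AV_EOL:
            return pairs
        pairs[av_id] = blob[off:off + av_len]
        off += av_len


def build_ntlmv2_response(av_pairs: bytes, client_nonce: bytes, timestamp: int) -> bytes:
    """NTProofStr (16 bytes, zeroed here) || NTLMv2_CLIENT_CHALLENGE. The real
    NTProofStr is an HMAC-MD5 keyed with the user's hash over this challenge,
    which is why a relay can forward the AV pairs but not rewrite them."""
    header = struct.pack("<BBHIQ", 1, 1, 0, 0, timestamp)  # RespType, HiRespType, reserved, time
    return b"\x00" * 16 + header + client_nonce + struct.pack("<I", 0) + av_pairs


def parse_ntlmv2_response(resp: bytes) -> dict:
    return parse_av_pairs(resp[44:])   # 16 proof + 16 header + 8 nonce + 4 reserved


def relay_accepted(flags: int, av: dict, target: dict) -> bool:
    """Would TARGET accept this forwarded AUTHENTICATE? Model assumption: the relay
    can forward bytes but cannot sign traffic or alter the MIC-protected AV pairs."""
    proto = target["proto"]
    if proto == "smb":                       # only the server's own policy matters
        return not target["require_signing"]
    if proto == "ldap":                      # DC honours NEGOTIATE_SIGN if the client set it
        return not target["require_signing"] and not (flags & NTLMSSP_NEGOTIATE_SIGN)
    if proto == "ldaps":                     # TLS covers signing; only the binding can stop it
        return (not target["require_channel_binding"]
                or av.get(AV_CHANNEL_BINDINGS) == channel_binding_value(target["cert"]))
    if proto == "http":                      # EPA: SPN in MsvAvTargetName must be the target's
        return not target["epa"] or av.get(AV_TARGET_NAME) == target["spn"].encode("utf-16-le")
    raise ValueError(proto)


TARGETS = {
    "smb/signing off":   {"proto": "smb", "require_signing": False},
    "smb/signing on":    {"proto": "smb", "require_signing": True},
    "ldap/signing off":  {"proto": "ldap", "require_signing": False},
    "ldap/signing on":   {"proto": "ldap", "require_signing": True},
    "ldaps/cb off":      {"proto": "ldaps", "require_channel_binding": False, "cert": DC_CERT},
    "ldaps/cb on":       {"proto": "ldaps", "require_channel_binding": True, "cert": DC_CERT},
    "adcs web/epa off":  {"proto": "http", "epa": False, "spn": CA_SPN},
    "adcs web/epa on":   {"proto": "http", "epa": True, "spn": CA_SPN},
}


def client_av(extra=()) -> dict:
    """AV pairs the client echoes from DC01's CHALLENGE (forwarded unchanged by the relay)
    plus whatever binding the client itself added, after a build/parse round trip."""
    ts = 133_700_000_000_000_000
    pairs = [(AV_NB_DOMAIN_NAME, "CORP".encode("utf-16-le")),
             (AV_NB_COMPUTER_NAME, "DC01".encode("utf-16-le")),
             (AV_TIMESTAMP, struct.pack("<Q", ts))] + list(extra)
    return parse_ntlmv2_response(build_ntlmv2_response(build_av_pairs(pairs), b"\x11" * 8, ts))


CLIENTS = {
    "smb-coerced":  (BASE_FLAGS | NTLMSSP_NEGOTIATE_SIGN, client_av()),   # PetitPotam/PrinterBug victim
    "http-coerced": (BASE_FLAGS, client_av()),                            # WPAD or WebDAV victim
    "direct-ldaps": (BASE_FLAGS, client_av([(AV_CHANNEL_BINDINGS, channel_binding_value(DC_CERT))])),
    "direct-https": (BASE_FLAGS, client_av([(AV_TARGET_NAME, CA_SPN.encode("utf-16-le"))])),
}


def matrix() -> dict:
    return {(c, t): relay_accepted(flags, av, tgt)
            for c, (flags, av) in CLIENTS.items() for t, tgt in TARGETS.items()}


if __name__ == "__main__":
    for (client, target), ok in matrix().items():
        print(f"{client:13} -> {target:17} {'accepted' if ok else 'rejected'}")
```

The printed matrix shows the two facts the list above states: SMB-sourced auth is rejected by LDAP even with signing off, because the client's own flag commits the session to signing the relay cannot do, and only a client that bound its AUTHENTICATE to the real endpoint passes a channel-binding or EPA check, which a coerced victim never did.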
Detection signals
Relay activity leaves a specific authentication shape: a logon on the target server where the source IP is not the workstation that owns the account. The signal is in the 4624 IpAddress and Workstation Name fields: the Workstation Name is copied from the client's NTLM message and still names the victim's machine, while IpAddress is the relay host.
- Hunt 4624 LogonType=3 where AuthenticationPackage=NTLM and the IpAddress does not match the user's normal workstation. Combine with asset inventory for high-fidelity alerts.
- Watch for 4624 events on domain controllers using NTLM. Normal admin activity to DCs should be Kerberos. Every NTLM logon to a DC should be explainable (a connection by IP address, a non-domain-joined host, a legacy application); anything you cannot explain is a misconfiguration or a relay.
- Network sensors that flag SMB sessions where signing was not negotiated, especially between two workstations, show the unsigned traffic a relay depends on.
- A 5136 directory service change shortly after an NTLM 4624 to the same DC by the same account is the relay-to-LDAP signature for privilege escalation. This needs directory service change auditing and a SACL on the domain object, or the 5136 is never written.
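The three hunts above, as an added example run over constructed Security-log records (written for this post, not the article's own detection content, and not real logs). Field names follow the EventData names in the Security log XML (IpAddress, WorkstationName, AuthenticationPackageName, SubjectUserName, ObjectDN); the asset inventory mapping accounts to their usual workstation IPs, the five-minute window and the host names are assumptions.

```python
from datetime import datetime, timedelta

# Assumed inventory: the IP each account normally authenticates from
ASSETS = {"CORP\\alice": "10.1.20.15", "CORP\\bob-adm": "10.1.20.16"}
DOMAIN_CONTROLLERS = {"DC01", "DC02"}


def ev(event_id, computer, when, **fields):
    return {"EventID": event_id, "Computer": computer,
            "TimeCreated": datetime.fromisoformat(when), **fields}


EVENTS = [  # constructed sample records in time order, not real logs
    # alice from her own workstation to a file server: normal
    ev(4624, "FS01", "2024-11-09T09:00:01", LogonType=3, AuthenticationPackageName="NTLM",
       TargetDomainName="CORP", TargetUserName="alice", WorkstationName="WS-ALICE", IpAddress="10.1.20.15"),
    # the same auth relayed to FS02: WorkstationName is copied from the NTLM message and
    # still says WS-ALICE, but the TCP source is the relay host
    ev(4624, "FS02", "2024-11-09T09:01:40", LogonType=3, AuthenticationPackageName="NTLM",
       TargetDomainName="CORP", TargetUserName="alice", WorkstationName="WS-ALICE", IpAddress="10.1.20.99"),
    # admin to DC01 over Kerberos: what DC traffic should look like
    ev(4624, "DC01", "2024-11-09T09:02:05", LogonType=3, AuthenticationPackageName="Kerberos",
       TargetDomainName="CORP", TargetUserName="bob-adm", WorkstationName="WS-BOB", IpAddress="10.1.20.16"),
    # bob-adm relayed to LDAP on DC01 from the relay host ...
    ev(4624, "DC01", "2024-11-09T09:03:10", LogonType=3, AuthenticationPackageName="NTLM",
       TargetDomainName="CORP", TargetUserName="bob-adm", WorkstationName="WS-BOB", IpAddress="10.1.20.99"),
    # ... followed by a write to the domain object's security descriptor (--escalate-user shape)
    ev(5136, "DC01", "2024-11-09T09:03:12", SubjectDomainName="CORP", SubjectUserName="bob-adm",
       ObjectDN="DC=corp,DC=local", AttributeLDAPDisplayName="nTSecurityDescriptor"),
]


def account(e) -> str:
    """DOMAIN\\user for both 4624 (Target*) and 5136 (Subject*) records."""
    if e["EventID"] == 5136:
        return f"{e['SubjectDomainName']}\\{e['SubjectUserName']}"
    return f"{e['TargetDomainName']}\\{e['TargetUserName']}"


def ntlm_network_logons(events):
    return [e for e in events if e["EventID"] == 4624 and e["LogonType"] == 3
            and e["AuthenticationPackageName"] == "NTLM"]


def hunt_source_mismatch(events, assets=ASSETS):
    """Hunt 1: NTLM network logons whose source IP is not the account's usual workstation."""
    return [e for e in ntlm_network_logons(events)
            if account(e) in assets and assets[account(e)] != e["IpAddress"]]


def hunt_ntlm_to_dc(events, dcs=DOMAIN_CONTROLLERS):
    """Hunt 2: any NTLM network logon recorded on a domain controller."""
    return [e for e in ntlm_network_logons(events) if e["Computer"] in dcs]


def hunt_ldap_write_after_ntlm(events, dcs=DOMAIN_CONTROLLERS, window=timedelta(minutes=5)):
    """Hunt 3: a 5136 on a DC by an account that logged on to that DC with NTLM within `window`."""
    hits = []
    for change in (e for e in events if e["EventID"] == 5136 and e["Computer"] in dcs):
        for logon in hunt_ntlm_to_dc(events, dcs):
            gap = change["TimeCreated"] - logon["TimeCreated"]
            if (logon["Computer"] == change["Computer"] and account(logon) == account(change)
                    and timedelta(0) <= gap <= window):
                hits.append((logon, change))
    return hits


def triage(events=EVENTS) -> dict:
    return {
        "source_mismatch": [(e["Computer"], account(e), e["IpAddress"]) for e in hunt_source_mismatch(events)],
        "ntlm_to_dc": [(e["Computer"], account(e), e["IpAddress"]) for e in hunt_ntlm_to_dc(events)],
        "ldap_write_after_ntlm": [(account(c), c["ObjectDN"], c["AttributeLDAPDisplayName"])
                                  for _, c in hunt_ldap_write_after_ntlm(events)],
    }


if __name__ == "__main__":
    for hunt, hits in triage().items():
        print(hunt, hits)
```

Both relayed logons keep the victim's WorkstationName, so the inventory lookup on IpAddress is what separates them from the legitimate FS01 logon; in production the ASSETS map comes from interactive 4624s on the workstations or from the endpoint agent, not from a hand-written dict.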
Hardening
Each of these settings closes one relay vector. None alone is sufficient; all of them together kill the attack class.
- Enforce SMB signing required on all clients and servers via GPO: Microsoft network client/server: Digitally sign communications (always) = Enabled. Windows 11 24H2 and Server 2025 require signing by default for the connections they initiate; earlier builds do not, so verify rather than assume.
- Enforce LDAP signing on domain controllers: Domain controller: LDAP server signing requirements = Require signing. Then enforce LDAP channel binding: Domain controller: LDAP server channel binding token requirements = Always, which is the LdapEnforceChannelBinding registry value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters set to 2. Watch the Directory Service log for 2889 (unsigned binds) and 3039 (failed channel binding) first to find the clients that would break.
- Enable Extended Protection for Authentication (EPA) on every IIS-based service that uses Windows authentication, especially ADCS web enrollment, Exchange, and ADFS. EPA binds the authentication to the TLS session, so the site must also require HTTPS: an enrollment endpoint still reachable over plain HTTP is still relayable.
- Disable WPAD, LLMNR, and NBT-NS via GPO. These are pure attack surface in 2024. Windows 11 also answers mDNS, which Responder poisons the same way; it can be turned off with the EnableMDNS value set to 0 under HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters.
- Block outbound SMB (445) at the host firewall from workstations and member servers to everything except the file servers and domain controllers they legitimately use, and to the internet entirely. A Responder or relay listener sits on another host inside the corporate range, so a rule that only blocks traffic to outside addresses does nothing against it. Coercion over WebDAV leaves on 80/443 and is not caught by this rule; disabling the WebClient service where it is not needed closes that path.
- Set the NTLM auditing GPOs (Network security: Restrict NTLM: Audit NTLM authentication in this domain, plus the incoming and outgoing audit settings) to audit all accounts and feed the resulting 8001-8004 events from the Microsoft-Windows-NTLM/Operational log into your SIEM. Use the data to scope an NTLM deprecation project, then move the same Restrict NTLM policies to Deny for users and servers.
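To turn the 8001-8004 audit stream into a retirement plan, here is an added example (written for this post, not from the article) over constructed NTLM audit records. 8001 is written on the client for outgoing NTLM and names the target server and the process; 8004 is written on the DC for NTLM that a Deny policy would block and names the server that forwarded it. The field names are simplified from the rendered event messages and are this example's assumptions, as are the hosts and processes.

```python
import ipaddress
from collections import defaultdict


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def target_host(target_server: str) -> str:
    """'cifs/fs01.corp.local' -> 'fs01.corp.local'; a bare name or IP passes through."""
    return target_server.split("/", 1)[-1].lower()


AUDIT_EVENTS = [  # constructed records modelled on the Microsoft-Windows-NTLM/Operational log
    {"EventID": 8001, "Computer": "WS-ALICE", "TargetServer": "cifs/fs01.corp.local",
     "ProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 8001, "Computer": "WS-ALICE", "TargetServer": "cifs/10.1.30.7",
     "ProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 8001, "Computer": "APP01", "TargetServer": "SQL01",
     "ProcessName": r"C:\apps\legacy\report.exe"},
    {"EventID": 8004, "Computer": "DC01", "SecureChannelName": "FS01",
     "DomainName": "CORP", "UserName": "alice", "WorkstationName": "WS-ALICE"},
    {"EventID": 8004, "Computer": "DC01", "SecureChannelName": "NAS01",
     "DomainName": "CORP", "UserName": "svc-backup", "WorkstationName": "NAS01"},
]


def scope(events=AUDIT_EVENTS) -> dict:
    """Group NTLM use by where it goes, so each item can be fixed before the Deny switch."""
    outgoing = defaultdict(lambda: {"clients": set(), "processes": set()})   # per target host
    incoming = defaultdict(set)                                              # per server: accounts
    for e in events:
        if e["EventID"] == 8001:
            t = outgoing[target_host(e["TargetServer"])]
            t["clients"].add(e["Computer"])
            t["processes"].add(e["ProcessName"])
        elif e["EventID"] == 8004:
            incoming[e["SecureChannelName"].upper()].add(f'{e["DomainName"]}\\{e["UserName"]}')
    return {
        # Kerberos needs a name to build an SPN: IP-addressed targets must be fixed on the caller side
        "ip_addressed_targets": sorted(h for h in outgoing if is_ip_literal(h)),
        # hostname targets: check an SPN is registered; if it is, the NTLM fallback is a client bug
        "hostname_targets": {h: sorted(v["processes"]) for h, v in outgoing.items() if not is_ip_literal(h)},
        # servers still forwarding NTLM to the DC, with the accounts that would break under Deny
        "servers_receiving_ntlm": {s: sorted(a) for s, a in incoming.items()},
    }


if __name__ == "__main__":
    for key, value in scope().items():
        print(key, value)
```

The split matters because the two groups have different owners: an IP-addressed target can never get a Kerberos ticket, so the connection string or mapped drive has to change, while a hostname target that still falls back to NTLM either lacks an SPN or has a client that never asked for Kerberos.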
The reason this attack is still everywhere is that the controls are fragmented across GPOs, registry keys, and per-application settings. A complete relay-resistant configuration takes a deliberate project, not a single checkbox. But every step you ship removes a relay path that has worked since 2001.