Source: Help Net Security
Author: Help Net Security
URL: https://www.helpnetsecurity.com/2025/07/04/ntlm-relay-attacks/
ONE SENTENCE SUMMARY: NTLM relay attacks remain prevalent, simple to execute, and effective at compromising Active Directory environments, requiring proactive mitigation strategies.
MAIN POINTS:
- NTLM relay attacks exploit authentication exchanges without needing password cracking or weak passwords.
- Relay attacks often combine with authentication coercion techniques like Printer Bug or PetitPotam.
- SMB servers, LDAP/LDAPS services, and ADCS web enrollment are primary NTLM relay targets.
- SMB relay attacks can grant attackers access to sensitive shares and enable lateral movement.
- LDAP relay attacks exploit unenforced LDAP signing and channel binding on domain controllers.
- ADCS web enrollment relay attacks enable attackers to impersonate victims using malicious certificates.
- Microsoft is introducing mitigations such as enforced SMB signing and LDAP sealing by default starting with Windows Server 2025.
- NTLM is still widely used due to legacy software hard-coded to use it instead of Kerberos.
- Default configurations often leave older Windows environments highly vulnerable to relay attacks.
- Enforcing signing, channel binding, and regularly evaluating environments are critical for defense.
TAKEAWAYS:
- NTLM relay attacks remain a significant threat, commonly used in real-world attacks.
- Authentication coercion makes relay attacks viable at any time, without relying on victim-initiated authentication.
- Default configurations leave many organizations vulnerable; proactive changes are necessary.
- Upcoming Windows Server 2025 security defaults will help, but organizations shouldn’t wait to implement mitigations.
- Regular security evaluations, SMB/LDAP signing enforcement, and channel binding are essential defensive practices.
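As an added defender-side illustration of the signing and channel-binding mitigations listed above (this script is not from the Help Net Security article; it assumes the standard Windows registry locations for these policy settings and treats the "required/always" values as the hardened target), a PowerShell audit that reports which of these controls a host still leaves at a relay-friendly setting:

```powershell
# Added audit script (not from the article): reads the registry values that back
# SMB signing, LDAP signing and LDAP channel binding and flags any that are not
# at the enforced setting. Run elevated. The NTDS keys exist only on domain
# controllers, so those two rows read "not set" on member servers.
$checks = @(
    @{ Name  = 'SMB server signing required'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Want = 1 },
    @{ Name  = 'SMB client signing required'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'; Want = 1 },
    @{ Name  = 'LDAP server signing required (LDAPServerIntegrity = 2)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value = 'LDAPServerIntegrity'; Want = 2 },
    @{ Name  = 'LDAP channel binding always enforced (LdapEnforceChannelBinding = 2)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value = 'LdapEnforceChannelBinding'; Want = 2 }
)

function Get-RelayMitigationStatus {
    foreach ($c in $checks) {
        # A missing value means the OS default applies, which for these settings
        # is "negotiate" rather than "require" and therefore still relayable.
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Value) } else { $null }
        [pscustomobject]@{
            Check    = $c.Name
            Actual   = if ($null -eq $actual) { 'not set (default)' } else { $actual }
            Expected = $c.Want
            Status   = if ($actual -eq $c.Want) { 'OK' } else { 'EXPOSED' }
        }
    }
}

Get-RelayMitigationStatus | Format-Table -AutoSize
```

Group Policy writes these same registry values, so a host governed by a hardened GPO shows OK here once the policy has applied; ADCS web enrollment protection (Extended Protection for Authentication on the IIS site) is configured separately and is not covered by this check.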