Security Boulevard

The Renaissance of NTLM Relay Attacks: Everything You Need to Know

NTLM relay attacks remain a significant threat: they let an attacker compromise domain-joined hosts and move laterally without ever learning a password. Despite its age, NTLM relay is often underestimated and misunderstood.

NTLM is a legacy authentication protocol that Microsoft introduced in 1993 with Windows NT. Kerberos has been the preferred protocol since Windows 2000, but NTLM is still widely used as a fallback. The exchange has three messages: the client sends NEGOTIATE, the server answers with CHALLENGE (an 8-byte server nonce), and the client returns AUTHENTICATE, which carries a response computed from the user's secret and that nonce. Because the response depends on a fresh challenge, an attacker cannot replay a captured AUTHENTICATE message later. The response is not, however, bound to the server the client meant to talk to, which is exactly what a relay exploits.

Two versions of the response-generation algorithm exist. NTLMv1 is outdated: it derives the response with DES from the NT hash and the challenge, which lets an attacker who captures an exchange recover the NT hash itself. NTLMv2 computes an HMAC-MD5 over the server challenge and a client-supplied blob, and is what current systems use. Which versions a host sends and accepts is governed by the LmCompatibilityLevel registry value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa: levels 0 to 2 still send LM or NTLMv1 responses, 3 and above send only NTLMv2, and 5 also refuses LM and NTLMv1 at the server. Lowering that level to accommodate old software can have dire consequences.

Password cracking is one consequence of a captured exchange: an NTLMv2 response can be attacked offline by guessing passwords, while a cracked NTLMv1 response yields the NT hash directly, which is all an attacker needs for Pass the Hash. Relay is the more direct route: rather than cracking anything, the attacker forwards the victim's live authentication to a target and is authenticated there as the victim, which makes it one of the easiest ways to compromise domain-joined hosts.
Hacker & Security News on Bluesky @hacker.at.thenote.app