MITRE ATT&CK ID: T1557.001

1- Understanding NTLM Authentication

• Challenge–Response Mechanism:

  1. Client sends a negotiate message to server.
  2. Server replies with a challenge (random nonce).
  3. Client responds with an NTLM response: HMAC‑MD5 of the nonce using the user’s NTLM hash as key.
  4. Server verifies by comparing against its own HMAC calculation.

• Why It’s Relayed:

  The NTLM response blob can be forwarded intact no need to know the underlying password or hash.

• Common NTLM Usage:

  • SMB file shares
  • HTTP(S) authentication (e.g. IIS)
  • RPC/LDAP binds

2- Steps of an NTLM Relay Attack

a. Interception

• Objective: Capture the NTLM handshake from a legitimate client.
• Method: Host a rogue service (SMB, HTTP, LDAP) or poison name‑resolution (LLMNR/WPAD) so clients authenticate to you.

b. Relaying

• Objective: Forward the captured NTLM handshake to a target service that accepts NTLM.

• Command Example (Impacket):

  ntlmrelayx.py --smb2support -t smb://dc01.corp.local
  

• Notes:

  • -smb2support ensures compatibility with newer SMB versions.
  • The target can be SMB, LDAP, HTTP, etc.—any service trusting NTLM.

c. Access

• Outcome: If the target accepts the relayed credentials, you obtain an authenticated session as that user.
• Post‑Exploitation: Dump hashes, modify AD objects, dump the SAM, or pivot further.

3- Key Tools for NTLM Relay