NTLM relay attacks

NTLM Relay Attacks: Legacy Authentication Risks

Introduction

Modern enterprise networks rely on layered security controls, identity management systems, and endpoint protection tools. However, many organisations still support legacy authentication protocols behind the scenes. One of the most abused among them is NTLM.

NTLM relay attacks exploit this legacy authentication mechanism to gain unauthorised access inside corporate networks. Although NTLM has existed for decades, it remains enabled in many environments for compatibility reasons. As a result, attackers continue to leverage it for lateral movement and privilege escalation.

Understanding how NTLM relay attacks work helps organisations reduce internal exposure before attackers convert authentication trust into compromise.


What Is NTLM?

NTLM (NT LAN Manager) is a Microsoft authentication protocol used to verify user identity within Windows environments.

Instead of sending a password, NTLM uses a challenge-response mechanism:

  1. The server sends an 8-byte random challenge.
  2. The client computes a keyed response over that challenge. The key is not the password but the NT hash (MD4 of the UTF-16LE password); NTLMv2 uses HMAC-MD5 over the challenge plus a client-supplied blob (timestamp, client nonce, target information).
  3. The server, or the domain controller on its behalf, recomputes the response from the stored NT hash and compares.

Because of this design, the password itself never travels across the network. Two consequences matter for attackers: the NT hash is password-equivalent (whoever holds it can answer any challenge), and, more importantly here, a valid response can be misused while the exchange is still in progress.

NTLM was designed for the pre-Active Directory era. Kerberos has been the default in Active Directory domains since Windows 2000, but Kerberos needs the client to name the service by a registered SPN; access by IP address, workgroup machines and many older applications fall back to NTLM, so it remains active in most modern networks.

What Is an NTLM Relay Attack?

An NTLM relay attack occurs when an attacker sits between a client and a service, intercepts an NTLM authentication exchange and forwards (or “relays”) it, while it is in progress, to a different service to authenticate as the victim.

Importantly, this is not password cracking, and it is not a replay of an old capture either:

  • The attacker answers a legitimate authentication attempt from the victim as if it were the intended server.
  • The attacker opens its own connection to the target, takes the target's challenge, passes it to the victim, and then forwards the victim's response to the target.
  • The target system accepts the response because it is correct for the challenge the target itself issued.

Because the response is genuine, the attacker gains a session as the victim without ever knowing the password or the hash. Relaying back to the host the authentication came from has been blocked since 2008 (MS08-068), so the target is always a second service.

How NTLM Relay Attacks Work

Although the process sounds technical, the logic is straightforward.

Step 1: The attacker positions inside the network

The attacker gains a foothold on the internal network, often through phishing, malware, or compromised credentials, and runs a relay listener on that host.

Step 2: Authentication is triggered

A user or system attempts to authenticate to a service using NTLM. Attackers rarely wait for this to happen on its own: poisoning LLMNR, NBT-NS or mDNS name resolution, or planting a file share path that a client resolves to the attacker's host, makes a victim connect to the attacker and offer NTLM authentication.

Step 3: The attacker intercepts the authentication

Instead of letting the request reach its original destination, the attacker acts as the server. It opens its own connection to the real target, obtains that target's challenge, and presents it to the victim.

Step 4: The attacker relays the response

The victim computes the response for the target's challenge; the attacker forwards it unchanged to the target, a service that accepts NTLM and does not require signing or channel binding.

Step 5: Access is granted

The target accepts the relayed response and grants the attacker's connection a session under the victim's identity. The attacker learns neither the password nor the hash; what it gets is that one session, which must be used immediately.

Because NTLM on its own does not bind the response to the server the client intended to reach, the relay succeeds. SMB signing, LDAP signing and channel binding exist precisely to add that binding.
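The challenge-response mechanism described under “What Is NTLM?” and the five relay steps above, worked through as an added Python example (constructed for this article; it is not code from the original page or from any relay tool). It implements the NT hash and the NTLMv2 response the way MS-NLMP specifies them, then runs the victim, the attacker's relay and the target as three in-process roles. The account name, password and connection labels are made up, and the NTLMv2 blob is reduced to a random nonce.

```python
import hmac
import os
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL-based hashlib builds often no longer ship it."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = h
        for k, s in zip(range(16), [3, 7, 11, 19] * 4):
            A, B, C, D = D, rotl((A + F(B, C, D) + X[k]) & mask, s), B, C
        for k, s in zip(r2, [3, 5, 9, 13] * 4):
            A, B, C, D = D, rotl((A + G(B, C, D) + X[k] + 0x5A827999) & mask, s), B, C
        for k, s in zip(r3, [3, 9, 11, 15] * 4):
            A, B, C, D = D, rotl((A + H(B, C, D) + X[k] + 0x6ED9EBA1) & mask, s), B, C
        h = [(x + y) & mask for x, y in zip(h, (A, B, C, D))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE password): what a DC stores and what NTLM keys from."""
    return md4(password.encode("utf-16le"))


def ntlmv2_key(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) || domain), both UTF-16LE."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), "md5").digest()


def ntlmv2_response(key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(key, ServerChallenge || blob); the wire response is proof || blob."""
    return hmac.new(key, server_challenge + blob, "md5").digest() + blob


class Victim:
    """Workstation user; it holds the NTLMv2 key, the password never leaves the host."""

    def __init__(self, user, domain, password):
        self.user, self.domain = user, domain
        self.key = ntlmv2_key(nt_hash(password), user, domain)

    def answer(self, server_challenge):
        blob = os.urandom(8)  # stands in for the NTLMv2 blob (timestamp, client nonce, target info)
        return self.user, self.domain, ntlmv2_response(self.key, server_challenge, blob)


class TargetServer:
    """Service that accepts NTLM; it holds NT hashes (as a DC does) and issues one challenge per connection."""

    def __init__(self, accounts):
        self.accounts = accounts  # {(user, domain): nt_hash}
        self.pending = {}

    def challenge(self, conn):
        self.pending[conn] = os.urandom(8)
        return self.pending[conn]

    def authenticate(self, conn, user, domain, response):
        proof, blob = response[:16], response[16:]
        key = ntlmv2_key(self.accounts[(user, domain)], user, domain)
        expected = hmac.new(key, self.pending.pop(conn) + blob, "md5").digest()
        return hmac.compare_digest(proof, expected)


def relay(conn, victim, target):
    """The attacker's listener: the victim believes it is a server; the attacker passes the
    target's challenge one way and the victim's response the other, unchanged."""
    server_challenge = target.challenge(conn)             # attacker opens its own connection to the target
    user, domain, resp = victim.answer(server_challenge)  # victim answers the target's challenge
    return target.authenticate(conn, user, domain, resp)  # target checks it against the victim's NT hash


def demo():
    """Returns (live relay accepted, stale response replayed later accepted)."""
    victim = Victim("alice", "CORP", "Summer2026!")  # constructed account
    target = TargetServer({("alice", "CORP"): nt_hash("Summer2026!")})
    relayed = relay("attacker->fileserver", victim, target)
    # A response captured earlier is useless later: every connection gets a fresh challenge.
    _, _, old_resp = victim.answer(target.challenge("attacker->fileserver#2"))
    target.challenge("attacker->fileserver#3")
    replayed = target.authenticate("attacker->fileserver#3", "alice", "CORP", old_resp)
    return relayed, replayed
```

demo() returns (True, False): the relayed session is accepted as alice, while the same response presented against a later challenge is refused. That is the whole point of the attack: the attacker never cracks or learns anything, it only has to be in the middle at the right moment.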

Why NTLM Relay Attacks Still Work in 2026

Many organisations assume legacy risks disappear over time. However, NTLM remains widely enabled for several reasons.

Legacy Application Support

Older systems require NTLM for compatibility.

Misconfigured Environments

Administrators often enable NTLM as a fallback without strict controls.

Mixed Authentication Modes

Networks frequently run Kerberos and NTLM simultaneously.

Internal Network Trust

Security teams sometimes assume internal traffic is safe. Consequently, NTLM traffic flows without strict validation.

Because of these realities, NTLM relay attacks continue to succeed in modern environments.

NTLM Relay vs Kerberoasting: What’s the Difference?

Although both target Active Directory environments, they operate differently.

  • NTLM relay attacks forward a live authentication exchange, in real time, to a second service.
  • Kerberoasting requests Kerberos service tickets for accounts that have a Service Principal Name; part of each ticket is encrypted with a key derived from the service account's password, so it can be cracked offline.

NTLM relay requires no password cracking and yields a session, not a credential. Kerberoasting yields no session until a weak service account password has been cracked.

Understanding this distinction helps security teams prioritise mitigations correctly.

Real-World Enterprise Scenario

Consider a corporate environment where NTLM remains enabled for file-sharing services.

An attacker compromises a workstation through phishing. From that foothold, the attacker poisons name resolution on the subnet so that a colleague's machine, looking up a mistyped or stale share name, connects to the compromised device and offers NTLM authentication.

The attacker relays that authentication to a second server, for example a file server that does not require SMB signing, or an LDAP endpoint on a domain controller that requires neither signing nor channel binding.

Because the response is valid for the challenge that server issued, the server grants access. The attacker now acts under the victim's identity on that server, reading shares or, against LDAP, modifying directory objects the victim may write to, and potentially escalating privileges.

No passwords were cracked. No brute-force attempts occurred. Yet access was obtained.

Why NTLM Relay Attacks Are Dangerous

The impact extends beyond a single system.

Lateral Movement

Attackers move from one system to another using relayed credentials.

Privilege Escalation

If privileged accounts authenticate via NTLM, attackers may gain administrative access.

Ransomware Staging

Relayed authentication often serves as a stepping stone before large-scale deployment.

Persistence Establishment

Once inside high-privilege systems, attackers establish backdoors.

Because of these factors, NTLM relay attacks frequently appear in advanced intrusion campaigns.

Why Detection Is Challenging

NTLM relay attacks do not generate obvious anomalies.

Legitimate Authentication Traffic

The authentication appears valid.

No Password Failures

Tools that alert on failed logons see nothing: the relayed logon succeeds on the first attempt.

Internal Traffic Patterns

Network monitoring may not flag relayed authentication inside trusted zones.

Subtle Privilege Changes

Access escalation may appear as normal administrative activity.

Therefore, detection requires focused identity monitoring rather than perimeter-only defence.

Impact on Businesses

For organisations, NTLM relay attacks create operational and financial risk.

  • Compromise of sensitive data
  • Domain controller exposure
  • Regulatory non-compliance
  • Incident response costs
  • Business disruption

Ultimately, the risk lies in silent privilege abuse rather than loud exploitation.

How to Prevent NTLM Relay Attacks

Mitigation focuses on reducing reliance on NTLM and enforcing stronger controls.

Disable NTLM Where Possible

Modern systems should use Kerberos. As a first step, set “Network security: LAN Manager authentication level” to “Send NTLMv2 response only. Refuse LM & NTLM” to remove NTLMv1; note that relay works against NTLMv2 as well, so this alone does not stop it.

Enforce SMB Signing

With signing required, every SMB message after authentication must carry a MAC computed with the session key. That key is derived from the victim's NT hash, which the relay does not hold, so a relayed SMB session cannot issue a single valid command. Enable it on both sides (“Microsoft network server: Digitally sign communications (always)” and the client equivalent), and remember it protects SMB only; LDAP needs its own signing requirement on domain controllers.

Implement Extended Protection for Authentication (EPA)

EPA ties the NTLM exchange to the channel it runs over: the client embeds a channel binding token, a hash of the TLS server certificate it is actually talking to, in its NTLMv2 response, and the service rejects responses bound to any other certificate. Enable it on HTTPS endpoints that accept NTLM (IIS applications, Exchange, the AD CS web enrolment pages) and enable LDAP channel binding on domain controllers.
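How signing and channel binding break the relay, as an added Python example that is not part of the original page. It reuses the NTLMv2 response and the session base key derivation from MS-NLMP, but the per-message signature and the channel binding token layout are simplified stand-ins (real SMB2/3 sign with HMAC-SHA256 or AES-CMAC over a derived key), and the account hash, certificates and command are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed NT hash for the demo account (the NT hash of "password"); a server stores this, never the password.
ALICE_NT = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")


def ntlmv2_key(nt, user, domain):
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), "md5").digest()


def session_key(key, proof):
    """NTLMv2 session base key = HMAC-MD5(NTOWFv2, NTProofStr): both real ends derive it, a relay cannot."""
    return hmac.new(key, proof, "md5").digest()


def cbt(tls_cert):
    """Channel binding token: MD5 over gss_channel_bindings whose application data is
    'tls-server-end-point:' + hash(server certificate). Simplified layout, assumed here."""
    return hashlib.md5(b"tls-server-end-point:" + hashlib.sha256(tls_cert).digest()).digest()


def sign(session, seq, payload):
    """Simplified message signature keyed with the session key (stand-in for SMB signing)."""
    return hmac.new(session, seq.to_bytes(4, "little") + payload, "md5").digest()


class Victim:
    def __init__(self, user, domain, nt):
        self.user, self.domain, self.key = user, domain, ntlmv2_key(nt, user, domain)

    def answer(self, server_challenge, peer_cert):
        """Bind the response to the TLS channel the client is really on (EPA), then derive the session key."""
        blob = cbt(peer_cert) + os.urandom(8)
        proof = hmac.new(self.key, server_challenge + blob, "md5").digest()
        return proof + blob, session_key(self.key, proof)


class Server:
    def __init__(self, cert, accounts, require_signing=False, require_epa=False):
        self.cert, self.accounts = cert, accounts
        self.require_signing, self.require_epa = require_signing, require_epa
        self.pending, self.sessions = {}, {}

    def challenge(self, conn):
        self.pending[conn] = os.urandom(8)
        return self.pending[conn]

    def authenticate(self, conn, user, domain, response):
        proof, blob = response[:16], response[16:]
        key = ntlmv2_key(self.accounts[user], user, domain)
        if not hmac.compare_digest(proof, hmac.new(key, self.pending.pop(conn) + blob, "md5").digest()):
            return False
        if self.require_epa and not hmac.compare_digest(blob[:16], cbt(self.cert)):
            return False  # valid credentials, but bound to a different TLS channel: relayed
        self.sessions[conn] = session_key(key, proof)
        return True

    def execute(self, conn, seq, payload, signature):
        if self.require_signing and not hmac.compare_digest(signature, sign(self.sessions[conn], seq, payload)):
            return False  # sender does not hold the session key
        return True


CMD = b"READ \\\\fileserver\\finance\\payroll.xlsx"  # constructed command the attacker wants to inject


def attacker_outcome(victim, target, attacker_cert):
    """Relay the victim's authentication to the target, then try to issue one command of the attacker's own."""
    conn = "attacker->target"
    resp, _ = victim.answer(target.challenge(conn), attacker_cert)  # the victim's TLS peer is the attacker
    if not target.authenticate(conn, victim.user, victim.domain, resp):
        return "authentication rejected"
    if not target.execute(conn, 1, CMD, os.urandom(16)):  # no session key: the signature is a blind guess
        return "authenticated, command rejected"
    return "command executed"


def legitimate_outcome(victim, target):
    conn = "victim->target"
    resp, session = victim.answer(target.challenge(conn), target.cert)
    assert target.authenticate(conn, victim.user, victim.domain, resp)
    return "command executed" if target.execute(conn, 1, CMD, sign(session, 1, CMD)) else "command rejected"


def outcomes():
    """Same victim against three server configurations; the legitimate client works in all of them."""
    victim = Victim("alice", "CORP", ALICE_NT)
    target_cert, attacker_cert = b"CN=fileserver.corp.example", b"CN=attacker-box"  # constructed stand-ins
    configs = {"no signing, no EPA": {}, "SMB signing required": {"require_signing": True},
               "EPA required": {"require_epa": True}}
    results = {}
    for name, cfg in configs.items():
        server = Server(target_cert, {"alice": ALICE_NT}, **cfg)
        results[name] = (attacker_outcome(victim, server, attacker_cert), legitimate_outcome(victim, server))
    return results
```

outcomes() shows the two controls failing the relay at different points: with signing required, the relayed authentication itself still succeeds but the attacker cannot sign a command, so the session is useless; with EPA, the response is refused outright because it was bound to the attacker's certificate. Both are worth having, because they cover different protocols.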

Restrict NTLM Usage via Group Policy

Use the “Network security: Restrict NTLM” policies. Start in audit mode (“Audit NTLM authentication in this domain”) to learn which clients and servers still depend on it, add exceptions for those, and deny the rest.

Segment Internal Networks

Reduce the attacker's ability to reach both victims and targets. Disabling LLMNR, NBT-NS and mDNS on clients removes the easiest way to trigger authentication to an attacker's host.

Monitor Authentication Patterns

On servers, look at Event ID 4624 network logons (Logon Type 3) with Authentication Package NTLM where the Workstation Name and the Source Network Address do not belong together, and at one source address presenting several accounts in a short time.

By layering these controls, organisations significantly reduce relay attack exposure.
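The two tells described under “Why Detection Is Challenging” and “Monitor Authentication Patterns”, run over constructed Event ID 4624 records as an added Python example (not from the original page). The events, the asset inventory and the thresholds are made up for the demo; on a relayed logon the Workstation Name comes from the victim's NTLM AUTHENTICATE message while the source address is the relay host's.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4624 records as exported from a file server's Security log
# (TimeCreated, LogonType, AuthenticationPackageName, TargetUserName, WorkstationName, IpAddress).
EVENTS = [
    {"time": "2026-01-14T09:02:11", "logon_type": 3, "auth_pkg": "NTLM", "user": "alice", "workstation": "WS-ALICE", "ip": "10.1.2.15"},
    {"time": "2026-01-14T09:05:40", "logon_type": 3, "auth_pkg": "Kerberos", "user": "bob", "workstation": "WS-BOB", "ip": "10.1.2.16"},
    {"time": "2026-01-14T09:06:00", "logon_type": 2, "auth_pkg": "NTLM", "user": "alice", "workstation": "WS-ALICE", "ip": "-"},
    {"time": "2026-01-14T09:31:02", "logon_type": 3, "auth_pkg": "NTLM", "user": "alice", "workstation": "WS-ALICE", "ip": "10.1.2.99"},
    {"time": "2026-01-14T09:31:45", "logon_type": 3, "auth_pkg": "NTLM", "user": "bob", "workstation": "WS-BOB", "ip": "10.1.2.99"},
    {"time": "2026-01-14T09:33:10", "logon_type": 3, "auth_pkg": "NTLM", "user": "carol", "workstation": "WS-CAROL", "ip": "10.1.2.99"},
    {"time": "2026-01-14T10:15:00", "logon_type": 3, "auth_pkg": "NTLM", "user": "dave", "workstation": "WS-DAVE", "ip": "10.1.2.50"},
]

# Constructed asset inventory: the address each workstation is expected to come from.
INVENTORY = {"WS-ALICE": "10.1.2.15", "WS-BOB": "10.1.2.16", "WS-CAROL": "10.1.2.17"}


def ntlm_network_logons(events):
    """Only network logons (type 3) authenticated by the NTLM package can have been relayed."""
    return [e for e in events if e["logon_type"] == 3 and e["auth_pkg"] == "NTLM"]


def workstation_ip_mismatches(events, inventory):
    """Workstation name (from the victim's AUTHENTICATE message) vs source address (the TCP peer):
    on a relayed logon the two disagree. Hosts missing from the inventory are skipped, not flagged."""
    hits = []
    for e in ntlm_network_logons(events):
        expected = inventory.get(e["workstation"])
        if expected is not None and e["ip"] != expected:
            hits.append((e["time"], e["user"], e["workstation"], e["ip"]))
    return hits


def fan_in(events, window=timedelta(minutes=5), threshold=3):
    """One source address presenting several distinct accounts inside a short window,
    typical of a relay host using whatever authenticates to it."""
    by_ip = defaultdict(list)
    for e in ntlm_network_logons(events):
        by_ip[e["ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    flagged = {}
    for ip, logons in by_ip.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            users = {u for t, u in logons[i:] if t - t0 <= window}
            if len(users) >= threshold:
                flagged[ip] = sorted(users)
                break
    return flagged
```

Both heuristics flag 10.1.2.99 here, while alice's own logon from 10.1.2.15, bob's Kerberos logon and the interactive (type 2) logon are ignored. Expect false positives from DHCP churn, VPN pools and NAT; the mismatch check is only as good as the inventory, so correlate a hit with the victim host's own logs before treating it as a relay.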

The Broader Legacy Authentication Problem

NTLM relay attacks highlight a larger issue: legacy systems often remain active long after modern alternatives exist.

Compatibility requirements delay upgrades. Meanwhile, attackers study these environments carefully. Because of this imbalance, legacy authentication becomes a persistent security weakness.

Modern networks require modern identity controls. Otherwise, backward compatibility becomes a forward-facing risk.

Conclusion

NTLM relay attacks exploit legacy authentication mechanisms that many organisations still support. Although NTLM was not designed for today’s threat landscape, it remains active in modern networks. Consequently, attackers continue to abuse it for lateral movement and privilege escalation.

Preventing NTLM relay attacks requires proactive identity hardening, strict configuration policies, and reduced reliance on outdated protocols. At eSHIELD IT Services, we help organisations assess legacy authentication risks and strengthen identity security before attackers exploit them.

Modern infrastructure demands modern authentication discipline.

FAQ

What is an NTLM relay attack?

An attacker in the middle forwards a victim's live NTLM challenge-response exchange to a different service and obtains a session there as the victim.

Does NTLM relay require password cracking?

No. It forwards live authentication responses.

Is NTLM still used today?

Yes, especially for legacy compatibility.

How is NTLM different from Kerberos?

Kerberos uses ticket-based authentication with tickets issued for a named service, while NTLM uses a challenge-response exchange that, by itself, is not tied to any particular server.

Can NTLM relay lead to domain compromise?

Yes, especially if privileged accounts authenticate.

Why is NTLM relay hard to detect?

Because the authentication is genuine and succeeds: there are no failed logons, and the only anomalies are in who authenticated from where.

What is SMB signing?

A cryptographic check on every SMB message using a key derived from the authenticated user's credentials; a relayed session does not have that key, so its messages are rejected.

Should organisations disable NTLM?

Yes, if operationally possible.

Is NTLM relay linked to ransomware?

Often, it enables lateral movement before ransomware deployment.

Who should address NTLM risks?

Security teams and system administrators must collaborate.
