Listen to this Post

Introduction
For years, NTLM relay attacks have been a staple in every penetration tester’s arsenal—allowing unauthenticated attackers to intercept authentication requests and impersonate users against Domain Controllers. Microsoft’s latest Windows Server 2025 introduces an under‑the‑hood change that quietly neuters a well‑known AD relay technique, forcing red teams and defenders alike to reassess their strategies. This article dissects the technical shift, provides hands‑on verification steps, and outlines what this means for the future of Active Directory security.
Learning Objectives
- Understand the mechanics of NTLM relay attacks and why they’ve been so effective.
- Identify the specific architectural change in Windows Server 2025 that breaks a classic relay vector.
- Learn to test and audit NTLM relay protections using real‑world commands and tools.
- Apply hardening measures to older Windows Server versions to emulate the new security level.
- Evaluate remaining attack surfaces and plan for a Kerberos‑first environment.
You Should Know
1. The Anatomy of an NTLM Relay Attack
An NTLM relay attack occurs when an attacker positions themselves between a client and a server, forwarding the client’s authentication attempt to a target server (like a Domain Controller) to gain unauthorized access. Tools like Responder and Impacket’s ntlmrelayx have made this trivial.
Step‑by‑step guide to a classic relay (pre‑Windows Server 2025):
- Set up the relay listener on your attacker machine (Kali Linux):
sudo impacket-ntlmrelayx -t ldap://dc01.corp.local --delegate-access -smb2support
This tells ntlmrelayx to relay incoming NTLM authentications to the LDAP service on the Domain Controller, attempting to add a computer account or perform other privileged operations.
-
Poison LLMNR/NBT‑NS using Responder to capture authentication attempts:
sudo responder -I eth0 -wrf
When a user mistypes a share name, Responder sends a poisoned response, forcing the client to send its NTLM hash to the attacker.
-
Relay the hash – ntlmrelayx automatically forwards the captured authentication to the target DC. If LDAP signing is not enforced, the attacker can now create a domain admin account or perform other malicious LDAP operations.
Why it works: Older Domain Controllers (pre‑2025) often accept NTLM relayed authentications without requiring LDAP signing or channel binding, allowing the attacker to impersonate the victim.
2. What Changed in Windows Server 2025?
Microsoft’s change in Windows Server 2025 goes beyond a simple policy toggle. According to Andrea Pierini’s analysis (decoder.cloud), the modification is baked into the Domain Controller’s Netlogon and LSASS components: NTLM authentication requests relayed to LDAP are now rejected unless they originate from a trusted channel that enforces Extended Protection for Authentication (EPA). In practice, this means that any NTLM relay attempt that does not include a valid channel binding token—something a typical relay tool cannot provide—is silently dropped.
This effectively kills the “LDAP relay” technique that relied on unauthenticated LDAP binds. It is not configurable; it is a fundamental change in how Windows Server 2025 processes NTLM-over-LDAP.
- Verifying the Fix: How to Test If Your DCs Are Protected
To confirm whether a Domain Controller is vulnerable or protected, you can attempt a relay attack against it and observe the result.
Test from a Linux attacker machine:
- Prepare ntlmrelayx to target the Windows Server 2025 DC:
sudo impacket-ntlmrelayx -t ldap://dc2025.target.local --no-validate-privs -smb2support
-
Start Responder in analysis mode (or use a different trigger):
sudo responder -I eth0 -wrf
-
Force a connection (e.g., from a Windows client, try to access a non‑existent share like
\\attacker\test). On the attacker machine, watch the output.
Expected result against Windows Server 2025:
ntlmrelayx will show that a connection was received, but the LDAP relay will fail with an error similar to:
[-] LDAP connection to dc2025.target.local failed: [Errno 104] Connection reset by peer
Or in packet capture, you’ll see the server rejecting the NTLMSSP exchange after the initial handshake.
PowerShell audit command (run on a Domain Controller):
Check if LDAP signing and channel binding are enforced—though on Windows Server 2025, even with these policies not set, the underlying relay protection is active.
Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=target,DC=local" -Properties | fl name, ldap
Look for `msDS-Other-Settings` values; however, the new protection is not exposed via AD attributes—it’s hard‑coded.
4. Hardening Older Windows Servers Against NTLM Relay
If you cannot immediately upgrade to Windows Server 2025, you can apply equivalent protections through Group Policy.
Enable LDAP Signing and Channel Binding:
- Open Group Policy Management Console and edit the Default Domain Controllers Policy.
- Navigate to:
Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options.
3. Set the following:
- Domain controller: LDAP server signing requirements → `Require signing`
– Network security: LDAP client signing requirements → `Require signing`
– Domain controller: LDAP server channel binding token requirements → `Always` (or `When supported` if compatibility concerns exist)
- Apply the policy and reboot the Domain Controllers.
Verify settings via registry (on each DC):
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -Name "LDAPServerIntegrity"
A value of `2` indicates signing required. For channel binding, check:
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -Name "LdapEnforceChannelBinding"
Value `2` = always, `1` = when supported, `0` = never.
Additionally, enforce SMB signing to prevent SMB relay:
- Set `Microsoft network server: Digitally sign communications (always)` to
Enabled.
5. Beyond NTLM Relay: What Still Works?
While this specific relay vector is closed, Active Directory remains vulnerable to other attacks. Pentesters and adversaries will shift focus to:
- Kerberoasting – Request service tickets and crack them offline.
- AS‑REP roasting – Attack accounts without pre‑authentication required.
- Delegation abuses – Unconstrained, constrained, and resource‑based constrained delegation.
- ACL exploitation – Modifying DACLs to grant privileges via tools like BloodHound.
- SMB relay to other services – Relay to SMB itself on non‑DC targets (if SMB signing is not enforced).
- NTLMv1 downgrade – If legacy clients exist, forcing downgrade to NTLMv1 for easier cracking.
Command to test for SMB signing on a target:
nmap --script smb2-security-mode -p 445 <target_ip>
If message signing is not required, SMB relay may still work.
6. Automating NTLM Relay Audits with PowerShell
To assess your entire domain’s exposure to NTLM relay, use a script that checks each Domain Controller’s LDAP and SMB configuration.
PowerShell snippet:
$DCs = Get-ADDomainController -Filter | Select-Object -ExpandProperty Name
foreach ($dc in $DCs) {
Write-Host "Checking $dc"
$ldapSign = Get-ADObject -Server $dc -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=target,DC=local" -Properties ldapserverintegrity
$signValue = $ldapSign.ldapserverintegrity
Write-Host "LDAP Signing: $signValue" 2 = required, 1 = if supported, 0 = none
Check SMB signing via remote registry (requires admin)
try {
$smbSign = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "RequireSecuritySignature" -ComputerName $dc
Write-Host "SMB Signing Required: $($smbSign.RequireSecuritySignature)"
} catch {
Write-Host "Unable to query SMB signing on $dc"
}
}
7. The Future of NTLM in Active Directory
Microsoft has been steadily deprecating NTLM for years. With Windows Server 2025, the company sends a clear signal: relay attacks will not be tolerated at the protocol level. Future versions may disable NTLM entirely by default, forcing organizations to migrate to Kerberos. For now, administrators should:
- Enable Kerberos‑only authentication where possible.
- Monitor for NTLM usage via `4624` and `4776` event logs.
- Use the `NTLM` audit mode in Group Policy before blocking.
What Undercode Say
- Key Takeaway 1: The Windows Server 2025 NTLM relay fix is a fundamental, non‑configurable change—not a simple registry tweak. It breaks a decade‑old LDAP relay technique that many organizations relied on for penetration testing, and it sets a new baseline for Active Directory security.
-
Key Takeaway 2: Defenders must verify that their Domain Controllers are indeed running Windows Server 2025 or have applied equivalent hardening (LDAP signing + channel binding) on older versions. Automated auditing scripts are essential to maintain visibility across the enterprise.
-
Analysis: This move by Microsoft underscores a shift toward proactive, protocol‑level security rather than relying solely on policy configurations. While it closes a critical attack vector, it also highlights the ongoing cat‑and‑mouse game—attackers will pivot to other methods such as Kerberos abuse or resource‑based constrained delegation. Organizations that have not yet embraced a Zero Trust model or that still permit legacy NTLM authentication will remain at risk until they fully modernize their identity infrastructure.
Prediction
In the next 12–18 months, we will see a surge in Kerberoasting and delegation‑based attacks as adversaries adapt. Simultaneously, security researchers will uncover new relay vectors that bypass Windows Server 2025’s protections—possibly targeting other protocols like RPC or HTTP‑based endpoints. Microsoft will likely continue hardening NTLM across all Windows versions, eventually leading to its complete disablement by default in a future Server release. Red teams should now invest in mastering Kerberos attack techniques, while blue teams must accelerate their migration to Kerberos‑only authentication and deploy continuous monitoring for anomalous authentication patterns.
▶️ Related Video (78% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Https: – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


