NTLM Relay Attacks in 2025: Why Legacy Authentication Still Breaks Enterprise Security

Overview

Despite years of deprecation efforts, NTLM (NT LAN Manager) continues to exist across enterprise environments as a fallback authentication mechanism. Its persistence has enabled an entire class of attacks—most notably NTLM relay attacks—to remain viable even in modern infrastructures.

NTLM relay attacks do not rely on breaking cryptography. Instead, they exploit the design of challenge-response authentication, allowing attackers to relay legitimate authentication attempts to other services and gain unauthorized access.

In 2025, these attacks remain relevant due to a combination of legacy compatibility, misconfiguration, and incomplete enforcement of modern protections.

Technical Root Cause

NTLM authentication operates as a challenge-response protocol:

  1. Client requests access
  2. Server sends a challenge
  3. Client responds with a hash derived from credentials
  4. Server validates the response

Unlike Kerberos, NTLM:

  • Does not provide mutual authentication
  • Does not bind authentication to a specific target service
  • Allows reuse of authentication responses within certain contexts

This creates a fundamental weakness:

Authentication proves identity, but not the intended destination

This gap enables relay scenarios.

Attack Flow (High-Level)

Victim initiates NTLM authentication

Attacker intercepts or coerces authentication

Attacker relays authentication to target service

Target service accepts authentication

Attacker gains access as victim

Common relay targets include:

  • SMB file shares
  • HTTP-based services
  • LDAP / Active Directory services

Important: The attacker does not need to know the password.

Why This Still Works in Modern Environments

1. NTLM Is Still Enabled by Default

Even in environments using Kerberos:

  • NTLM remains enabled for compatibility
  • Many services silently fall back to NTLM

2. SMB Signing Is Not Universally Enforced

Without SMB signing:

  • Authentication messages can be relayed without integrity protection
  • Many environments still allow unsigned SMB traffic internally

3. Enterprise Protocol Diversity

Modern environments include:

  • Legacy systems
  • Hybrid cloud services
  • Mixed authentication models

This complexity increases the chance of exploitable paths.

4. Authentication Coercion Techniques

Attackers can trigger NTLM authentication using:

  • File share requests
  • Remote procedure calls
  • Various system interactions

This allows attackers to generate authentication attempts on demand.

Enterprise Impact

NTLM relay attacks can lead to:

  • Unauthorized access to file shares
  • Privilege escalation within Active Directory
  • Lateral movement across systems
  • Configuration changes in directory services

Because the authentication is legitimate, detection is significantly more difficult than typical intrusion attempts.

Detection Strategies

1. Monitor NTLM Usage

  • Identify systems still relying on NTLM
  • Track unusual authentication patterns

2. Analyze Authentication Flows

Look for:

  • Authentication to unexpected services
  • Repeated authentication attempts across multiple endpoints

3. Network-Level Monitoring

  • Inspect SMB and HTTP authentication patterns
  • Detect relay-like behavior across services

4. Directory Service Auditing

  • Monitor changes initiated via authenticated sessions
  • Identify suspicious modifications tied to NTLM logins

Mitigation and Hardening

1. Disable NTLM Where Possible

  • Move fully to Kerberos-based authentication
  • Audit and eliminate NTLM dependencies

2. Enforce SMB Signing

  • Require signing on all SMB communications
  • Prevent relay of unsigned authentication messages

3. Enable Extended Protection for Authentication (EPA)

  • Bind authentication to specific services
  • Reduce relay feasibility

4. Restrict NTLM Usage

  • Use group policies to limit NTLM scope
  • Block NTLM across trust boundaries

5. Harden Directory Services

  • Restrict sensitive operations
  • Use least privilege for service accounts

Architect’s Perspective

NTLM relay attacks persist not because they are technically complex, but because they exploit architectural compromises made for backward compatibility.

The core issue is not just NTLM itself—it is the assumption that identity verification alone is sufficient.

Modern systems require:

  • Service-bound authentication
  • Strong identity-to-resource binding
  • Elimination of fallback mechanisms

The continued presence of NTLM in enterprise environments highlights a broader challenge:

Security architecture often prioritizes compatibility over correctness

Until legacy protocols are fully removed or strictly contained, these classes of attacks will continue to exist.

Key Takeaways

  • NTLM relay attacks exploit protocol design, not cryptographic weakness
  • Legacy authentication remains a significant enterprise risk
  • Misconfigurations such as lack of SMB signing enable exploitation
  • Detection requires analysis of authentication behavior, not just failures
  • Long-term mitigation requires reducing or eliminating NTLM usage

References

  • Microsoft documentation on NTLM and authentication
  • Server Message Block security guidance
  • National Vulnerability Database related advisories
  • Public research on NTLM relay techniques and enterprise mitigation strategies

Author

Ankur Kumar is a systems architect with deep expertise in cybersecurity, Windows internals, and protocol-level system design. His work focuses on secure remote access, browser-based protocol clients (RDP/SMB/SSH), and the mechanics of authentication systems including NTLM and Kerberos. He specializes in analyzing how low-level protocol behavior impacts real-world enterprise security.