Legacy Defaults Still Expose Domain Controllers to Easy Takeover
Why a Group of Legacy Configurations, Some of Them Dating Back to the 1990s, Remains One of the Easiest Ways to Compromise Enterprise Networks
NTLM Relay attacks should be history. Yet in 2025, they remain one of the most effective ways to compromise Active Directory.
We first covered this problem back in 2020, when we wrote about a troubling vulnerability that refused to die: NTLM Relay attacks. At the time, many believed NTLM Relay attacks were a relic of the past, an old problem long solved by Kerberos and modern authentication protocols.
Five years later, in 2025, NTLM Relay hasn’t just survived, it’s thriving.
One red team expert put it bluntly: “NTLM relay attacks are the easiest way to compromise domain-joined hosts.”
Our research and field observations confirm this. NTLM Relay is not just a theoretical threat; it is routinely used in modern attacks and often serves as the first step in lateral movement and privilege escalation.
Why It Still Works
Why does it persist? Because of a problematic configuration of LDAP and NTLM that still exists in most environments. Applications and services continue to invoke NTLM for compatibility, often hard-coded to use the NTLM package instead of Negotiate. Even where Kerberos is available, NTLM quietly stays active in the background, through legacy applications or fallback behaviors.
How NTLM Relay Works (Briefly)
NTLM authentication involves a three-message handshake:
- Negotiate – The client initiates the authentication.
- Challenge – The server responds with a random challenge.
- Authenticate – The client proves it has the valid credentials by responding cryptographically.
Each exchange is unique: the random challenge prevents replay attacks, but unfortunately not relay attacks, because nothing in the handshake ties the response to the connection it arrived on.
In a relay attack, the attacker doesn’t need to break encryption or guess passwords. Instead, they relay valid NTLM messages between a client and a target server, tricking the server into establishing a legitimate session for the attacker. This allows full access at the victim’s privilege level. No password cracking required.
And it gets worse. Attackers can force victims to authenticate using coercion techniques like the Printer Bug or PetitPotam, meaning they don’t have to wait for a user to log in naturally. Almost any Authenticated User can initiate this chain, making NTLM Relay a wide-open door in misconfigured domains.
Top Targets: Where NTLM Relay Hits Hardest
Attack Targets – Three Doors for Relaying
NTLM Relay attacks commonly target three service types:
1. SMB Servers
Relaying to SMB allows attackers to establish authenticated sessions to remote systems.
Depending on the victim’s privileges, attackers can:
- Access administrative shares (C$, ADMIN$)
- Dump LSA secrets via Remote Registry
- Move laterally using the Service Control Manager
Windows Server 2025 enables SMB signing by default, but older systems still need manual enforcement.
2. LDAP and LDAPS
Relaying NTLM to LDAP or LDAPS can be devastating, as most domain controllers are still vulnerable when LDAP signing and channel binding are not enforced.
- LDAP signing verifies message integrity.
- Channel binding ensures that authentication cannot be reused across different TLS sessions.
Starting with Windows Server 2025, LDAP enforces encryption (sealing) by default, which is a positive step, but mixed-domain environments remain highly exposed.
3. ADCS Web Enrollment (ESC8)
Relaying to Active Directory Certificate Services (ADCS) allows attackers to request valid certificates on behalf of victims. With these certificates, they can impersonate machines or users indefinitely.
Why Is NTLM Relay “Always Vulnerable”?
Even NTLMv2 isn’t safe by default. When combined with unsigned LDAP or unsealed SMB, it can be abused. The problem isn’t only misconfiguration; it’s a fundamental design flaw. NTLM lacks mutual authentication and channel binding by design, making it “always vulnerable” when not wrapped with protective measures.
This explains why NTLM Relay has survived modernization efforts: because backward compatibility and real-world dependencies keep the attack surface alive.
Defending Against NTLM Relay with LDAP Signing, Channel Binding, and Beyond
To stop relay attacks effectively, enterprises must enforce LDAP Signing and Channel Binding — not just enable them.
Insecure example:
- NTLMv1 enabled
- LDAP signing: “None” or “Negotiate”
- Plain LDAP (TCP 389) open
Secure baseline:
- Disable NTLMv1; enforce NTLMv2 or Kerberos
- Require LDAP signing (Require Signing in GPO)
- Require LDAPS (TCP 636) with valid TLS certificates
- Enable SMB and LDAP channel binding
These controls elevate trust from “best effort” to cryptographically enforced verification.
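As an added example (not CalCom’s code and not part of the original post), the following PowerShell audit reads the registry values that back the Group Policy settings in the secure baseline above and probes LDAPS on TCP 636; run it in an elevated session on a domain controller. The Min/Ideal thresholds are assumptions that mirror this post’s baseline, and the SMB check covers SMB signing, which is the server-side control discussed above.

```powershell
# Added example, not CalCom's or the post's own code. Run elevated on a DC.
# Registry values are the documented backing stores of the GPO settings;
# the Min/Ideal thresholds are assumptions mirroring the baseline above.
$checks = @(
    @{ Name  = 'NTLMv1 refused (LmCompatibilityLevel: 3-4 = send NTLMv2 only, 5 = refuse LM/NTLMv1)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel'; Min = 3; Ideal = 5 },
    @{ Name  = 'LDAP server signing (LDAPServerIntegrity: 1 = Negotiate, 2 = Require)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value = 'LDAPServerIntegrity'; Min = 2; Ideal = 2 },
    @{ Name  = 'LDAP channel binding (LdapEnforceChannelBinding: 1 = When supported, 2 = Always)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value = 'LdapEnforceChannelBinding'; Min = 1; Ideal = 2 },
    @{ Name  = 'SMB server signing (RequireSecuritySignature: 1 = Required)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Min = 1; Ideal = 1 }
)

function Get-RegValueOrNull([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # absent value: Windows falls back to its built-in default
}

$report = foreach ($c in $checks) {
    $actual = Get-RegValueOrNull $c.Path $c.Value
    $status = if ($null -eq $actual)        { 'NOT SET (OS default applies)' }
              elseif ($actual -ge $c.Ideal) { 'OK' }
              elseif ($actual -ge $c.Min)   { 'PARTIAL: negotiated, not enforced' }
              else                          { 'INSECURE' }
    [pscustomobject]@{ Check = $c.Name; Actual = $actual; Status = $status }
}
$report | Format-Table -AutoSize -Wrap

# LDAPS (TCP 636) probe: a full TLS handshake with default chain and name
# validation, so an expired or untrusted DC certificate is reported here.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$tcp  = New-Object System.Net.Sockets.TcpClient($fqdn, 636)
$ssl  = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($fqdn)   # throws if the certificate does not validate
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "LDAPS OK on $fqdn : $($cert.Subject), expires $($cert.NotAfter)"
} catch {
    "LDAPS FAILED on $fqdn : $($_.Exception.Message)"
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

A “NOT SET” result is worth treating as a finding on pre-2025 servers, since the built-in default for those values is the negotiated, not the enforced, setting.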
How CalCom Helps
CalCom’s Role – Detect, Learn, and Enforce Securely
At CalCom, we’ve seen enterprises struggle with one persistent question:
“How can we disable NTLM and enforce LDAP security without breaking production systems?”
That’s where the CalCom Hardening Solution (CHS) shines.
Before enforcing a single configuration, CHS enters Learning Mode — a discovery phase that analyzes live authentication activity across your environment. It identifies where NTLM is still being used, by which applications, and for what purpose.
This pre-enforcement insight prevents outages and false positives by giving IT and security teams the visibility they need to plan safely. Once verified, CHS automatically transitions to Enforcement Mode, applying secure baselines — such as disabling NTLMv1, enabling LDAP signing, and enforcing LDAPS — while continuously monitoring for configuration drift.
The result is a gradual, intelligent hardening process that secures authentication without disrupting operations.
Key Takeaways
- NTLM relay attacks are still a real threat due to legacy defaults and silent fallback behaviors.
- Even NTLMv2 is vulnerable without enforced protections like signing, sealing, and channel binding.
- SMB, LDAP, and ADCS remain high-value targets for attackers using NTLM relay.
- Secure hardening requires visibility — tools like CalCom CHS help you disable NTLM safely without breaking legacy systems.