The NTLM relay attack poses a significant threat to organizations that use Active Directory. This attack exploits the NT LAN Manager (NTLM) authentication protocol, a challenge-response mechanism used in Windows networks for user authentication. NTLM relay attacks are not just a relic of past security concerns but a present and active risk.
Related reading: Active Directory Security Best Practices
Attacks such as PetitPotam use NTLM relay to threaten corporate security. To mitigate this enduring threat, organizations must apply rigorous security measures. Read on to learn more about NTLM relay attacks: how they work, the risks they pose, how to detect them, and how to defend against them.
What is NTLM?
NTLM has long been a mainstay of Windows authentication. Designed for speed and backward compatibility, NTLM facilitates network authentication when Kerberos, a more secure alternative, cannot be used. Many networks still support and use NTLM for backward compatibility and interoperability with legacy systems and applications that do not support newer authentication methods such as Kerberos.
What is an NTLM relay attack?
An NTLM relay attack takes advantage of the NTLM protocol design. NTLM lacks mutual authentication and so is susceptible to man-in-the-middle attacks, including an NTLM relay attack.
In this type of attack, a threat actor captures an NTLM authentication session. The attacker then relays the captured credentials to authenticate to other services, effectively piggybacking on the user’s identity.
The NTLM protocol does not inherently protect against the interception or relay of credentials. Without additional security mechanisms, such as SMB signing or Extended Protection for Authentication, an attacker can relay NTLM messages to other servers and services within the network. The attacker can exploit this behavior to perform unauthorized actions, from accessing sensitive data to executing commands with the privileges of the compromised account.
The prevalence of mixed environments that use both NTLM and more secure protocols only expands the attack surface for adversaries. Once inside your network, attackers can take advantage of AD trust relationships to escalate privileges. This threat increases when network configurations and strict adherence to security policies are inconsistent or overlooked due to operational demands, complexity, or lack of awareness.
Attackers often leverage an NTLM relay attack along with other techniques, such as phishing or malware, to gain initial access or elevate their existing foothold within a system. The combination of these methods can make NTLM relay attacks a component of more sophisticated and targeted attacks.
The threat is also amplified by the ready availability of many automated tools and scripts to exploit NTLM vulnerabilities. As a result, attackers can carry out an NTLM relay attack without needing deep technical knowledge of the underlying protocol.
How does an NTLM relay attack work?
The attack begins with the attacker positioning themselves strategically within the network to monitor and capture authentication traffic between a client and a server. The attack takes advantage of the fact that NTLM authentication does not inherently bind an authentication session to a specific channel. This behavior enables the attacker to redirect the credentials to a different server or service within the network.
An NTLM relay attack typically follows these steps.
Interception. The attacker uses techniques such as ARP poisoning to insert themselves into the communication stream and intercept a client’s attempt to authenticate to a server.
Relay. The attacker actively relays the client’s authentication request to another server or service within the network.
Credential misuse. After receiving the client’s credentials, the target server processes the request as if it were a legitimate attempt from the client. The server returns a session token or access grant, which the attacker captures.
Unauthorized access. Using the session token or access credentials, the attacker accesses the target server or service with the same rights as the victim. These rights might enable the attacker to access file shares, databases, or other sensitive resources.
What risks are associated with an NTLM relay attack?
The potential risks of an NTLM relay attack are profound.
Privilege escalation. Attackers can gain elevated privileges if the relayed credentials have the necessary level of access.
Data breach. Access to sensitive data within the network can lead to data theft or loss.
Lateral movement. Attackers can move laterally within the network, compromising additional systems and setting the stage for further attacks or persistent threats.
Real-life examples include cases where attackers have compromised a user with high privileges and used NTLM relay to execute commands that grant the attackers persistent access to the network.
Who is vulnerable to an NTLM relay attack?
Systems that are particularly vulnerable to an NTLM relay attack include:
Networks that use single sign-on (SSO) and in which NTLM is still in use
Environments in which SMB signing is disabled or unenforced
Servers and applications that do not require channel binding or session protection
How can you detect an NTLM relay attack?
To detect an NTLM Relay attack, security professionals should take the following steps:
Monitor for unusual NTLM traffic patterns.
Look for signs of ARP poisoning or network spoofing.
Use intrusion detection systems to flag anomalous authentication requests.
Employ advanced threat analytics to spot lateral movement or privilege escalation that could indicate a relay attack.
How can you defend against an NTLM relay attack?
By understanding the mechanics of an NTLM relay attack and taking proactive steps to secure your network, you can significantly reduce the threat posed by this enduring vulnerability. Mitigating an NTLM relay attack involves these steps:
Enforce SMB signing to prevent the interception of NTLM authentication messages.
Disable NTLM authentication wherever possible, in favor of more secure protocols such as Kerberos.
Implement network segmentation to limit lateral movement.
Use the Protected Users security group and other Credential Guard features to reduce credential exposure.
Active Directory admins can also take the following steps:
Audit your network to ensure that SMB signing is enabled on all devices.
Configure Active Directory to reject NTLM authentication requests from untrusted networks.
Regularly monitor, patch, and update systems to mitigate known vulnerabilities. Where Active Directory is concerned, a tool like Semperis Directory Services Protector can scan for and close vulnerabilities and even automate remediation of suspicious changes in the Active Directory environment.
Educate users on the importance of not reusing credentials across different access points.
Remain vigilant against cyberattacks
An NTLM relay attack poses a serious threat to networks. Despite its age, NTLM remains in use in many corporate environments, especially in systems that have not been updated to use modern authentication protocols like Kerberos. The persistence of NTLM in networks, often due to legacy applications or devices that require it, leaves a door open for NTLM Relay attacks to exploit inherent weaknesses in the authentication protocol.
Additionally, NTLM relay attacks can be particularly dangerous when combined with other exploits. For instance, an attacker who gains access to a network through a phishing campaign can use NTLM relay tactics to elevate privileges and move laterally within the network, leading to a wide range of malicious activities.
By intercepting and relaying authentication messages, attackers can gain unauthorized access to network resources, escalate their privileges, and potentially cause significant damage. Detection and mitigation require a robust security posture, including network monitoring, user education, and the deployment of secure authentication protocols.
Active Directory administrators must remain especially vigilant. Enforce best practices to protect against vulnerabilities and to ensure the integrity and security of the identity service. And if possible, implement identity threat detection and response (ITDR) solutions that simplify Active Directory monitoring and automate your defense against both human error and stealthy cyberattacks.