Specter Ops
Renaissance of NTLM Relay Attacks Overview
Pages
37
Time to read
41 mins
Publication
Language
English
This whitepaper provides a comprehensive examination of NTLM relay attacks, detailing their persistence and evolution in modern network environments. It outlines the fundamental concepts of NTLM, a legacy authentication protocol introduced by Microsoft in 1993, and discusses the various attack vectors associated with it. The document explains the mechanics of NTLM relay attacks, emphasizing their complexity and the tools necessary for tracking them. It covers the introduction of NTLM relay edges in BloodHound, which help visualize coercion and relay attacks against domain-joined computers. The paper also contrasts NTLM with Kerberos, highlighting scenarios where NTLM remains in use. Additionally, it discusses the vulnerabilities of NTLMv1 and NTLMv2, including susceptibility to replay and relay attacks, and the implications of password cracking. The whitepaper aims to consolidate essential information about NTLM, providing a resource for security practitioners to better understand and mitigate these risks.