NTLM Relay and Signing Gaps
Description
If SMB signing and LDAP signing/channel binding are not enforced, an attacker who can capture NTLM authentication on the network can relay it to privileged services that will accept it. Relays can yield code execution, account creation, RBCD configuration, or directory modifications without knowing any passwords. Coercion techniques (LLMNR/NBNS poisoning, printer bug, WebDAV) supply the inbound NTLM that gets relayed.
Examples
Capture and Relay NTLM to LDAP
Use Responder to coerce and capture, then relay with Impacket:
sudo responder -I eth0 -wrf
ntlmrelayx.py -t ldap://dc01.corp.local --escalate-user attacker
On success, the attacker-controlled account is granted elevated privileges (e.g., added to a privileged group).
Relay to SMB for Command Execution
If SMB signing is not required on targets, relay to SMB and execute a command:
ntlmrelayx.py -t smb://fileserver.corp.local -c "whoami"
This demonstrates RCE via NTLM relay.
Relay to LDAP for RBCD persistence
ntlmrelayx.py -t ldap://dc01.corp.local --delegate-access --escalate-user WS01$
On success, the relayed connection writes msDS-AllowedToActOnBehalfOfOtherIdentity on a target computer, enabling RBCD. See: src/active-directory/resource-based-constrained-delegation.md.
Remediation
- Enforce signing and channel binding
  - Require SMB signing on servers and clients; disable SMBv1.
  - Enable LDAP signing and channel binding on domain controllers.
- Reduce NTLM surface
  - Prefer Kerberos or certificate-based auth; disable NTLM where possible.
  - Disable or restrict protocols that can be coerced to authenticate (WebDAV, MS-RPRN) and patch relevant services.
- Monitor for relays
  - Alert on unsigned SMB sessions and NTLM authentications to DCs.
  - Purple-team periodically to validate enforcement and coverage.
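As an added example (not part of the original page), the PowerShell audit below reads the registry values behind the signing, channel-binding and NTLM settings listed above and reports whether each one is at its enforced value. The paths and value names are Microsoft's documented ones; the report layout and the "NOT SET / WEAK / OK" labels are my own.

```powershell
# Added audit script (not from the original page). Run in an elevated PowerShell
# on the host being checked; the NTDS keys only exist on domain controllers.
function Get-RegDword {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent -> reported below as NOT SET
}

$lanmanSrv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lanmanWks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$ntds      = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$msv       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Enforced values: RequireSecuritySignature 1 = signing required;
# LDAPServerIntegrity 2 = require signing; LdapEnforceChannelBinding 2 = always;
# RestrictReceivingNTLMTraffic 2 = deny all inbound NTLM (1 = domain accounts only).
$checks = @(
    @{ Area = 'SMB server signing';     Path = $lanmanSrv; Name = 'RequireSecuritySignature';     Want = 1 }
    @{ Area = 'SMB client signing';     Path = $lanmanWks; Name = 'RequireSecuritySignature';     Want = 1 }
    @{ Area = 'LDAP signing (DC)';      Path = $ntds;      Name = 'LDAPServerIntegrity';          Want = 2 }
    @{ Area = 'LDAP channel bind (DC)'; Path = $ntds;      Name = 'LdapEnforceChannelBinding';    Want = 2 }
    @{ Area = 'Inbound NTLM';           Path = $msv;       Name = 'RestrictReceivingNTLMTraffic'; Want = 2 }
)

$report = foreach ($c in $checks) {
    $actual = Get-RegDword -Path $c.Path -Name $c.Name
    $status = if ($null -eq $actual) { 'NOT SET' } elseif ($actual -eq $c.Want) { 'OK' } else { 'WEAK' }
    [pscustomobject]@{
        Area = $c.Area; Value = $c.Name; Actual = $actual; Required = $c.Want; Status = $status
    }
}
$report | Format-Table -AutoSize

# Effective SMB settings as the services apply them (policy can differ from the raw
# keys), plus whether SMBv1 is still enabled on the server side at all.
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSMB1Protocol
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature
```

A "NOT SET" for the SMB rows means the default applies, which on member servers and workstations is signing negotiated but not required; only "OK" rows close the relay paths described in the examples above.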