NTLM relay attacks have been documented since before some of today’s penetration testers were old enough to use a computer, and they still work in the majority of internal networks. The technique relies on a few stable conditions: a victim that authenticates to a server an attacker controls, an authentication protocol whose challenge-response exchange can be forwarded unchanged to another host (NTLM does not bind the exchange to the server that issued the challenge), and a target server that does not require the resulting session to be signed or bound to the channel it arrived on. All three conditions remain common enough to keep the attack relevant in 2026.
How the Attack Works in Practice
An attacker positions themselves on the same network as the victim, typically luring connections their way with LLMNR poisoning, NBT-NS spoofing, or rogue DHCPv6 answers that install an attacker-controlled DNS server (the mitm6 technique). When a victim’s machine authenticates to the attacker’s listening service, the attacker does not try to crack anything. It opens its own connection to the target it actually wants, takes the NTLM challenge that target issues, passes the challenge to the victim, and forwards the victim’s response back to the target. The target sees a valid response to its own challenge and accepts it. The attacker never learns the password or its hash; it borrows the finished authentication and, if the target does not demand a signed session, now has access as the relayed user with whatever privileges that user holds.
Why Signing Matters
SMB signing does not stop the target from accepting the relayed authentication; it stops the attacker from using the session afterwards. Every request on a signed SMB session carries a MAC computed with a session key that both the client and the server derive from the user’s NT hash and the NTLMv2 response. The relay attacker only sees the challenge and the response cross the wire, cannot derive that key, and so fails on the first signed request. Microsoft has tightened the defaults over the years: domain controllers have required signing on their SMB server for a long time, and the most recent Windows 11 and Windows Server releases require it by default on both client and server. Older builds, member servers and workstations deployed under earlier defaults, and third-party SMB implementations often still run with signing merely enabled (used only if both sides offer it) rather than required, and a relay attacker simply does not offer it. Internal network penetration testing that includes relay attempts identifies exactly which targets in your environment remain vulnerable.
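The exchange described above, as an added example that is not part of the original article: a small model of an NTLMv2 relay in which the attacker forwards the target’s challenge to the victim and the victim’s response back to the target, then tries to use the session. The key derivations (NTOWFv2, NTProofStr, SessionBaseKey) follow the NTLM specification; the per-request signature is simplified to an HMAC-MD5 over the request, and the NT hash, account and host names are constructed values, not derived from any real password or system.

```python
"""Toy model of an NTLMv2 relay and of why session signing defeats it.

Added example, not from the original article. Key derivations follow
MS-NLMP; request signing is simplified to HMAC-MD5(session_key, request).
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

USER, DOMAIN = "alice", "CORP"
# Constructed NT hash for the demo account: arbitrary bytes, not derived from
# any real password. In a domain only the DC (and the victim, who knows the
# password) holds this; the relay attacker never sees it.
NT_HASH = bytes.fromhex("3f1b9e0a7c4d5e6f8a9b0c1d2e3f4051")


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 hash: HMAC-MD5 keyed with the NT hash over UPPER(user)+domain in UTF-16LE."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt_hash: bytes, server_challenge: bytes, blob: bytes) -> Tuple[bytes, bytes]:
    """Return (NTProofStr, SessionBaseKey) for a server challenge and client blob."""
    v2 = ntowf_v2(nt_hash, USER, DOMAIN)
    nt_proof = hmac.new(v2, server_challenge + blob, hashlib.md5).digest()
    session_key = hmac.new(v2, nt_proof, hashlib.md5).digest()
    return nt_proof, session_key


def sign(session_key: bytes, request: bytes) -> bytes:
    """Simplified message signature (real NTLM signing also covers a sequence number)."""
    return hmac.new(session_key, request, hashlib.md5).digest()[:8]


class Target:
    """Server the attacker wants to reach. Verifies responses with the NT hash
    (in a real domain the DC does this on the server's behalf)."""

    def __init__(self, require_signing: bool):
        self.require_signing = require_signing
        self.challenge = b""
        self.session_key: Optional[bytes] = None

    def new_challenge(self) -> bytes:
        self.challenge = os.urandom(8)
        return self.challenge

    def authenticate(self, blob: bytes, nt_proof: bytes) -> bool:
        expected, key = ntlmv2_response(NT_HASH, self.challenge, blob)
        if not hmac.compare_digest(expected, nt_proof):
            return False
        self.session_key = key
        return True

    def handle(self, request: bytes, signature: Optional[bytes]) -> bool:
        """Accept a request on an authenticated session; a valid MAC is demanded only when enforced."""
        if self.session_key is None:
            return False
        if not self.require_signing:
            return True
        return signature is not None and hmac.compare_digest(sign(self.session_key, request), signature)


class Victim:
    """Client that knows the secret and answers whatever challenge it is handed."""

    def __init__(self):
        self.session_key = b""

    def answer(self, server_challenge: bytes) -> Tuple[bytes, bytes]:
        blob = b"\x01\x01" + b"\x00" * 6 + os.urandom(8)  # simplified NTLMv2 client blob
        nt_proof, self.session_key = ntlmv2_response(NT_HASH, server_challenge, blob)
        return blob, nt_proof


def relay(target: Target, victim: Victim, request: bytes) -> bool:
    """Attacker: forward the target's challenge to the victim and the victim's
    response back to the target, then try to use the resulting session."""
    challenge = target.new_challenge()
    blob, nt_proof = victim.answer(challenge)       # victim believes it spoke to a real server
    if not target.authenticate(blob, nt_proof):
        return False                                  # authentication itself is accepted...
    # ...but the attacker only saw challenge, blob and NTProofStr. The session key is
    # HMAC(NTOWFv2, NTProofStr) and NTOWFv2 needs NT_HASH, so nothing can be signed.
    return target.handle(request, None)


def legitimate(target: Target, victim: Victim, request: bytes) -> bool:
    """Same exchange with nobody in the path: the real client can sign."""
    blob, nt_proof = victim.answer(target.new_challenge())
    return target.authenticate(blob, nt_proof) and target.handle(request, sign(victim.session_key, request))


def demo() -> dict:
    v, req = Victim(), b"SMB2 TREE_CONNECT \\\\fs01\\c$"
    return {
        "relay, signing not required": relay(Target(False), v, req),
        "relay, signing required": relay(Target(True), v, req),
        "legitimate client, signing required": legitimate(Target(True), v, req),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The third case is the one to show to anyone who worries that requiring signing will break clients: a genuine client derives the same session key the server does and signs without difficulty; only the party that never knew the secret is locked out.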
Expert Commentary
Name: William Fieldhouse
Title: Director of Aardwolf Security Ltd
Comments: Almost every internal engagement I run includes a successful relay attack of some sort. The technique is mature, the tools are public, and the conditions to exploit it remain common. The fix is well understood: enable SMB signing everywhere, disable LLMNR and NBT-NS, prefer LDAPS over LDAP. The reason it persists is sheer inertia.

LDAP Signing Has Similar Issues
LDAP authentication suffers from a parallel set of relay risks. By default, domain controllers accept NTLM authentication over LDAP without requiring signing, and over LDAPS without requiring channel binding, so a relayed authentication lets an attacker query the directory as the victim and, where the victim holds the rights, modify it (adding a computer account or rewriting the ACL on an object are the usual goals). Two distinct controls close this: LDAP signing, which protects plain LDAP the way SMB signing protects SMB, and channel binding (Extended Protection for Authentication), which ties the NTLM exchange to the TLS channel so that a response relayed from elsewhere is rejected over LDAPS. Moving clients to LDAPS on its own does not help; an attacker relays to port 636 as readily as to 389 unless channel binding is enforced. Microsoft ships both settings as group policies ("Domain controller: LDAP server signing requirements" and "Domain controller: LDAP server channel binding token requirements", backed by the LDAPServerIntegrity and LdapEnforceChannelBinding values under the NTDS parameters key), but both default to off and commonly remain so in environments that have not been recently reviewed.
WebDAV and HTTP Relay Variants
Beyond SMB and LDAP, NTLM authentication can be coerced over HTTP, particularly through WebDAV (which needs the WebClient service running on the victim) and through Microsoft services that can be made to authenticate outward on demand. Attacks that abuse the Print Spooler (the MS-RPRN "PrinterBug"), the EFSRPC interface (PetitPotam), Exchange Autodiscover endpoints, and various other RPC interfaces have featured prominently in research over the past few years. HTTP-originated authentication matters for a specific reason: an NTLM exchange that starts from an SMB client negotiates signing and is rejected when relayed to LDAP, whereas one that starts from WebDAV or a browser does not, which is why coercing a victim over HTTP is the usual route into a domain controller’s LDAP service. Each new variation has its own conditions, but the underlying pattern stays consistent: coerce authentication, relay to a target, abuse the resulting access.
Detection Helps But Prevention Is Better
Network monitoring for unusual authentication patterns, particularly bursts of logons from a single source address against multiple targets under several different accounts, can catch relay attacks in progress. Two indicators are worth building on. The first is a mismatch in Security event 4624 (logon type 3, authentication package NTLM): the Workstation Name field is supplied by the client inside the NTLM messages and carries the victim’s hostname, while the Source Network Address belongs to the attacker’s box that actually opened the TCP connection. The second is fan-out, one source address authenticating to many hosts within a short window. Enabling NTLM auditing on domain controllers (event 8004 in the NTLM operational log) records every NTLM authentication the DC validates together with the server it was for, which is the cleanest place to see relays aimed at LDAP. The detection requires tuning, since noise from legitimate Windows operations, NAT gateways, VPN concentrators and jump hosts is constant, but it provides an additional safety net when prevention has gaps. Centralised authentication logs, monitored carefully, surface anomalies that local logs miss.
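The two indicators above, run over sample records, as an added example that is not code from the original article. The records and the asset inventory are constructed; the field names mirror what a SIEM exports from Security event 4624 (account, workstation name, source address, target host) for logon type 3 with the NTLM package. The thresholds and window are assumptions to tune against your own baseline.

```python
"""Relay indicators over Windows logon (4624) records.

Added example, not from the original article. Records and inventory are
constructed; field names mirror Security event 4624 (logon type 3, NTLM).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed inventory: the address each workstation name should originate from.
INVENTORY = {"WS-ALICE": "10.0.1.20", "WS-BOB": "10.0.1.21", "WS-CAROL": "10.0.1.22"}

# Constructed 4624 records. 10.0.9.99 relays alice's and bob's authentication
# to three servers within a few seconds; the other rows are normal activity.
EVENTS = [
    {"ts": "2026-01-14T09:00:01", "target": "FS01", "account": "alice", "workstation": "WS-ALICE", "src_ip": "10.0.1.20"},
    {"ts": "2026-01-14T09:00:05", "target": "FS01", "account": "bob", "workstation": "WS-BOB", "src_ip": "10.0.1.21"},
    {"ts": "2026-01-14T09:02:10", "target": "FS01", "account": "alice", "workstation": "WS-ALICE", "src_ip": "10.0.9.99"},
    {"ts": "2026-01-14T09:02:11", "target": "SQL01", "account": "alice", "workstation": "WS-ALICE", "src_ip": "10.0.9.99"},
    {"ts": "2026-01-14T09:02:12", "target": "APP02", "account": "alice", "workstation": "WS-ALICE", "src_ip": "10.0.9.99"},
    {"ts": "2026-01-14T09:02:30", "target": "FS01", "account": "bob", "workstation": "WS-BOB", "src_ip": "10.0.9.99"},
    {"ts": "2026-01-14T09:30:00", "target": "FS01", "account": "carol", "workstation": "WS-CAROL", "src_ip": "10.0.1.22"},
]

WINDOW = timedelta(seconds=60)   # assumed window; tune against your baseline
FANOUT_THRESHOLD = 3             # assumed: distinct (account, target) pairs per window


def workstation_mismatch(ev: dict, inventory: Dict[str, str] = INVENTORY) -> bool:
    """Workstation Name comes from the NTLM AUTHENTICATE message (the victim);
    Source Network Address is whoever opened the TCP connection (the relay).
    A known workstation name arriving from the wrong address is the tell."""
    expected = inventory.get(ev["workstation"].upper())
    return expected is not None and expected != ev["src_ip"]


def fanout(events: List[dict], window: timedelta = WINDOW,
           threshold: int = FANOUT_THRESHOLD) -> Dict[str, int]:
    """Source addresses that reach >= threshold distinct (account, target) pairs
    inside any sliding window; value is the largest such count seen."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src_ip"]].append((datetime.fromisoformat(ev["ts"]), ev["account"], ev["target"]))
    hits: Dict[str, int] = {}
    for src, rows in by_src.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            pairs = {(acct, tgt) for _, acct, tgt in rows[start:end + 1]}
            if len(pairs) >= threshold:
                hits[src] = max(hits.get(src, 0), len(pairs))
    return hits


def relay_alerts(events: List[dict], inventory: Dict[str, str] = INVENTORY) -> Dict[str, List[str]]:
    """Combine both indicators; returns {source_ip: [reasons]} for suspicious sources."""
    fan = fanout(events)
    reasons: Dict[str, set] = defaultdict(set)
    for ev in events:
        src = ev["src_ip"]
        if workstation_mismatch(ev, inventory):
            reasons[src].add("workstation/ip mismatch")
        if src in fan:
            reasons[src].add(f"fan-out: {fan[src]} account/target pairs within {int(WINDOW.total_seconds())}s")
    return {src: sorted(r) for src, r in reasons.items()}


if __name__ == "__main__":
    for src, why in relay_alerts(EVENTS).items():
        print(src, "->", "; ".join(why))
```

The mismatch check is the higher-fidelity signal but depends on an inventory that is actually current; the fan-out check needs no inventory but is exactly what backup agents, vulnerability scanners and monitoring hosts look like, so allow-list those sources before paging anyone.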
What to Do This Quarter
Audit your SMB signing configuration across all servers and workstations. Enforce signing through group policy where it is currently advisory: the controls are "Microsoft network server: Digitally sign communications (always)" and "Microsoft network client: Digitally sign communications (always)", which set RequireSecuritySignature under the LanmanServer and LanmanWorkstation parameters; the "(if client agrees)" variants do nothing against a relay, because the attacker never agrees. Disable LLMNR ("Turn off multicast name resolution" under the DNS Client administrative template) and NetBIOS over TCP/IP on every adapter. Enable LDAP signing and channel binding on domain controllers, using the DC’s LDAP interface diagnostic events to find clients that still bind unsigned before you flip the switch. Test the resulting configuration from an unprivileged host to confirm coverage rather than trusting that the policy applied cleanly. Engage a penetration testing company for an internal review and the relay paths through your environment will become visible quickly. The fix is rarely expensive. The discipline of actually applying it is what separates resilient networks from breached ones.