> responder -I eth0 && hashcat -m 5600 hashes.txt rockyou.txt_
The tester plugs a laptop into a network port in a meeting room. They run a single tool — Responder — and wait. Within ninety seconds, a workstation on the same subnet broadcasts an LLMNR query for a hostname that doesn't exist in DNS. Responder answers the query, pretending to be the requested host. The workstation, trusting the response, sends its authentication attempt — including the logged-in user's NetNTLMv2 hash.
The tester copies the captured hash into hashcat. The password — Summer2025! — cracks in under four minutes against a standard wordlist with common mutations. The tester now has a valid domain credential. They authenticate to the network, enumerate Active Directory, and begin the escalation path that, in 85% of our internal engagements, ends at Domain Admin.
No vulnerability was exploited. No software was compromised. No zero-day was required. The attack worked because the network uses authentication protocols and broadcast resolution mechanisms that were designed decades ago — and never disabled.
NTLM authentication was introduced with Windows NT in 1993. NTLMv2, its stronger successor, arrived in 1998. Both remain enabled by default in modern Windows environments. In 2025, enterprises are protecting their crown jewels with a protocol that predates the widespread adoption of the internet — not because there isn't a better option, but because nobody has turned the old one off.
Understanding why NetNTLMv2 hashes are vulnerable requires understanding the protocol they come from. NTLM is a challenge-response authentication protocol — the server issues a challenge, the client responds with a cryptographic proof derived from the user's password, and the server validates the proof. The password itself never crosses the network.
That sounds secure. The problem isn't in the concept — it's in the implementation details and the ecosystem of protocols that trigger NTLM authentication in the first place.
| Step | What Happens | Where the Weakness Lives |
|---|---|---|
| 1. Negotiate | The client tells the server it wants to authenticate using NTLM. Flags are exchanged indicating supported features. | NTLM is often used as a fallback when Kerberos fails — which happens more often than administrators realise (IP-based access, non-domain-joined devices, misconfigured SPNs). The fallback is silent and automatic. |
| 2. Challenge | The server responds with a randomly-generated 8-byte challenge (the nonce). | The challenge is transmitted in the clear. An attacker monitoring traffic has it. |
| 3. Response | The client computes the NetNTLMv2 hash: an HMAC-MD5 of the server challenge, a client challenge, a timestamp, and the user's NT hash (the MD4 hash of their password). The response is sent to the server. | The NetNTLMv2 response is capturable from the network. It contains enough information to mount an offline brute-force attack. If the underlying password is weak, the hash will crack. |
| 4. Validation | The server (or the domain controller, if the server forwards the authentication) recomputes the expected response using its copy of the user's NT hash and compares it to the client's response. | In a relay attack, the attacker doesn't need to crack the hash at all — they forward the challenge and response to a different server in real time, authenticating as the victim without knowing their password. |
The NetNTLMv2 hash — the response in Step 3 — is not a static password hash like NTLM. It's challenge-specific, so it can't be used directly for pass-the-hash attacks. But it can be cracked offline to recover the plaintext password, and it can be relayed in real time to authenticate to other services. Both attacks are trivially executed with standard tools.
The most common method for capturing NetNTLMv2 hashes on an internal network doesn't require compromising a machine, exploiting a vulnerability, or even having valid credentials. It exploits broadcast name resolution protocols — LLMNR, NBT-NS, and mDNS — that exist for backwards compatibility and are enabled by default in virtually every Windows enterprise environment.
| Protocol | What It Does | Why It's Dangerous |
|---|---|---|
| LLMNR (Link-Local Multicast Name Resolution) | When DNS fails to resolve a hostname, Windows falls back to LLMNR — broadcasting the query to the local subnet. Any device on the subnet can respond. | An attacker running Responder answers the broadcast query, claiming to be the requested host. The querying machine then sends its NTLM authentication to the attacker. The hash is captured without any interaction with the target machine. |
| NBT-NS (NetBIOS Name Service) | An even older fallback protocol. When both DNS and LLMNR fail, Windows broadcasts a NetBIOS name query. Like LLMNR, any device on the subnet can respond. | Same attack as LLMNR — Responder poisons the response and captures the NTLM authentication. NBT-NS is older, less encrypted, and even easier to abuse. |
| mDNS (Multicast DNS) | Used primarily by Apple devices and some Linux services for local name resolution. Broadcasts queries to the multicast group. | Same poisoning principle. In mixed-OS environments, mDNS extends the attack surface beyond Windows machines. |
| WPAD (Web Proxy Auto-Discovery) | Windows machines search for a WPAD server to auto-configure proxy settings. The search follows the DNS → LLMNR → NBT-NS fallback chain. | Responder claims to be the WPAD server, responds with a proxy configuration that forces the machine to authenticate — delivering the hash. WPAD poisoning is especially effective because it triggers automatically on boot and at regular intervals. |
The attack is entirely passive from the target's perspective. No process is injected, no service is exploited, no file is created. The victim machine broadcasts a query, the attacker answers it, and the machine voluntarily sends its credentials. This is not a sophisticated attack — it's a fundamental design consequence of protocols that assume every device on the local network is trustworthy.
Fifteen minutes. Fourteen credentials. Two service accounts — one of which, as the engagement would later reveal, had Backup Operator privileges sufficient to extract the entire Active Directory database from the domain controller.
A captured NetNTLMv2 hash is a cryptographic proof derived from the user's password. To recover the password, the attacker must try candidate passwords until one produces the same hash. This sounds computationally expensive — and it was, in 2003. In 2025, consumer-grade GPUs crack NetNTLMv2 hashes at rates that make all but the strongest passwords trivially recoverable.
| Hardware | NetNTLMv2 Crack Rate | Time to Exhaust 8-Character Alphanumeric |
|---|---|---|
| Single NVIDIA RTX 4090 | ~24 billion HMAC-MD5 attempts/second | Under 1 hour |
| Dual RTX 4090 workstation | ~48 billion attempts/second | Under 30 minutes |
| Cloud GPU cluster (8× A100) | ~150 billion attempts/second | Under 10 minutes |
| Dedicated cracking rig (8× RTX 4090) | ~190 billion attempts/second | Under 8 minutes |
Those numbers are for exhaustive brute-force of every possible 8-character combination. In practice, attackers don't brute-force randomly. They use wordlists compiled from billions of breached passwords, combined with rule sets that apply common mutations: Summer → Summer2025! → $umm3r2025!. A password that meets your complexity policy — uppercase, lowercase, number, special character, 10+ characters — often cracks in seconds because it follows a human-predictable pattern.
Eleven of fourteen hashes cracked. Seven in under 12 seconds. Two service accounts — both with passwords that hadn't changed in years, both following the pattern [Function][Year][Symbol]. A 79% crack rate is not unusual; across our internal engagement portfolio, we typically crack between 60% and 85% of captured NetNTLMv2 hashes within the first hour.
Cracking recovers the plaintext password. But there's an even faster attack: relaying. Instead of capturing the hash and cracking it offline, the attacker forwards the authentication in real time to a different server — authenticating as the victim without ever knowing their password.
| Relay Variant | How It Works | Prerequisite |
|---|---|---|
| SMB relay | The attacker captures the NTLM authentication from the victim (via LLMNR/NBT-NS poisoning) and immediately relays it to an SMB service on another machine. If the victim has local admin on the target, the attacker gains a shell. | SMB signing must be disabled or not required on the target machine. SMB signing is disabled by default on Windows workstations and member servers — only domain controllers require it by default. |
| LDAP/LDAPS relay | The authentication is relayed to the LDAP service on a domain controller. The attacker can then perform AD operations — adding themselves to groups, creating computer accounts, modifying ACLs — as the victim. | LDAP signing and channel binding must not be enforced. Many environments still have LDAP signing set to "not required" — the default prior to recent Windows Server updates. |
| HTTP relay | The authentication is relayed to a web application that accepts NTLM authentication (Exchange, ADFS, internal web apps). The attacker accesses the application as the victim. | The target web application must accept NTLM authentication and not enforce EPA (Extended Protection for Authentication). |
| Cross-protocol relay | The authentication captured via one protocol (e.g. HTTP) is relayed to a different protocol (e.g. LDAP). Tools like ntlmrelayx handle the protocol translation automatically. | The target protocol must not enforce signing or channel binding. Cross-protocol relay extends the attack surface significantly — a hash captured from a browser can compromise Active Directory. |
Relay attacks are instant — no cracking time, no GPU cost, no password complexity consideration. A 40-character randomly-generated password is equally vulnerable to relay as a 6-character dictionary word. The defence against relay is not stronger passwords — it's protocol-level controls: SMB signing, LDAP signing, EPA, and ultimately, eliminating NTLM entirely.
Microsoft has recommended against NTLM authentication for over a decade. Kerberos — the preferred authentication protocol in Active Directory since Windows 2000 — is stronger in every meaningful dimension. So why does NTLM remain enabled in virtually every enterprise we assess?
Every one of these reasons is understandable. None of them is a justification for continuing to expose the organisation to an attack technique that succeeds in under five minutes in the majority of internal pen tests. The reasons explain why NTLM persists. They don't explain why it should.
The path away from NTLM isn't a single switch — it's a layered strategy that addresses the protocol itself, the broadcast resolution mechanisms that enable capture, the signing controls that prevent relay, and the password policies that determine cracking resistance.
| Control | What It Does | Implementation Priority |
|---|---|---|
| Disable LLMNR and NBT-NS | Eliminates the broadcast poisoning vector entirely. Without LLMNR/NBT-NS, the attacker cannot capture hashes by answering broadcast queries. Disable via Group Policy: Computer Configuration → Administrative Templates → Network → DNS Client → Turn Off Multicast Name Resolution. Disable NBT-NS per interface or via DHCP option. | Immediate — this is the single most impactful change. It eliminates the primary hash capture vector with minimal operational impact in environments with functioning DNS. |
| Enforce SMB signing | Requires all SMB communication to be digitally signed, preventing relay attacks against SMB services. Enable via Group Policy: Microsoft network server: Digitally sign communications (always) and Microsoft network client: Digitally sign communications (always). | Immediate — breaks SMB relay, the most common relay variant. Minor performance impact (1–3%) that is negligible on modern hardware. Test with legacy devices and printers first. |
| Enforce LDAP signing and channel binding | Requires LDAP communications to be signed and bound to the TLS channel, preventing LDAP relay attacks. Configure on domain controllers: Domain controller: LDAP server signing requirements → Require signing. Enable channel binding via registry. | High — blocks LDAP relay. Audit LDAP clients first (many legacy applications use unsigned LDAP binds). Microsoft has moved toward requiring this by default in recent Windows Server updates. |
| Enable Extended Protection for Authentication (EPA) | Binds NTLM authentication to the TLS channel, preventing relay to HTTPS services (Exchange, ADFS, web apps). Configure per application. | High — specifically protects Exchange and other HTTPS-authenticated services against relay. Microsoft has enabled EPA by default on Exchange starting with the February 2024 security update. |
| Audit NTLM usage | Enable NTLM auditing via Group Policy: Network security: Restrict NTLM: Audit NTLM authentication in this domain and Audit Incoming NTLM Traffic. Monitor Event IDs 8001–8004 to identify which systems, users, and applications are still using NTLM. | High — visibility is the prerequisite for restriction. Without auditing, you can't safely restrict NTLM because you don't know what depends on it. |
| Restrict and then disable NTLM | Once auditing reveals all NTLM dependencies and they've been remediated (migrated to Kerberos, upgraded, or exempted), restrict NTLM via Group Policy: Network security: Restrict NTLM: NTLM authentication in this domain → Deny all with targeted exceptions. | Medium-term — the ultimate goal. Requires the auditing and remediation steps above. Microsoft has signalled that NTLM will be deprecated in future Windows versions — getting ahead of this is strategic investment. |
| Enforce Kerberos with AES encryption | Ensure Kerberos is the primary authentication protocol and that it uses AES-256 encryption rather than the older RC4 (which uses the same NT hash as NTLM and is vulnerable to Kerberoasting). Disable RC4 via Group Policy: Network security: Configure encryption types allowed for Kerberos — enable AES128 and AES256 only. | High — eliminates the RC4 Kerberoasting path. Test thoroughly: some legacy systems and trusts require RC4. Service accounts must have their passwords reset after AES is enforced to generate AES keys. |
| Implement strong password policies for service accounts | Service accounts should use Group Managed Service Accounts (gMSAs) with 120-character automatically-rotating passwords, or if gMSAs aren't possible, minimum 25-character randomly-generated passwords stored in a PAM vault and rotated annually. | High — service account credentials are the most valuable targets for Kerberoasting and hash cracking. A gMSA password is computationally impossible to crack. A human-chosen password for a service account is almost certainly crackable. |
Disabling NTLM overnight in a production environment is not realistic. But a phased, audited, tested approach is entirely achievable — and the hardening that happens at each phase delivers measurable risk reduction long before the final goal of full NTLM elimination is reached.
Phase 1 alone — achievable in a fortnight with minimal operational risk — eliminates approximately 70% of the hash capture and relay attack surface. It's the highest-return security investment most enterprises can make, and it costs nothing beyond a few hours of Group Policy configuration.
Microsoft has signalled increasingly clearly that NTLM's days are numbered. In 2023, Microsoft announced that NTLM would be deprecated in future versions of Windows. Windows 11 24H2 introduced Kerberos IAKerb and Local KDC extensions specifically to cover scenarios that previously forced NTLM fallback — non-domain-joined devices, IP-based access, and local account authentication.
The trajectory is unmistakable: Microsoft is systematically removing the technical reasons for NTLM's existence. When NTLM is finally disabled by default in a future Windows release, organisations that haven't prepared will face a choice between emergency remediation and disabling the security control — the same pattern that has kept NTLM alive for decades.
| Microsoft Action | What It Means for You |
|---|---|
| NTLM formally deprecated (2024) | Microsoft no longer considers NTLM a supported, recommended protocol. It will receive security patches but no feature development. Begin planning your migration now — not when the deprecation becomes removal. |
| IAKerb extension (Windows 11 24H2) | Kerberos can now authenticate to non-domain-joined devices and in scenarios that previously required NTLM fallback. One of the primary technical excuses for keeping NTLM has been removed. |
| Local KDC for local account authentication | Local accounts can now authenticate via Kerberos using a local KDC on the device, eliminating another NTLM dependency. Windows is being rebuilt to make Kerberos work everywhere NTLM was required. |
| LDAP signing required by default (ongoing rollout) | Recent Windows Server updates have moved toward enforcing LDAP signing by default, closing the relay vector at the protocol level. Organisations that haven't prepared will experience application failures when the update applies. |
| EPA enabled by default on Exchange (2024) | Extended Protection for Authentication is now on by default for Exchange, preventing HTTP-to-LDAP relay via Exchange — the attack path behind ProxyNotShell and similar vulnerabilities. |
NetNTLMv2 hash capture and cracking is not a sophisticated attack. It requires no vulnerabilities, no exploits, and no special access — just a laptop on the network and a few minutes of patience. It works because enterprises run broadcast name resolution protocols that trust every device on the subnet, authentication protocols that expose crackable credentials to anyone listening, and password policies that produce predictable, human-patterned passwords that modern GPUs defeat in seconds.
The defences are available, well-documented, and free: disable LLMNR and NBT-NS, enforce SMB signing, enforce LDAP signing and channel binding, audit NTLM usage, restrict NTLM with exceptions, and ultimately disable it entirely. Phase 1 takes a fortnight and eliminates the majority of the attack surface. The full roadmap takes 6–12 months and removes NTLM entirely.
Microsoft is deprecating NTLM. The replacement protocols are ready. The only question is whether your organisation eliminates the risk proactively — on your timeline, with proper testing and controlled rollout — or reactively, when a pen test demonstrates Domain Admin in 90 minutes, or worse, when an attacker demonstrates it for real.
Our internal penetration tests specifically assess NTLM exposure, broadcast protocol poisoning, relay attack viability, and credential cracking resistance — delivering a clear picture of your authentication risk and a prioritised remediation roadmap.