
Old tech, new vulnerabilities - NTLM abuse, ongoing exploitation in 2025

Microsoft’s NTLM authentication protocol, although largely superseded by Kerberos, remains a persistent security risk: it is still enabled in legacy systems, and it is the fallback Windows uses whenever Kerberos cannot be negotiated (a target addressed by IP, a missing SPN, a non-domain-joined host), so it is easy to leave in place without noticing. Attackers are still actively exploiting NTLM weaknesses, which makes it critical for security professionals to understand both the older and the emerging attack techniques.

NTLM relay attacks, in which the attacker intercepts an NTLM authentication and forwards it to another service to act as the victim, remain effective despite being a long-standing threat. The attacker first needs a victim to authenticate to a host it controls, typically by poisoning LLMNR/NBT-NS name resolution or spoofing ARP on the same network segment, or by coercing a server into authenticating outward. Responder (for poisoning and capture) and Impacket’s ntlmrelayx.py (for relaying) are the tools commonly used. Even when relaying is blocked, the captured material is still valuable: an NTLMv2 challenge/response (Net-NTLMv2) cannot be passed to another service, but it can be cracked offline with Hashcat or John the Ripper, which is why strong password policies and multi-factor authentication still matter. The decisive factor for relay is signing. A relay succeeds against any target that does not require SMB signing, because the attacker never obtains the session key needed to sign the traffic it forwards; signing is required by default only on domain controllers, so member servers are the usual targets, and attackers steer victims toward services where signing is not enforced.

Several mitigations defend against NTLM-based attacks. Disabling NTLM in favor of Kerberos is the most effective, although it may not be feasible where legacy applications still depend on it; the “Network security: Restrict NTLM” policies let an organization audit NTLM use first and deny it only once the audit log is clean. Requiring SMB signing defeats relay to SMB by guaranteeing session integrity, since the relaying attacker never holds the session key. Extended Protection for Authentication (EPA) protects HTTP and other TLS-wrapped services by binding the NTLM exchange to the outer TLS channel (channel binding) or to the target service principal name (service binding), so an authentication relayed to a different endpoint fails validation. Firewalls should block outbound SMB (TCP 445) and other NTLM-carrying traffic at the network edge so that a poisoned or coerced client cannot leak credentials to a relay host outside the network. Continuous monitoring of NTLM authentication activity, for example Security event 4624 with an NTLM authentication package or the NTLM audit events, is crucial for early detection and response.
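The mitigations above, as an added PowerShell example that is not code from the Securelist article or this post: it audits one Windows host for the relay defenses just described and, on request, enforces them. The registry values are the documented backing keys for the “Network security: Restrict NTLM” policies; the firewall rule name and the IIS site parameter are illustrative assumptions, and the `-DenyNtlm` switch is deliberately off by default so NTLM is audited before it is refused.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Securelist article): audit the NTLM-relay
# mitigations on this host and optionally enforce them.
# Assumptions: the firewall rule name and the IIS site name are illustrative.

$Msv10 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # absent value means the policy is "not configured"
}

function Test-NtlmRelayHardening {
    # One row per control: what is set now versus what stops relay.
    $rows = @(
        # Required signing makes a relayed SMB session useless: the attacker never
        # holds the session key needed to sign the traffic it forwards.
        [pscustomobject]@{ Control = 'SMB server: RequireSecuritySignature'
            Current = (Get-SmbServerConfiguration).RequireSecuritySignature; Desired = $true }
        [pscustomobject]@{ Control = 'SMB client: RequireSecuritySignature'
            Current = (Get-SmbClientConfiguration).RequireSecuritySignature; Desired = $true }
        # Outgoing NTLM to remote servers: 0 = allow, 1 = audit, 2 = deny
        [pscustomobject]@{ Control = 'RestrictSendingNTLMTraffic'
            Current = Get-RegDword $Msv10 'RestrictSendingNTLMTraffic'; Desired = 2 }
        # Incoming NTLM: 0 = allow, 1 = deny domain accounts, 2 = deny all accounts
        [pscustomobject]@{ Control = 'RestrictReceivingNTLMTraffic'
            Current = Get-RegDword $Msv10 'RestrictReceivingNTLMTraffic'; Desired = 2 }
        # Blocking outbound SMB stops a poisoned or coerced client from leaking
        # credentials to a relay host outside the network.
        [pscustomobject]@{ Control = 'Outbound TCP/445 to Internet blocked'
            Current = [bool](Get-NetFirewallRule -DisplayName 'Block outbound SMB to Internet' -ErrorAction SilentlyContinue)
            Desired = $true }
    )
    foreach ($r in $rows) {
        $r | Add-Member -NotePropertyName Compliant -NotePropertyValue ($r.Current -eq $r.Desired) -PassThru
    }
}

function Set-NtlmRelayHardening {
    param(
        [switch]$DenyNtlm,   # default is audit-only; deny once the NTLM audit log is clean
        [string]$IisSite     # optional: IIS site that should require EPA (assumed name)
    )
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

    $send = if ($DenyNtlm) { 2 } else { 1 }
    New-ItemProperty -Path $Msv10 -Name RestrictSendingNTLMTraffic -Value $send -PropertyType DWord -Force | Out-Null
    # Audit incoming NTLM for all accounts (Microsoft-Windows-NTLM/Operational log, events 8001-8004)
    New-ItemProperty -Path $Msv10 -Name AuditReceivingNTLMTraffic -Value 2 -PropertyType DWord -Force | Out-Null
    if ($DenyNtlm) {
        New-ItemProperty -Path $Msv10 -Name RestrictReceivingNTLMTraffic -Value 2 -PropertyType DWord -Force | Out-Null
    }

    if (-not (Get-NetFirewallRule -DisplayName 'Block outbound SMB to Internet' -ErrorAction SilentlyContinue)) {
        # "Internet" is a keyword address set on current Windows builds; substitute
        # explicit non-RFC1918 ranges on builds that do not accept it.
        New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet' -Direction Outbound `
            -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Action Block | Out-Null
    }

    if ($IisSite) {
        # EPA for IIS Windows authentication: tokenChecking=Require binds the NTLM
        # exchange to the TLS channel (channel binding) or to the target SPN
        # (service binding), so a response relayed from elsewhere fails validation.
        Import-Module WebAdministration
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $IisSite `
            -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
            -Name 'tokenChecking' -Value 'Require'
    }
}

Test-NtlmRelayHardening | Format-Table -AutoSize
```

Run the audit first and look at the `Compliant` column; then `Set-NtlmRelayHardening` (audit mode) and review the NTLM operational log for a few weeks before re-running it with `-DenyNtlm`. Requiring SMB signing on a server breaks clients that cannot sign, and requiring EPA breaks HTTP clients that do not send channel bindings, so both are worth staging the same way.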

Emerging attack techniques, such as NTLM downgrade attacks and the exploitation of weak cipher settings, pose future threats. A downgrade attack pushes a client into an older, weaker version of the protocol: an NTLMv1 response is built on DES and can be broken to recover the account’s NT hash regardless of password strength, which in turn enables pass-the-hash, and relaying a downgraded exchange is easier as well. Disabling LM and NTLMv1 and requiring NTLMv2 (LmCompatibilityLevel 5), together with requiring NTLMv2 session security and 128-bit encryption for both client and server, are essential mitigations. The Print Spooler service, historically a source of vulnerabilities such as PrintNightmare, remains an NTLM attack vector: its RPC interface can be coerced into authenticating to an attacker-chosen host, which feeds relay attacks.

To minimize the NTLM attack surface, organizations should disable the Print Spooler service wherever it is not required (domain controllers and most servers), keep it patched where it must stay, and restrict who can reach its RPC interface. Applied together, these mitigations significantly reduce the risk of compromise from NTLM-based attacks, both now and in the future.
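Before refusing NTLMv1 it pays to know which clients still send it, since LmCompatibilityLevel 5 on a domain controller cuts those clients off. The following is an added PowerShell example, not code from the Securelist article or this post: it lists the NTLM logons a host has accepted (flagging NTLMv1 and LM), checks the downgrade-related settings and the Print Spooler state discussed in the last two paragraphs, and offers the matching hardening. The 7-day window and the exported-log option are illustrative assumptions; reading the Security log needs elevation.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Securelist article): find NTLMv1/LM logons before
# disabling them, and audit/enforce the downgrade and Print Spooler mitigations.
# Assumptions: 7-day window and the optional .evtx path are illustrative.

function Get-NtlmLogon {
    param(
        [int]$Days = 7,
        [string]$EvtxPath     # optional: parse an exported Security log instead of the live one
    )
    $filter = @{ Id = 4624 }
    if ($EvtxPath) { $filter.Path = $EvtxPath }
    else { $filter.LogName = 'Security'; $filter.StartTime = (Get-Date).AddDays(-$Days) }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4624 stores its fields as <Data Name="..."> elements; flatten them first
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Kerberos logons report LmPackageName "-"; NTLM ones report "LM", "NTLM V1" or "NTLM V2"
        if ($d['AuthenticationPackageName'] -eq 'NTLM') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                SourceIp    = $d['IpAddress']
                Workstation = $d['WorkstationName']
                LmPackage   = $d['LmPackageName']
                LogonType   = $d['LogonType']
                Weak        = $d['LmPackageName'] -in @('LM', 'NTLM V1')
            }
        }
    }
}

function Test-NtlmDowngradeExposure {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $read = { param($Path, $Name)
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null } }

    # LmCompatibilityLevel: 3 (the unconfigured default) sends only NTLMv2 but still
    # ACCEPTS NTLMv1 from clients; only 5 refuses LM and NTLMv1 responses.
    $level  = & $read $lsa 'LmCompatibilityLevel'
    # NTLMMinClientSec / NTLMMinServerSec: 0x20080000 = NTLMv2 session security + 128-bit
    $minCli = & $read "$lsa\MSV1_0" 'NTLMMinClientSec'
    $minSrv = & $read "$lsa\MSV1_0" 'NTLMMinServerSec'
    $spool  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $weak   = @(Get-NtlmLogon | Where-Object Weak)

    $levelText = if ($null -eq $level) { '3 (default)' } else { "$level" }
    $spoolText = if ($spool) { "$($spool.Status)/$($spool.StartType)" } else { 'absent' }
    [pscustomobject]@{
        LmCompatibilityLevel = $levelText
        RefusesNtlmV1        = ($level -eq 5)
        ClientSessionSecOk   = (($minCli -band 0x20080000) -eq 0x20080000)
        ServerSessionSecOk   = (($minSrv -band 0x20080000) -eq 0x20080000)
        SpoolerState         = $spoolText
        NtlmV1Logons         = $weak.Count
        NtlmV1Sources        = ($weak | Select-Object -ExpandProperty SourceIp -Unique) -join ','
    }
}

function Set-NtlmDowngradeHardening {
    param([switch]$DisableSpooler)   # only where the host prints nothing and is not a print server
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -PropertyType DWord -Force | Out-Null
    foreach ($n in 'NTLMMinClientSec', 'NTLMMinServerSec') {
        New-ItemProperty -Path "$lsa\MSV1_0" -Name $n -Value 0x20080000 -PropertyType DWord -Force | Out-Null
    }
    if ($DisableSpooler) {
        Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
        Set-Service -Name Spooler -StartupType Disabled
    }
}

Test-NtlmDowngradeExposure | Format-List
```

`NtlmV1Sources` is the list to fix first: every address there is a client that will stop authenticating once `Set-NtlmDowngradeHardening` raises the level to 5, and it is also the set an attacker can downgrade today. Event 4624 only shows logons this host accepted; for a domain-wide picture, enable the NTLM audit policies on the domain controllers and read the Microsoft-Windows-NTLM/Operational log there instead.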

To read the complete article see: Securelist 😃

This post is licensed under CC BY 4.0 by the author.