AlphaONE Operations
05/21/2026
Twenty-year-old method, an engagement that wrapped up this week, a full pivot across the domain, and not one password cracked.
NTLM relay happens when the network passes a captured authentication off to a destination it was never supposed to reach. The underlying protocol weakness (NTLMSSP doesn't bind the authentication to a target SPN) has been documented since the early 2000s. The remedy (SMB signing) has been available for almost the entire time. Yet signing has remained optional on the server side by default for everything before Server 2025, which is precisely why this attack continues to land on the majority of internal engagements.
Here's the 2026 chain we walked through on a recent client engagement:
- Responder grabs a NetNTLMv2 hash inside of 60 seconds via LLMNR poisoning.
- NetExec `--gen-relay-list` enumerates every host on the segment with signing turned off.
- ntlmrelayx forwards the captured authentication into a file server that doesn't require signing. The relayed user comes through as a local admin.
- ntlmrelayx, by default, auto-dumps the local SAM. We notice matching NT hashes shared between `Administrator` and a `*-adm` secondary admin account, the classic password-reuse-on-the-same-box finding, and also a signal that the same build image has been deployed across the environment.
- `-socks` mode keeps the session resident in memory. proxychains-fronted tooling (secretsdump, evil-winrm, smbclient) runs through it without any password ever being handed to the tool. The SOCKS session itself serves as the credential.
When relay isn't an option (signing enforced across the board), the captured NetNTLMv2 still gets fed to hashcat mode 5600 against rockyou. We've yet to watch that come up empty.
The defender's priority list is short: require SMB signing everywhere, kill LLMNR, NBT-NS and mDNS, kill WPAD, deploy DHCP snooping together with DHCPv6 Guard and RA Guard, roll out LAPS so local admin accounts don't share one password, and finally move NTLM into audit-then-block. A single Group Policy change covers most of the relay attack surface.
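A read-only audit of those host-level settings, as an added example that is not part of the post or its tooling. The registry locations are the documented Windows ones; the expected values reflect the hardened state the list describes, and the `AuditReceivingNTLMTraffic = 2` target is my choice for the "audit" stage of audit-then-block.

```powershell
# Added example: verify that a host carries the relay mitigations the post lists.
# Run elevated; compare the output against what the GPO was supposed to push.
$checks = @(
  @{ Name = 'SMB server signing required'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
     Setting = 'RequireSecuritySignature'; Expected = 1 },
  @{ Name = 'SMB client signing required'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
     Setting = 'RequireSecuritySignature'; Expected = 1 },
  @{ Name = 'LLMNR disabled (EnableMulticast = 0)'
     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
     Setting = 'EnableMulticast'; Expected = 0 },
  @{ Name = 'mDNS disabled (EnableMDNS = 0)'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
     Setting = 'EnableMDNS'; Expected = 0 },
  @{ Name = 'WPAD disabled (WpadOverride = 1)'
     Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad'
     Setting = 'WpadOverride'; Expected = 1 },
  @{ Name = 'Inbound NTLM audited (AuditReceivingNTLMTraffic = 2)'   # assumption: audit-all stage
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
     Setting = 'AuditReceivingNTLMTraffic'; Expected = 2 }
)

function Test-RelayHardening {
  $results = foreach ($c in $checks) {
    # A missing value reads as $null, which is reported as 'not set' and fails the check.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Setting -ErrorAction SilentlyContinue).($c.Setting)
    $shown = if ($null -eq $actual) { 'not set' } else { $actual }
    [pscustomobject]@{ Check = $c.Name; Expected = $c.Expected; Actual = $shown; Pass = ($actual -eq $c.Expected) }
  }
  # NBT-NS is configured per interface: every Tcpip_* subkey must hold NetbiosOptions = 2 (disabled).
  $ifaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' -ErrorAction SilentlyContinue
  $nbt = @($ifaces | ForEach-Object { (Get-ItemProperty $_.PSPath).NetbiosOptions })
  $leftOn = @($nbt | Where-Object { $_ -ne 2 }).Count     # null (DHCP default) counts as still enabled
  $results += [pscustomobject]@{
    Check = 'NetBIOS over TCP/IP disabled on all interfaces'; Expected = 2
    Actual = ($nbt -join ','); Pass = ($nbt.Count -gt 0 -and $leftOn -eq 0)
  }
  return $results
}

Test-RelayHardening | Format-Table -AutoSize
```

Any row with `Pass` false is a host Responder or ntlmrelayx could still use, so feed the failing rows back into the GPO scope rather than fixing them by hand.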
The complete post, including the Responder.conf pre-flight tweaks, the full ntlmrelayx walkthrough (`-c`, default SAM auto-dump, `-socks` plus `-tf` plus proxychains), the offline-cracking fallback, the defender-side event correlation (4624 / 4625 / 8001 / 5145), and the Defender for Identity rule mapping, is linked in the comments.
If a real relay attempt has never been pointed at your network, the exposure is already running.
04/25/2024
We’re all tied to our chargers these days. Learn how to charge effectively with this list of the best charging devices for personal or business use (https://tinyurl.com/3vkek6rn).
Address
Birmingham, AL
35242