NTLM Relay Explained
A quick 1-min reel explaining how NTLM relay works and how attackers exploit it to escalate access from captured credentials.

Hicham El Aaouad
340 views • Nov 7, 2025

About this video
NTLM Relay Explained - Quick Reel (under 1 min)
Why NTLM relay still works, and how attackers use it to escalate from a captured authentication to full compromise - explained in under a minute.
What you'll learn in this reel
• A short, clear breakdown of how NTLM's challenge/response works.
• The core flaw that makes relay attacks possible: the server verifies validity, not origin.
• A real lab example (KAKAROOT) showing how a captured NTLM response from an Exchange server can be relayed to a CA web enrollment service to obtain a certificate and then authenticate as the machine account.
• High-level tools & techniques demonstrated for learning purposes only.
Tools & topics mentioned
NTLM, NTLMv2, SMB, Responder, ntlmrelayx, AD CS / certificate templates, web enrollment, ProxyShell (lab context), cert-based auth (certipy). These are referenced as learning tools - do not use them against systems you don't own or have explicit permission to test.
Want to practice this safely?
If you'd like hands-on practice, do it in isolated labs or virtual ranges (your own AD/Exchange lab). I practiced this on the KAKAROOT lab - check out redsaiyan.com for lab-style content and walkthroughs.
Notes & ethics
This video is for educational and defensive purposes. Never run offensive tools against systems you don't own or have written authorization to test. Misuse is illegal and unethical.
Like the vid?
If this helped, hit LIKE, SUBSCRIBE, and ring the bell - I post short, focused security explainers and lab demos regularly. Want a longer walkthrough of this technique? Say so in the comments and I'll make a deep dive tutorial with a safe lab build.
Follow / Contact
Links & resources are in the pinned comment. If you want me to cover mitigations (how to detect and stop NTLM relay), comment below - that'll be the next video.
Stay curious, hack ethically. - Hicham
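
Added example (not from the video or its author): a toy model of the "validity, not origin" point in the description. HMAC-SHA256 stands in for the NTLMv2 response computation, and every name and value is constructed. It goes one step beyond the list above by also modelling a response bound to the channel, which is the idea behind Extended Protection for Authentication.

```python
import hashlib
import hmac
import os

# Constructed toy model, not real NTLM structures. The shared secret stands
# in for the account's password-derived key known to client and verifier.
SECRET = hashlib.sha256(b"constructed-lab-password").digest()


def client_response(secret, challenge, channel_token=b""):
    """Client proves it knows the secret for this challenge. channel_token
    (an assumption of this model) ties the proof to the channel it sees."""
    return hmac.new(secret, challenge + channel_token, hashlib.sha256).digest()


def server_verify(secret, challenge, response, channel_token=b""):
    """Server recomputes the expected value. With no channel_token the check
    covers only (secret, challenge): validity, not origin."""
    expected = hmac.new(secret, challenge + channel_token, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def forwarded_login(bind_channel):
    """A middle host passes the target's challenge to the client and the
    client's response back to the target. Returns the target's verdict."""
    challenge = os.urandom(8)                     # issued by the target
    client_side = b"channel:client<->middle"      # what the client is on
    target_side = b"channel:middle<->target"      # what the target is on
    if bind_channel:
        resp = client_response(SECRET, challenge, client_side)
        return server_verify(SECRET, challenge, resp, target_side)
    resp = client_response(SECRET, challenge)
    return server_verify(SECRET, challenge, resp)


def direct_login(bind_channel):
    """Client talks straight to the target, so both ends see one channel."""
    challenge = os.urandom(8)
    channel = b"channel:client<->target" if bind_channel else b""
    resp = client_response(SECRET, challenge, channel)
    return server_verify(SECRET, challenge, resp, channel)


if __name__ == "__main__":
    print("forwarded, unbound:", forwarded_login(False))  # accepted
    print("forwarded, bound:  ", forwarded_login(True))   # rejected
    print("direct, bound:     ", direct_login(True))      # accepted
```

The unbound check has no input that identifies who delivered the response, which is why a forwarded answer verifies; once the channel is part of what gets signed, the same forwarded answer fails while a direct login still succeeds.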
Video Information
Views: 340
Likes: 16
Duration: 3:26
Published: Nov 7, 2025