| Attack | NTLMv1 | NTLMv2 | Notes |
|---|---|---|---|
| Offline Cracking | ✅ Yes (hashcat -m 5500) | ✅ Yes (hashcat -m 5600) | Crack captured hashes using brute-force or wordlist attacks. NTLMv1 is much easier to crack. |
| Pass-the-Hash (PtH) | ✅ Yes (pth-winexe, Mimikatz) | ❌ No | NTLMv1 hashes can be reused directly for authentication. NTLMv2 requires a challenge-response, preventing PtH. |
| Relay Attack | ✅ Yes (ntlmrelayx.py) | ✅ Yes (ntlmrelayx.py) | Forward captured hashes to another system for authentication. Fails if SMB signing is enabled. |
| Pass-the-Challenge (PtC) | ❌ No | ✅ Yes | NTLMv2 hashes include a challenge, which can sometimes be replayed in specific environments. |
| SMB Authentication Relay | ✅ Yes | ✅ Yes | Relay NTLM authentication attempts to another system. Works only if SMB signing is disabled. |
| Cracking with Responder | ✅ Yes | ✅ Yes | Capture NTLM handshakes and crack them using Hashcat or John the Ripper. |
| MITM Attack (Responder + ntlmrelayx) | ✅ Yes | ✅ Yes | Redirect NTLM authentication requests and relay them to a target system. |
| Extracting NTDS.dit (Active Directory Hash Dump) | ✅ Yes | ✅ Yes | An attacker who obtains Domain Admin can extract NTLM hashes from NTDS.dit and crack them offline. |
| Pass-the-Ticket (PtT) | ❌ No | ❌ No | NTLM does not use Kerberos tickets; this attack applies to Kerberos TGTs instead. |
| Kerberoasting | ❌ No | ❌ No | NTLM is not used for Kerberos-based attacks. |
| LSASS Dumping | ✅ Yes (mimikatz sekurlsa::logonpasswords) | ✅ Yes (mimikatz sekurlsa::logonpasswords) | Extract NTLM hashes from memory; requires admin privileges on the machine. |
| NTLM Downgrade Attack | ✅ Yes | ❌ No | Force a system to use NTLMv1 instead of NTLMv2, making it easier to crack. |