Which protocol is most commonly associated with credential relaying attacks?


The protocol most commonly associated with credential relaying attacks is NTLM (NT LAN Manager). This is primarily due to its design and the way it handles authentication. NTLM is an authentication protocol used in Windows environments, where it has been known to be susceptible to various attacks that exploit how it processes authentication requests.

In a credential relaying attack, an adversary captures NTLM hashes or tokens from one session and then reuses them to authenticate to another service as a different user. This happens because NTLM does not incorporate strong mutual authentication; it allows attackers to send authentication requests with NTLM credentials over the network without needing the original user's password.

Also, because NTLM authentication is carried over protocols that can be used to perform relay attacks, such as HTTP, SMB, and others, attackers can leverage these protocols to hijack credentials effectively. This highlights the vulnerabilities inherent in NTLM, especially in mixed environments that use both NTLM and other, more secure protocols.

In contrast, LDAP (Lightweight Directory Access Protocol) is generally used for directory services and lacks the same vulnerabilities in relation to credential relaying. Kerberos, which uses tickets for authentication, provides stronger security features compared to NTLM and is designed to prevent replay attacks. SSL (Secure Sockets Layer) is
