NTLM - Vulnerabilities

Vulnerabilities

NTLM is widely deployed, even on new systems, often for compatibility with older systems. It nevertheless remains vulnerable to a credentials forwarding attack, a variant of the reflection attack that was addressed by Microsoft security update MS08-068. Both attacks were discovered by Dominique Brezinski in 1997. For example, Metasploit can in many cases be used to obtain credentials from one machine that can then be used to gain control of another machine. The Squirtle toolkit can be used to leverage web site cross-site scripting attacks into attacks on nearby assets via NTLM.

In February 2010, Amplia Security discovered several flaws in the Windows implementation of the NTLM authentication mechanism that completely broke the security of the protocol, allowing attackers to gain read/write access to files and remote code execution. One of the attacks presented included the ability to predict the pseudo-random numbers, challenges and responses generated by the protocol. These flaws had been present in all versions of Windows for 17 years. The security advisory describing the issues included several fully working proof-of-concept exploits. All of the flaws were fixed by MS10-012.