Since NTLM is a challenge-response protocol, if an attacker can position themselves between a client and a server (Man-in-the-Middle), they can capture the authentication traffic and "relay" it to a target server.
A widely used extension for web application testing that automatically decodes NTLM headers found in HTTP requests/responses.
The server sends back a 16-byte random number (nonce).
By decoding the Type 1 and Type 3 messages, an observer can extract valuable information without knowing the password:
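
An added example (not from the original page) of the decoding described above: it parses the base64 NTLMSSP blob from an HTTP `Authorization: NTLM` header and returns the domain, user and workstation names carried in a Type 1 or Type 3 message. The function names and the CORP/alice/WS01 sample values are constructed for this illustration.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings in Type 3 are UTF-16LE when set

def _field(msg, pos):
    """Return the bytes a security buffer (len, maxlen, offset) at pos points to."""
    if pos + 8 > len(msg):
        return b""  # short Type 1 message: descriptor not present
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def decode_ntlm(header_value):
    """Decode an HTTP 'Authorization: NTLM <base64>' value (Type 1 or Type 3)."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    msg = base64.b64decode(blob.strip(), validate=True)
    if len(msg) < 16 or not msg.startswith(NTLMSSP_SIG):
        raise ValueError("missing NTLMSSP signature")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype == 1:  # negotiate: flags, then OEM domain and workstation
        names, enc = {"domain": 16, "workstation": 24}, "cp437"
    elif mtype == 3:  # authenticate: responses, then domain/user/workstation
        if len(msg) < 64:
            raise ValueError("truncated Type 3 message")
        (flags,) = struct.unpack_from("<I", msg, 60)
        # cp437 as the OEM code page is an assumption of this example
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
        names = {"domain": 28, "user": 36, "workstation": 44}
    else:
        return {"type": mtype}
    out = {"type": mtype}
    out.update({k: _field(msg, p).decode(enc, "replace") for k, p in names.items()})
    return out

def build_sample_type3(domain="CORP", user="alice", workstation="WS01"):
    """Constructed sample: a Type 3 message with empty LM/NT responses."""
    strings = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    header, payload = NTLMSSP_SIG + struct.pack("<I", 3), b""
    for part in [b"", b"", *strings, b""]:  # LM, NT, domain, user, workstation, key
        header += struct.pack("<HHI", len(part), len(part), 64 + len(payload))
        payload += part
    msg = header + struct.pack("<I", NEGOTIATE_UNICODE) + payload
    return "NTLM " + base64.b64encode(msg).decode()

if __name__ == "__main__":
    print(decode_ntlm(build_sample_type3()))
```

The bounds check in `_field` matters when the decoder runs over captured traffic, since a malformed message can carry offsets that point past the end of the buffer.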