Repository files navigation

A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through many methods.

To build a binary for Windows, download theinstaller.ps1 script from this repository. Run it simply with no arguments to create a binary in the working directory. Use-h or--help for the help menu with options.

• Core:
  • Lists open SMB pipes on the remote machine (in modesscan authenticated andfuzz authenticated)
  • Tries to connect on a list of known SMB pipes on the remote machine (in modesscan unauthenticated andfuzz unauthenticated)
  • Calls one by one all the vulnerable RPC functions to coerce the server to authenticate on an arbitrary machine.
  • Random UNC paths generation to avoid caching failed attempts (all modes)
  • Configurable delay between attempts with--delay
• Options:
  • Filter by method name with--filter-method-name, by protocol name with--filter-protocol-name or by pipe name with--filter-pipe-name (all modes)
  • Target a single machine--target or a list of targets from a file with--targets-file
  • Specify IP address OR interface to listen on for incoming authentications. (modesscan andfuzz)
• Exporting results
  • Export results in SQLite format (modesscan andfuzz)
  • Export results in JSON format (modesscan andfuzz)
  • Export results in XSLX format (modesscan andfuzz)

You can now install it from pypi (latest version is) with this command:

sudo python3 -m pip install coercer

Coercer usesargcomplete to autogenerate tab completions for your shell (bash, zsh, fish, ...).See theargcomplete README for how to enable tab completions.

• You want toassess the Remote Procedure Calls listening on a machine to see if they can be leveraged to coerce an authentication?

  • Usescan mode, example:
  demo-scan.mp4

• You want toexploit the Remote Procedure Calls on a remote machine to coerce an authentication to ntlmrelay or responder?

  • Usecoerce mode, example:
  demo-coerce.mp4

• You are doingresearch and want to fuzz Remote Procedure Calls listening on a machine with various paths?

  • Usefuzz mode, example:
  demo-fuzz.mp4

Pull requests are welcome. Feel free to open an issue if you want to add other features.

• @tifkin_ and@elad_shamir for finding and implementingPrinterBug onMS-RPRN
• @topotam77 for finding and implementingPetitPotam onMS-EFSR
• @topotam77 for finding and@_nwodtuhs for implementingShadowCoerce onMS-FSRVP
• @filip_dragovic for finding and implementingDFSCoerce onMS-DFSNM
• @evilashz for finding and implementingCheeseOunce onMS-EVEN