A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through many methods.
- Core:
- Lists open SMB pipes on the remote machine (in modes scan authenticated and fuzz authenticated)
- Tries to connect on a list of known SMB pipes on the remote machine (in modes scan unauthenticated and fuzz unauthenticated)
- Calls one by one all the vulnerable RPC functions to coerce the server to authenticate on an arbitrary machine.
- Random UNC paths generation to avoid caching failed attempts (all modes)
- Configurable delay between attempts with
--delay
- Options:
- Filter by method name with
--filter-method-name, by protocol name with--filter-protocol-nameor by pipe name with--filter-pipe-name(all modes) - Target a single machine
--targetor a list of targets from a file with--targets-file - Specify IP address OR interface to listen on for incoming authentications. (modes scan and fuzz)
- Filter by method name with
- Exporting results
You can now install it from pypi (latest version is
sudo python3 -m pip install coercer
-
You want to assess the Remote Procedure Calls listening on a machine to see if they can be leveraged to coerce an authentication?
- Use scan mode, example:
demo-scan.mp4
-
You want to exploit the Remote Procedure Calls on a remote machine to coerce an authentication to ntlmrelay or responder?
- Use coerce mode, example:
demo-coerce.mp4
-
You are doing research and want to fuzz Remote Procedure Calls listening on a machine with various paths?
- Use fuzz mode, example:
demo-fuzz.mp4
Pull requests are welcome. Feel free to open an issue if you want to add other features.
- @tifkin_ and @elad_shamir for finding and implementing PrinterBug on MS-RPRN
- @topotam77 for finding and implementing PetitPotam on MS-EFSR
- @topotam77 for finding and @_nwodtuhs for implementing ShadowCoerce on MS-FSRVP
- @filip_dragovic for finding and implementing DFSCoerce on MS-DFSNM
- @evilashz for finding and implementing CheeseOunce on MS-EVEN
