A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through many methods.
Features
- Core:
- [x] Lists open SMB pipes on the remote machine (in modes scan authenticated and fuzz authenticated)
- [x] Tries to connect on a list of known SMB pipes on the remote machine (in modes scan unauthenticated and fuzz unauthenticated)
- [x] Calls one by one all the vulnerable RPC functions to coerce the server to authenticate on an arbitrary machine.
- [x] Random UNC paths generation to avoid caching failed attempts (all modes)
- [x] Configurable delay between attempts with
--delay
- Options:
- [x] Filter by method name with
--filter-method-name, by protocol name with--filter-protocol-nameor by pipe name with--filter-pipe-name(all modes) - [x] Target a single machine
--targetor a list of targets from a file with--targets-file - [x] Specify IP address OR interface to listen on for incoming authentications. (modes scan and fuzz)
- [x] Filter by method name with
- Exporting results
Installation
You can now install it from pypi (latest version is
sudo python3 -m pip install coercerQuick start
-
You want to assess the Remote Procedure Calls listening on a machine to see if they can be leveraged to coerce an authentication?
- Use scan mode, example:
-
You want to exploit the Remote Procedure Calls on a remote machine to coerce an authentication to ntlmrelay or responder?
- Use coerce mode, example:
-
You are doing research and want to fuzz Remote Procedure Calls listening on a machine with various paths?
- Use fuzz mode, example:
Contributing
Pull requests are welcome. Feel free to open an issue if you want to add other features.
Credits
- @tifkin_ and @elad_shamir for finding and implementing PrinterBug on MS-RPRN
- @topotam77 for finding and implementing PetitPotam on MS-EFSR
- @topotam77 for finding and @_nwodtuhs for implementing ShadowCoerce on MS-FSRVP
- @filip_dragovic for finding and implementing DFSCoerce on MS-DFSNM