Coercer

A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 12 methods.

2024

201

Python

A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through many methods.
PyPI GitHub release (latest by date)

Windows Support

To build a binary for Windows, download the installer.ps1 script from this repository. Run it simply with no arguments to create a binary in the working directory. Use -h or --help for the help menu with options.

Features

Core:
- [x] Lists open SMB pipes on the remote machine (in modes scan authenticated and fuzz authenticated)
- [x] Tries to connect on a list of known SMB pipes on the remote machine (in modes scan unauthenticated and fuzz unauthenticated)
- [x] Calls one by one all the vulnerable RPC functions to coerce the server to authenticate on an arbitrary machine.
- [x] Random UNC paths generation to avoid caching failed attempts (all modes)
- [x] Configurable delay between attempts with --delay
Options:
- [x] Filter by method name with --filter-method-name, by protocol name with --filter-protocol-name or by pipe name with --filter-pipe-name (all modes)
- [x] Target a single machine --target or a list of targets from a file with --targets-file
- [x] Specify IP address OR interface to listen on for incoming authentications. (modes scan and fuzz)
Exporting results
- [x] Export results in SQLite format (modes scan and fuzz)
- [x] Export results in JSON format (modes scan and fuzz)
- [x] Export results in XSLX format (modes scan and fuzz)

Installation

You can now install it from pypi (latest version is PyPI ) with this command:

sudo python3 -m pip install coercer

Shell Completions

Coercer uses argcomplete to autogenerate tab completions for your shell (bash, zsh, fish, …).
See the argcomplete README for how to enable tab completions.

Quick start

You want to assess the Remote Procedure Calls listening on a machine to see if they can be leveraged to coerce an authentication?
- Use scan mode, example:
https://user-images.githubusercontent.com/79218792/204374471-bc5094a3-8539-4df7-842e-faadcaf9c945.mp4
You want to exploit the Remote Procedure Calls on a remote machine to coerce an authentication to ntlmrelay or responder?
- Use coerce mode, example:
https://user-images.githubusercontent.com/79218792/204372851-4ba461ed-6812-4057-829d-0af6a06b0ecc.mp4
You are doing research and want to fuzz Remote Procedure Calls listening on a machine with various paths?
- Use fuzz mode, example:
https://user-images.githubusercontent.com/79218792/204373310-64f90835-b544-4760-b0a3-3071429b3940.mp4

Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.

Credits

@tifkin_ and @elad_shamir for finding and implementing PrinterBug on MS-RPRN
@topotam77 for finding and implementing PetitPotam on MS-EFSR
@topotam77 for finding and @_nwodtuhs for implementing ShadowCoerce on MS-FSRVP
@filip_dragovic for finding and implementing DFSCoerce on MS-DFSNM
@evilashz for finding and implementing CheeseOunce on MS-EVEN