# Coercer

<p align="center">
A Python script to automatically coerce a Windows server to authenticate on an arbitrary machine through many methods.
<br>
<img alt="PyPI" src="https://img.shields.io/pypi/v/coercer">
<img alt="GitHub release (latest by date)" src="https://img.shields.io/github/v/release/p0dalirius/Coercer">
<a href="https://twitter.com/intent/follow?screen_name=podalirius_" title="Follow"><img src="https://img.shields.io/twitter/follow/podalirius_?label=Podalirius&style=social"></a>
<a href="https://www.youtube.com/c/Podalirius_?sub_confirmation=1" title="Subscribe"><img alt="YouTube Channel Subscribers" src="https://img.shields.io/youtube/channel/subscribers/UCF_x5O7CSfr82AfNVTKOv_A?style=social"></a>
<br>
</p>

## Features
- Core:
  - Lists open SMB pipes on the remote machine (in modes `scan` authenticated and `fuzz` authenticated)
  - Tries to connect on a list of known SMB pipes on the remote machine (in modes `scan` unauthenticated and `fuzz` unauthenticated)
  - Calls one by one all the vulnerable RPC functions to coerce the server to authenticate on an arbitrary machine
  - Random UNC path generation to avoid caching failed attempts (all modes)
  - Configurable delay between attempts with `--delay`
- Options:
  - Filter by method name with `--filter-method-name`, by protocol name with `--filter-protocol-name` or by pipe name with `--filter-pipe-name` (all modes)
  - Target a single machine with `--target` or a list of targets from a file with `--targets-file`
  - Specify the IP address OR interface to listen on for incoming authentications (modes `scan` and `fuzz`)
  - Exporting results
## Installation

You can now install it from PyPI (latest version is <img alt="PyPI" src="https://img.shields.io/pypi/v/coercer">) with this command:

```sh
sudo python3 -m pip install coercer
```
## Quick start

- You want to assess the Remote Procedure Calls listening on a machine to see if they can be leveraged to coerce an authentication?
  - Use `scan` mode, example:
- You want to exploit the Remote Procedure Calls on a remote machine to coerce an authentication to ntlmrelay or responder?
  - Use `coerce` mode, example:
- You are doing research and want to fuzz Remote Procedure Calls listening on a machine with various paths?
  - Use `fuzz` mode, example:
## Contributing
Pull requests are welcome. Feel free to open an issue if you want to add other features.
## Credits
- @tifkin_ and @elad_shamir for finding and implementing PrinterBug on MS-RPRN
- @topotam77 for finding and implementing PetitPotam on MS-EFSR
- @topotam77 for finding and @_nwodtuhs for implementing ShadowCoerce on MS-FSRVP
- @filip_dragovic for finding and implementing DFSCoerce on MS-DFSNM
- @evilashz for finding and implementing CheeseOunce on MS-EVEN
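As an added example of the defender's side of what the feature list and the credits above describe (it is not part of Coercer or this project): every method Coercer walks through goes over an `IPC$` named pipe, so on a target with detailed file share auditing enabled each attempt leaves a Windows Security event 5145 naming the pipe and the client address. The pipe-to-interface mapping below is taken from the protocol specifications rather than from this README, and the flattened log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Assumption (from the MS-RPRN / MS-EFSR / MS-FSRVP / MS-DFSNM / MS-EVEN specs,
# not from this README): the IPC$ pipes behind each credited coercion method.
# Keys are lower-cased because Windows pipe names are case-insensitive.
COERCION_PIPES = {
    "spoolss": "MS-RPRN (PrinterBug)",
    "efsrpc": "MS-EFSR (PetitPotam)",
    "lsarpc": "MS-EFSR (PetitPotam)",
    "fssagentrpc": "MS-FSRVP (ShadowCoerce)",
    "netdfs": "MS-DFSNM (DFSCoerce)",
    "eventlog": "MS-EVEN (CheeseOunce)",
}

# Constructed sample: event 5145 records flattened to key=value form
# (ShareName -> Share, RelativeTargetName -> Target, IpAddress -> Src).
SAMPLE_LOG = r"""EventID=5145 Share=\\*\IPC$ Target=srvsvc Src=10.0.0.5 User=CORP\alice
EventID=5145 Share=\\*\IPC$ Target=efsrpc Src=10.0.0.99 User=CORP\bob
EventID=5145 Share=\\*\IPC$ Target=spoolss Src=10.0.0.99 User=CORP\bob
EventID=5145 Share=\\*\IPC$ Target=netdfs Src=10.0.0.99 User=CORP\bob
EventID=5145 Share=\\*\IPC$ Target=lsarpc Src=10.0.0.12 User=CORP\svc_print
EventID=4624 LogonType=3 Src=10.0.0.99 User=CORP\bob"""

LINE_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+Share=(?P<share>\S+)\s+Target=(?P<target>\S+)"
    r"\s+Src=(?P<src>\S+)\s+User=(?P<user>\S+)"
)


def parse_5145(line):
    """Return the fields of a 5145 record on the IPC$ share, else None."""
    m = LINE_RE.match(line)
    if not m or m.group("id") != "5145" or not m.group("share").upper().endswith("IPC$"):
        return None
    return m.groupdict()


def find_coercion_attempts(log_text, min_distinct_pipes=2):
    """Group IPC$ pipe opens by client address and report clients that touched at
    least `min_distinct_pipes` coercion-related pipes. Coercer tries the vulnerable
    methods one after another, so several such pipes from one source is the tell.
    Returns {src: sorted list of (pipe, interface)}."""
    per_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_5145(line)
        if rec is None:
            continue
        pipe = rec["target"].rsplit("\\", 1)[-1].lower()
        if pipe in COERCION_PIPES:
            per_src[rec["src"]].add((pipe, COERCION_PIPES[pipe]))
    return {s: sorted(p) for s, p in per_src.items() if len(p) >= min_distinct_pipes}


if __name__ == "__main__":
    for src, pipes in find_coercion_attempts(SAMPLE_LOG).items():
        print(src, [pipe for pipe, _ in pipes])
```

A single `lsarpc` open from a print server account is normal traffic, which is why the threshold defaults to two distinct pipes; lower it to one when hunting on hosts that should never see these interfaces at all.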