coercing-authentication-with-coercer-petitpotam
Coercing Authentication with Coercer and PetitPotam
Legal Notice: This skill is for authorized security testing and educational purposes only. Authentication coercion combined with NTLM relay can yield domain compromise. Use only against systems you own or have explicit written authorization to test. Unauthorized use is illegal.
Overview
Many Windows RPC interfaces expose methods that take a UNC path and cause the receiving server to authenticate to that path using its machine account. An attacker who can reach these interfaces can force a target (commonly a Domain Controller) to authenticate to an attacker-controlled host. On its own this is "Forced Authentication"; combined with an NTLM relay, the coerced machine credential is relayed to a service that does not enforce signing/EPA, most famously AD CS Web Enrollment (ESC8), yielding a certificate for the Domain Controller and ultimately domain compromise.
PetitPotam (Gilles Lionel / topotam) abuses the MS-EFSR (Encrypting File System Remote Protocol) EfsRpcOpenFileRaw / EfsRpcEncryptFileSrv methods. Coercer (p0dalirius) generalizes the technique: it is a Python tool that automatically coerces a Windows server to authenticate to an arbitrary machine through 12 methods spanning multiple protocols — MS-EFSR (PetitPotam), MS-RPRN (PrinterBug/SpoolSample), MS-DFSNM (DFSCoerce), MS-FSRVP (ShadowCoerce), MS-EVEN, and more. Coercer operates in three modes: scan (probe which RPC methods are reachable/coercible), coerce (trigger authentication), and fuzz (research path variations). Sources: p0dalirius/Coercer, topotam/PetitPotam, The Hacker Recipes — Forced Authentications.
When to Use
- To complete an ESC8/ESC11 chain by forcing a DC to authenticate to a relay
- To trigger machine authentication for NTLM relay to LDAP (RBCD) or SMB
- When a relay target is identified but no inbound authentication is occurring naturally
- During detection engineering to generate coercion telemetry for blue-team tuning
- To validate that DCs/servers are patched and that relay mitigations (signing/EPA) hold