A python script to robotically coerce a Home windows server to authenticate on an arbitrary machine by 9 strategies.
Options
- Robotically detects open SMB pipes on the distant machine.
- Calls one after the other all of the weak RPC capabilities to coerce the server to authenticate on an arbitrary machine.
- Analyze mode with
--analyze, which solely lists the weak protocols and capabilities listening, with out performing a coerced authentication. - Carry out coerce assault on an inventory of targets from a file with
--targets-file - Coerce to a WebDAV goal with
--webdav-hostand--webdav-port
Utilization
$ ./Coercer.py -h ______
/ ____/___ ___ _____________ _____
/ / / __ / _ / ___/ ___/ _ / ___/
/ /___/ /_/ / __/ / / /__/ __/ / v1.6
____/____/___/_/ ___/___/_/ by @podalirius_
utilization: Coercer.py [-h] [-u USERNAME] [-p PASSWORD] [-d DOMAIN] [--hashes [LMHASH]:NTHASH] [--no-pass] [-v] [-a] [-k] [--dc-ip ip address] [-l LISTENER] [-wh WEBDAV_HOST] [-wp WEBDAV_PORT]
(-t TARGET | -f TARGETS_FILE) [--target-ip ip address]
Computerized home windows authentication coercer over numerous RPC calls.
choices:
-h, --help present this assist message and exit
-u USERNAME, --username USERNAME
Username to authenticate to the endpoint.
-p PASSWORD, --password PASSWORD
Password to authenticate to the endpoint. (if omitted, will probably be requested until -no-pass is specified)
-d DOMAIN, --domain DOMAIN
Home windows area identify to authenticate to the endpoint.
--hashes [LMHASH]:NTHASH
NT/LM hashes (LM hash could be empty)
--no-pass Do not ask for password (helpful for -k)
-v, --verbose Verbose mode (default: False)
-a, --analyze Analyze mode (default: Assault mode)
-k, --kerberos Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based mostly on the right track parameters. If legitimate credentials can't be discovered, it's going to use those specified within the
command line
--dc-ip ip deal with IP Deal with of the area controller. If omitted it's going to use the area half (FQDN) specified within the goal parameter
-t TARGET, --target TARGET
IP deal with or hostname of the goal machine
-f TARGETS_FILE, --targets-file TARGETS_FILE
IP deal with or hostname of the goal machine
--target-ip ip deal with
IP Deal with of the goal machine. If omitted it's going to use no matter was specified as goal. That is helpful when goal is the NetBIOS identify or Kerberos identify and you can't resolve it
-l LISTENER, --listener LISTENER
IP deal with or hostname of the listener machine
-wh WEBDAV_HOST, --webdav-host WEBDAV_HOST
WebDAV IP of the server to authenticate to.
-wp WEBDAV_PORT, --webdav-port WEBDAV_PORT
WebDAV port of the server to authenticate to.
Instance output
In assault mode (with out --analyze possibility) you get the next output:
After all of the RPC calls, you get loads of authentications in Responder:
Contributing
Pull requests are welcome. Be happy to open a problem if you wish to add different options.
Credit
