
Coercer vs PetitPotam

GitHub Stats

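Stars: 2.2k (Coercer), 2.2k (PetitPotam)
Forks: 215 (Coercer), 297 (PetitPotam)
Issues: 9 (Coercer), 1 (PetitPotam)
Updated: 3mo ago (Coercer), 1y ago (PetitPotam)
License: GPL-2.0 (Coercer), - (PetitPotam)
Language: Python (Coercer), Python (PetitPotam)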

About Coercer

Coercer is an automated tool designed to locate and exploit Windows authentication coercion vulnerabilities. It specifically targets vulnerabilities such as PetitPotam and PrinterBug, which can be exploited to relay NTLM authentication requests. By automating the discovery and exploitation process, Coercer assists attackers and security testers in assessing the security posture of Active Directory environments against these types of threats.

About PetitPotam

PetitPotam is a tool that coerces Windows hosts into authenticating to an attacker-controlled server by abusing the Encrypting File System Remote Protocol (MS-EFSRPC). By sending specially crafted requests to the EfsRpcOpenFileRaw function (and similar EFS functions), PetitPotam forces the target machine to initiate an NTLM authentication to an arbitrary server specified by the attacker. When combined with NTLM relay attacks (via tools like ntlmrelayx from Impacket), this can be used to relay the authentication to Active Directory Certificate Services (AD CS) to obtain certificates, or to other services for privilege escalation. PetitPotam was a significant discovery because it works unauthenticated against domain controllers in many configurations, making it a critical vector for Active Directory domain compromise. Microsoft has issued patches, but many environments remain vulnerable.

Platform Support

๐Ÿงlinux๐ŸŽmacos
๐Ÿงlinux๐ŸชŸwindows

Tags

Shared

ntlm-relay, active-directory

Coercer only

authentication-coercion, petitpotam

PetitPotam only

coercion, efsrpc, domain-compromise, adcs