Coercer Versions Save

This completely refactored release of Coercer is published alongside with the talk Searching for RPC Functions to Coerce Authentications in Microsoft Protocols presented at BlackHat Europe 2022 by Remi GASCOU (Podalirius)

Features:

• Core:
  • Lists open SMB pipes on the remote machine (in modes scan authenticated and fuzz authenticated)
  • Tries to connect on a list of known SMB pipes on the remote machine (in modes scan unauthenticated and fuzz unauthenticated)
  • Calls one by one all the vulnerable RPC functions to coerce the server to authenticate on an arbitrary machine.
  • Random UNC paths generation to avoid caching failed attempts (all modes)
  • Configurable delay between attempts with --delay
• Options:
  • Filter by method name with --filter-method-name, by protocol name with --filter-protocol-name or by pipe name with --filter-pipe-name (all modes)
  • Target a single machine --target or a list of targets from a file with --targets-file
  • Specify IP address OR interface to listen on for incoming authentications. (modes scan and fuzz)
• Exporting results
  • Export results in SQLite format (modes scan and fuzz)
  • Export results in JSON format (modes scan and fuzz)
  • Export results in XSLX format (modes scan and fuzz)

Changelog:

• Various bug fixes
• Added MS-EVEN::ElfrOpenBELW (CheeseOunce) in https://github.com/p0dalirius/Coercer/commit/a8fd0373b0ae41999f4337304558e9ad4b1611fe
• Complete refactor of the code base
• Created new modes scan, coerce and fuzz

This completely refactored release of Coercer is published alongside with the talk Searching for RPC Functions to Coerce Authentications in Microsoft Protocols presented at BlackHat Europe 2022 by Remi GASCOU (Podalirius)

Features:

• Core:
  • Lists open SMB pipes on the remote machine (in modes scan authenticated and fuzz authenticated)
  • Tries to connect on a list of known SMB pipes on the remote machine (in modes scan unauthenticated and fuzz unauthenticated)
  • Calls one by one all the vulnerable RPC functions to coerce the server to authenticate on an arbitrary machine.
  • Random UNC paths generation to avoid caching failed attempts (all modes)
  • Configurable delay between attempts with --delay
• Options:
  • Filter by method name with --filter-method-name or by protocol name with --filter-protocol-name (all modes)
  • Target a single machine --target or a list of targets from a file with --targets-file
  • Specify IP address OR interface to listen on for incoming authentications. (modes scan and fuzz)
• Exporting results
  • Export results in SQLite format (modes scan and fuzz)
  • Export results in JSON format (modes scan and fuzz)
  • Export results in XSLX format (modes scan and fuzz)

Changelog:

• Various bug fixes
• Added MS-EVEN::ElfrOpenBELW (CheeseOunce) in https://github.com/p0dalirius/Coercer/commit/a8fd0373b0ae41999f4337304558e9ad4b1611fe
• Complete refactor of the code base
• Created new modes scan, coerce and fuzz

This completely refactored release of Coercer is published alongside with the talk Searching for RPC Functions to Coerce Authentications in Microsoft Protocols presented at BlackHat Europe 2022 by Remi GASCOU (Podalirius)

Features:

• Core:
  • Lists open SMB pipes on the remote machine (in modes scan authenticated and fuzz authenticated)
  • Tries to connect on a list of known SMB pipes on the remote machine (in modes scan unauthenticated and fuzz unauthenticated)
  • Calls one by one all the vulnerable RPC functions to coerce the server to authenticate on an arbitrary machine.
  • Random UNC paths generation to avoid caching failed attempts (all modes)
  • Configurable delay between attempts with --delay
• Options:
  • Filter by method name with --filter-method-name or by protocol name with --filter-protocol-name (all modes)
  • Target a single machine --target or a list of targets from a file with --targets-file
  • Specify IP address OR interface to listen on for incoming authentications. (modes scan and fuzz)
• Exporting results
  • Export results in SQLite format (modes scan and fuzz)
  • Export results in JSON format (modes scan and fuzz)
  • Export results in XSLX format (modes scan and fuzz)

Changelog:

• Various bug fixes
• Added MS-EVEN::ElfrOpenBELW (CheeseOunce) in https://github.com/p0dalirius/Coercer/commit/a8fd0373b0ae41999f4337304558e9ad4b1611fe
• Complete refactor of the code base
• Created new modes scan, coerce and fuzz

This completely refactored release of Coercer is published alongside with the talk Searching for RPC Functions to Coerce Authentications in Microsoft Protocols presented at BlackHat Europe 2022 by Remi GASCOU (Podalirius)

Features:

• Core:
  • Lists open SMB pipes on the remote machine (in modes scan authenticated and fuzz authenticated)
  • Tries to connect on a list of known SMB pipes on the remote machine (in modes scan unauthenticated and fuzz unauthenticated)
  • Calls one by one all the vulnerable RPC functions to coerce the server to authenticate on an arbitrary machine.
  • Random UNC paths generation to avoid caching failed attempts (all modes)
  • Configurable delay between attempts with --delay
• Options:
  • Filter by method name with --filter-method-name or by protocol name with --filter-protocol-name (all modes)
  • Target a single machine --target or a list of targets from a file with --targets-file
  • Specify IP address OR interface to listen on for incoming authentications. (modes scan and fuzz)
• Exporting results
  • Export results in SQLite format (modes scan and fuzz)
  • Export results in JSON format (modes scan and fuzz)
  • Export results in XSLX format (modes scan and fuzz)

Changelog:

• Complete refactor of the code base
• Created new modes scan, coerce and fuzz

This completely refactored release of Coercer is published alongside with the talk Searching for RPC Functions to Coerce Authentications in Microsoft Protocols presented at BlackHat Europe 2022 by Remi GASCOU (Podalirius)

Features:

• Core:
  • Lists open SMB pipes on the remote machine (in modes scan authenticated and fuzz authenticated)
  • Tries to connect on a list of known SMB pipes on the remote machine (in modes scan unauthenticated and fuzz unauthenticated)
  • Calls one by one all the vulnerable RPC functions to coerce the server to authenticate on an arbitrary machine.
  • Random UNC paths generation to avoid caching failed attempts (all modes)
  • Configurable delay between attempts with --delay
• Options:
  • Filter by method name with --filter-method-name or by protocol name with --filter-protocol-name (all modes)
  • Target a single machine --target or a list of targets from a file with --targets-file
  • Specify IP address OR interface to listen on for incoming authentications. (modes scan and fuzz)
• Exporting results
  • Export results in SQLite format (modes scan and fuzz)
  • Export results in JSON format (modes scan and fuzz)
  • Export results in XSLX format (modes scan and fuzz)

Changelog:

• Complete refactor of the code base
• Created new modes scan, coerce and fuzz

• Fixed #10

Added Added MS-RPRN 'PrinterBug' MS-RPRN:RpcRemoteFindFirstPrinterChangeNotificationEx()