Skip to content

cbev0x/impel

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Impel — RPC Coercion Surface Mapper

Linux-native, impacket-based scanner for RPC authentication-coercion surface in Active Directory environments. Fingerprints which coercion-capable interfaces are reachable, fires triggers at a listener you control to confirm coercion, generates ready-to-deploy mitigations, and provides a research harness for hunting undiscovered primitives.

Scope. impel drives a machine account into authenticating to a listener you control and confirms it happened. It never relays. Relaying a coerced auth is ntlmrelayx's job and is deliberately out of scope — that separation is what keeps impel a surface-assessment and research tool.

The built-in connectback listener detects the inbound connection and fingerprints it as SMB or HTTP from the first 16 bytes, then drops the socket. It never completes NTLM negotiation and never reads or emits a hash. If you want the account name or a crackable hash, point the trigger at your own Responder with validate --external.


Install

pip install impacket rich
git clone https://github.com/cbev0x/impel
cd impel

No additional dependencies. wsp_packets.py bundles the WSP packet builders inline (adapted from RedTeam Pentesting's wspcoerce) so there are no external git dependencies.


Modules

enum — Coercion Surface Fingerprinting

Probes a nine-vector knowledge base across all candidate named pipes. Classifies each outcome as REACHABLE, denied, no-iface, or absent. The MS-WSP probe uses a raw SMB pipe open rather than a DCERPC bind since WSP is not a DCERPC protocol.

# Single host
python3 -m impel enum DC01.corp.lab -u user -p 'pass' -d corp.lab

# Subnet sweep
python3 -m impel enum 10.0.0.0/24 -u user -p 'pass' -d corp.lab

# Specific vectors only
python3 -m impel enum DC01.corp.lab --vector MS-DFSNM --vector MS-EVEN \
    -u user -p 'pass' -d corp.lab

# JSON output for piping into defend
python3 -m impel enum DC01.corp.lab -u user -p 'pass' -d corp.lab --json \
    > surface.json

# Pass the hash
python3 -m impel enum DC01.corp.lab -u user -H :<nthash> -d corp.lab

# Kerberos
python3 -m impel enum DC01.corp.lab -k --dc-ip 10.0.0.1 -d corp.lab

validate — Trigger and Connectback Confirmation

Fires a coercion trigger at a listener you control and waits for the connectback. Eight triggers implemented across the known coercion corpus.

# Built-in listener on :445 (needs root)
sudo python3 -m impel validate DC01.corp.lab -L 10.10.10.50 \
    -u user -p 'pass' -d corp.lab

# Specific vector
sudo python3 -m impel validate DC01.corp.lab -L 10.10.10.50 \
    --vector MS-DFSNM -u user -p 'pass' -d corp.lab

# High port, no root needed
python3 -m impel validate DC01.corp.lab -L 10.10.10.50 \
    --http --http-port 8080 --bind-port 8080 \
    -u user -p 'pass' -d corp.lab

# External listener (Responder / ntlmrelayx); impel fires only
python3 -m impel validate DC01.corp.lab -L 10.10.10.50 --external \
    -u user -p 'pass' -d corp.lab

defend — Mitigations, netsh Scripts, and Sigma Rules

Takes enum output (via --from-json) or runs enum internally. Produces a per-vector mitigation report, a ready-to-deploy netsh rpc filter script per host, and Sigma YAML rules for each detected vector family.

# Pipe enum JSON directly into defend
python3 -m impel enum DC01.corp.lab -u user -p 'pass' -d corp.lab --json | \
    python3 -m impel defend --from-json - \
    --netsh ./filters/ --sigma ./sigma/

# Run enum internally
python3 -m impel defend DC01.corp.lab -u user -p 'pass' -d corp.lab \
    --netsh ./filters/ --sigma ./sigma/

# Apply generated filter on target (run on Windows)
# netsh -f DC01_corp_lab_rpc_filter.txt

The netsh scripts use layer=um actiontype=block per interface UUID and are applied with netsh -f <file>.txt. MS-WSP is excluded from netsh scripts intentionally — it is not DCERPC and has no UUID-based endpoint on the um layer; the correct mitigation is service disablement, which the tool documents in the per-vector output.

Sigma output covers three rule types per vector family: Sysmon 18 (named pipe connection), Sysmon 3 (outbound network connection from the coercing process), and Security 4624 (machine account network logon).

research — EPM Dump and Primitive Discovery

# Full EPM interface dump — cross-referenced against vector DB and KNOWN_UUIDS
python3 -m impel research dump DC01.corp.lab

# Heuristic candidate flagging (unknown UUIDs on named pipes score highest)
python3 -m impel research flag DC01.corp.lab --json

# Probe a candidate interface across an opnum range
# Fires each opnum with a UNC parameter and waits for connectback
sudo python3 -m impel research probe DC01.corp.lab \
    --uuid <UUID> --pipe <pipe> --opnums 0-20 \
    -L 10.10.10.50 -u user -p 'pass' -d corp.lab

Vector Knowledge Base

python3 -m impel vectors
Vector Family Pipe Coercion Method Status on Server 2025
MS-RPRN PrinterBug spoolss RpcRemoteFindFirstPrinterChangeNotificationEx Pipe gated by default
MS-PAR PrinterBug (async) spoolss RpcAsyncOpenPrinter Pipe gated by default
MS-EFSR PetitPotam lsarpc/efsrpc/samr/netlogon/lsass EfsRpcOpenFileRaw Patched — CVE-2021-36942, interface removed
MS-EFSR-alt PetitPotam efsrpc/lsarpc EfsRpcOpenFileRaw Patched — same
MS-DFSNM DFSCoerce netdfs NetrDfsRemoveStdRoot Live — no CVE, unpatched
MS-FSRVP ShadowCoerce FssagentRpc IsPathShadowCopied Patched — CVE-2022-30154
MS-EVEN EventLog coercion eventlog ElfrOpenBELW Fires, no outbound auth
MS-EVEN6 EventLog coercion v6 eventlog EvtRpcOpenLogHandle Fires, no outbound auth
MS-WSP WSPCoerce MsFteWds CPMCreateQueryIn Live (admin, Windows Search enabled)

Output Convention

Human output goes to stderr (rich terminal). --json output goes to stdout (clean, pipeable). Exit codes: 0 = surface found / coercion confirmed, 1 = nothing found, 2 = usage error.

Binding :445 for the SMB connectback listener requires root. Use --external, --http on a high port, or sudo as alternatives.


Windows Server 2025 Findings

Validated against a fully patched Windows Server 2025 domain (build 26100). Two coercion primitives survive in the default configuration:

  • MS-DFSNM (DFSCoerce) — confirmed coercing with domain user credentials. No CVE assigned, Microsoft has not patched authenticated coercion of this class.
  • MS-WSP (WSPCoerce) — confirmed coercing with administrative credentials. Windows Search is disabled by default on Server 2025; the pipe ACL restricts access to admin accounts.

All other vectors are patched, gated by default, or blocked at the service level. The full analysis is in the accompanying writeup on cbev0x.github.io.


Acknowledgements

  • Gilles Lionel (@topotam77) — PetitPotam / MS-EFSR
  • Filip Dragovic (@Wh04m1001) — DFSCoerce / MS-DFSNM
  • Lee Christensen and Elad Shamir — PrinterBug / MS-RPRN
  • p0dalirius — Coercer and systematic coercion corpus research
  • RedTeam Pentesting GmbH — wspcoerce, whose WSP packet builders are adapted in wsp_packets.py
  • Impacket — RPC transport, NDR, and SMB layers throughout

Licence

MIT

About

Linux-native RPC coercion surface scanner for Windows Active Directory environments. Enumerates, validates, and mitigates authentication coercion vectors (PrinterBug, PetitPotam, DFSCoerce, ShadowCoerce, WSPCoerce and more).

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages