p0dalirius / Coercer

A Python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 12 methods.

Home Page: https://podalirius.net/

[enhancement] Adding an option to perform an NTLMv1 scan

AdrianVollmer opened this issue

Hi,

I like coercer a lot, in particular for identifying DCs which have NTLMv1 enabled. What I always do is run responder in analyze mode and then coercer in coerce mode to see if I get NTLMv1 hashes.

Unfortunately, this doesn't scale well. In some cases there are 50 DCs and finding the one that has NTLMv1 enabled takes quite a long time, because I cannot automatically tell coercer to stop after receiving one SMB connection.

Would you be interested in bringing this feature to coercer? I'd be open to contributing a PR if you tell me a rough outline of what it should look like. Maybe add a --ntlmv1 flag to the scan subcommand?

It would make sense to use the code from responder, but unfortunately the project isn't packaged, so we cannot import it. We could include it as a git submodule, but then you wouldn't be able to package it. We could also just copy the code, but since responder is GPL licensed, coercer would also need to be GPL licensed. I don't see any license information for coercer yet, so this doesn't seem like a deal breaker.

What do you think?
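
The check this request hinges on, telling an NTLMv1 response from an NTLMv2 one, can be made from the NTLM AUTHENTICATE message alone, which is also how a defender audits which hosts still answer with NTLMv1. The following is an added example, not code from Coercer or Responder: it classifies a type 3 message by the length of its NT response, assuming the field layout from MS-NLMP; the function names and the sample messages are constructed for illustration.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000  # flag bit defined in MS-NLMP

def _field(msg: bytes, pos: int) -> bytes:
    """Read a (Len, MaxLen, BufferOffset) descriptor and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def classify_authenticate(msg: bytes) -> str:
    """Classify an NTLM AUTHENTICATE (type 3) message by its response format."""
    if len(msg) < 64 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE message")
    lm = _field(msg, 12)   # LmChallengeResponse
    nt = _field(msg, 20)   # NtChallengeResponse
    flags = struct.unpack_from("<I", msg, 60)[0]
    if len(nt) == 0:
        return "anonymous"
    if len(nt) == 24:
        # ESS variant: the LM field holds an 8-byte client challenge + 16 zero bytes
        if flags & NEGOTIATE_EXTENDED_SESSIONSECURITY and lm[8:] == b"\x00" * 16:
            return "NTLMv1-ESS"
        return "NTLMv1"
    if len(nt) > 24:
        # 16-byte proof followed by a variable-length client blob
        return "NTLMv2"
    raise ValueError("unexpected NT response length")

def build_sample(lm: bytes, nt: bytes, flags: int) -> bytes:
    """Constructed message: 64-byte header, empty name fields, then LM and NT data."""
    base = 64
    hdr = SIGNATURE + struct.pack("<I", 3)
    hdr += struct.pack("<HHI", len(lm), len(lm), base)
    hdr += struct.pack("<HHI", len(nt), len(nt), base + len(lm))
    hdr += struct.pack("<HHI", 0, 0, base) * 4  # domain, user, workstation, session key
    hdr += struct.pack("<I", flags)
    return hdr + lm + nt

if __name__ == "__main__":
    v1 = build_sample(b"\x11" * 24, b"\x22" * 24, 0)
    v2 = build_sample(b"\x00" * 24, b"\x44" * 48, NEGOTIATE_EXTENDED_SESSIONSECURITY)
    print(classify_authenticate(v1), classify_authenticate(v2))
```
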