netexec
NetExec (a.k.a. nxc) is a network service exploitation tool that helps automate assessing the security of large networks.
Name: netexec
Category: Network
Publisher: trickest-mhmdiaa
Created: 7/18/2024
Container: quay.io/trickest/netexec:3a5c109
License: Unknown
Parameters
-id: database credential ID(s) to use for authentication
--ls: List files in the directory
--lsa: dump LSA secrets from target systems
--pvk: DPAPI option. File with domain backupkey
--sam: dump SAM hashes from target systems
--wmi: issues the specified WMI query
--gmsa: Enumerate GMSA passwords
--hash: NTLM hash(es)
-6: Force IPv6
--ntds: dump the NTDS.dit from target DCs using the specified method (drsuapi,vss)
--port: Target port
--sccm: dump SCCM secrets from target systems (wmi,disk)
--user: Dump selected user from DC
--codec: Set encoding used (codec) for the target's output. If errors are detected, run chcp.com on the target, map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute again with --codec and the corresponding codec (default: utf-8)
--debug: enable debug level information
--depth: max spider recursion depth
--disks: enumerate disks
--dpapi: dump DPAPI secrets from target systems; also dumps cookies if you add 'cookies', and will not dump SYSTEM DPAPI if you add 'nosystem' (cookies,nosystem)
--query: execute the specified query against the target
--regex: regex(s) to search for in folders, filenames and file content
--users: enumerate domain users; if a user is specified then only its information is queried
-d: domain to authenticate to
--groups: enumerate domain groups; if a group is specified then its members are enumerated
--hash: file containing NTLM hashes
--jitter: sets a random delay between each authentication
--mkfile: DPAPI option. File with masterkeys in the form {GUID}:SHA1
--module: module to use
--no-smb: No SMB connection
--server: use the selected server (default: https)
--shares: enumerate shares and access
--spider: share to spider
target (positional): the target IP, range, CIDR, hostname, or FQDN
--aesKey: AES key to use for Kerberos authentication (128 or 256 bits)
-x: execute the specified command
--content: enable file content searching
--dns-tcp: Use TCP instead of UDP for DNS queries
--enabled: Only dump enabled targets from DC
--get-sid: Get domain SID
--pattern: pattern(s) to search for in folders, filenames and file content
target (positional): a list of target IP(s), range(s), CIDR(s), hostname(s), FQDN(s), NMap XML or .Nessus file(s)
--threads: set how many concurrent threads to use
--timeout: max timeout in seconds of each thread
--verbose: enable verbose output
--kerberos: Use Kerberos authentication
--pass-pol: dump password policy
--password: password
protocol (positional): the network protocol to assess (available protocols: ldap, mssql, smb, wmi, ssh, vnc, ftp, winrm, rdp)
--sessions: enumerate active sessions
--username: username
--computers: enumerate computer accounts
--password: file containing passwords
--username: file containing usernames
--bloodhound: Perform a BloodHound scan
--collection: Which information to collect. Supported: Group, LocalAdmin, Session, Trusts, Default, DCOnly, DCOM, RDP, PSRemote, LoggedOn, Container, ObjectProps, ACL, All. You can specify more than one by separating them with a comma (default: Default)
--dns-server: Specify DNS server (default: Use hosts file & System DNS)
--force-ps32: Force the PowerShell command to run in a 32-bit process via a job; WARNING: depends on the job completing quickly, so you may have to increase the timeout
--interfaces: enumerate network interfaces
--local-auth: authenticate locally to each target
--only-files: only spider files
--use-kcache: Use Kerberos authentication from ccache file (KRB5CCNAME)
--admin-count: Get objects that have the value adminCount=1
--amsi-bypass: File with a custom AMSI bypass
--dns-timeout: DNS query timeout in seconds
--dump-method: Select shell type for the hashes dump (default: cmd) (cmd,powershell)
--exec-method: method to execute the command. Ignored in MSSQL mode (default: wmiexec) (smbexec,wmiexec,atexec,mmcexec)
--no-progress: do not display a progress bar during the scan
--server-host: IP to bind the server to (default: 0.0.0.0)
--server-port: start the server on the specified port
--active-users: Get active domain user accounts
--dcom-timeout: DCOM connection timeout (default: 5)
--exclude-dirs: directories to exclude from spidering
--list-modules: list available modules
--local-groups: enumerate local groups; if a group is specified then its members are enumerated
--filter-shares: Filter shares by access: 'read', 'write' or 'read,write'
--mssql-timeout: SQL server connection timeout (default: 5)
--no-bruteforce: No spray when using a file for username and password (user1 => password1, user2 => password2)
--rid-brute: specify max RID to enumerate users by bruteforcing RIDs
--spider-folder: folder to spider (default: .)
--wmi-namespace: WMI namespace (default: root\cimv2)
--loggedon-users: enumerate logged on users
-o: module options
--no-write-check: Skip write check on shares (avoids leaving traces when delete permission is missing)
--gmsa-convert-id: Get the secret name of a specific gMSA, or of all gMSAs if none is provided
--fail-limit: max number of failed login attempts per host
--connectback-host: IP for the remote system to connect back to
--get-output-tries: Number of times atexec/smbexec/mmcexec tries to get results (default: 10)
--gmsa-decrypt-lsa: Decrypt the gMSA encrypted value from LSA
--gfail-limit: max number of global failed login attempts
--no-output: do not retrieve command output
--ignore-pw-decoding: Ignore non UTF-8 characters when decoding the password file
-X: execute the specified PowerShell command
--continue-on-success: continue authentication attempts even after a success
--ufail-limit: max number of failed login attempts per username
--no-encode: Do not encode the PowerShell command run on the target
--obfs: Obfuscate PowerShell run on the target; WARNING: Defender will almost certainly trigger on this
--options: display module options
--loggedon-users-filter: only search for a specific user, works with regex
--password-not-required: Get the list of users with flag PASSWD_NOTREQD
--trusted-for-delegation: Get the list of users and computers with flag TRUSTED_FOR_DELEGATION
--dc-list: Enumerate Domain Controllers
--clear-obfscripts: Clear all cached obfuscated PowerShell scripts
--kdcHost: FQDN of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
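Worked example, added to this page and not part of NetExec or the Trickest container: a small Python planner that models how nxc combines a username file with a password file, with and without --no-bruteforce, and sizes --ufail-limit from the account lockout threshold you would first read with --pass-pol. The account names, passwords, file names (users.txt, passwords.txt, targets.txt) and the threshold value are constructed sample data; --fail-limit (per host) and --gfail-limit (global) are separate caps that this example does not model.

```python
"""Spray-budget planner for nxc runs that combine -u FILE with -p FILE.

Added example for this page; it is not part of NetExec. It models how nxc
combines a username file and a password file:
  * default            every user is tried with every password (a spray)
  * --no-bruteforce    user N is tried only with password N (line-paired)
and checks the worst-case attempts per account against the account lockout
threshold read from `--pass-pol`, so --ufail-limit can be set below it.
Users, passwords, file names and the targets file are constructed sample data.
"""
import shlex

# Constructed sample input: note "alice" is listed twice, as happens when
# several sources are concatenated without deduplication.
USERS = ["alice", "bob", "carol", "alice"]
PASSWORDS = ["Winter2024!", "Spring2025!", "Summer2025!", "Autumn2025!"]


def build_attempts(users, passwords, pairwise):
    """Return the (user, password) pairs nxc would attempt, in order.

    pairwise=True models --no-bruteforce: user1 => password1, user2 => password2, ...
    Lines beyond the shorter of the two files are never tried.
    """
    if pairwise:
        return list(zip(users, passwords))
    return [(u, p) for u in users for p in passwords]


def attempts_per_user(attempts):
    """Count attempts per account name; duplicate usernames add up."""
    counts = {}
    for user, _ in attempts:
        counts[user] = counts.get(user, 0) + 1
    return counts


def plan_spray(protocol, targets, users, passwords, lockout_threshold,
               pairwise=False, margin=2,
               users_file="users.txt", passwords_file="passwords.txt"):
    """Return (safe, worst_attempts_per_user, argv).

    lockout_threshold: the lockout threshold reported by --pass-pol; 0 means
                       no lockout is configured.
    margin: attempts deliberately left unused so a user's own typos during the
            run do not tip the account over the threshold.
    argv is the nxc command line to run, with --ufail-limit set to the
    remaining per-account budget whenever a lockout threshold exists.
    """
    attempts = build_attempts(users, passwords, pairwise)
    worst = max(attempts_per_user(attempts).values(), default=0)
    budget = None if lockout_threshold == 0 else max(lockout_threshold - margin, 0)
    safe = budget is None or worst <= budget

    argv = ["nxc", protocol, targets, "-u", users_file, "-p", passwords_file,
            "--continue-on-success"]
    if pairwise:
        argv.append("--no-bruteforce")
    if budget:
        # Even if the files change after planning, nxc stops trying a
        # username once this many attempts against it have failed.
        argv += ["--ufail-limit", str(budget)]
    return safe, worst, argv


if __name__ == "__main__":
    for pairwise in (False, True):
        safe, worst, argv = plan_spray("smb", "targets.txt", USERS, PASSWORDS,
                                       lockout_threshold=5, pairwise=pairwise)
        mode = "--no-bruteforce" if pairwise else "spray"
        print(f"{mode:16} worst attempts/user={worst} safe={safe}")
        print("  " + shlex.join(argv))
```

With the sample data and a threshold of 5, the default spray would send the duplicated account eight attempts against a budget of three and is reported unsafe, while the paired run stays at two. The planner counts only what nxc itself will send; attempts from other tooling or from users inside the same lockout observation window still consume the same budget.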