netexec

Command: -id - database credential ID(s) to use for authentication

Command: --ls - List files in the directory

Command: --lsa - dump LSA secrets from target systems

Command: --pvk - DPAPI option. File with domain backupkey

Command: --sam - dump SAM hashes from target systems

Command: --wmi - issues the specified WMI query

Command: --gmsa - Enumerate GMSA passwords

Command: --hash - NTLM hash(es)

Command: -6 - Enable force IPv6

Command: --ntds - dump the NTDS.dit from target DCs using the specifed method (drsuapi,vss)

Command: --port - Target port

Command: --sccm - dump SCCM secrets from target systems (wmi,disk)

Command: --user - Dump selected user from DC

Command: --codec - Set encoding used (codec) from the target's output. If errors are detected, run chcp.com at the target & map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute again with --codec and the corresponding codec (default: utf-8)

Command: --debug - enable debug level information

Command: --depth - max spider recursion depth

Command: --disks - enumerate disks

Command: --dpapi - dump DPAPI secrets from target systems, can dump cookies if you add 'cookies', will not dump SYSTEM dpapi if you add nosystem (cookies,nosystem)

Command: --query - execute the specfied query against the target

Command: --regex - regex(s) to search for in folders, filenames and file content

Command: --users - enumerate domain users, if a user is specified than only its information is queried.

Command: -d - domain to authenticate to

Command: --groups - enumerate domain groups, if a group is specified than its members are enumerated

Command: --hash - file containing NTLM hashes

Command: --jitter - sets a random delay between each authentication

Command: --mkfile - DPAPI option. File with masterkeys in form of {GUID}:SHA1

Command: --module - module to use

Command: --no-smb - No smb connection

Command: --server - use the selected server (default: https)

Command: --shares - enumerate shares and access

Command: --spider - share to spider

Command: - the target IP, range, CIDR, hostname, or FQDN

Command: --aesKey - AES key to use for Kerberos Authentication (128 or 256 bits)

Command: -x - execute the specified command

Command: --content - enable file content searching

Command: --dns-tcp - Use TCP instead of UDP for DNS queries

Command: --enabled - Only dump enabled targets from DC

Command: --get-sid - Get domain sid

Command: --pattern - pattern(s) to search for in folders, filenames and file content

Command: - a list of target IP(s), range(s), CIDR(s), hostname(s), FQDN(s), NMap XML or .Nessus file(s)'

Command: --threads - set how many concurrent threads to use

Command: --timeout - max timeout in seconds of each thread

Command: --verbose - enable verbose output

Command: --kerberos - Use Kerberos authentication

Command: --pass-pol - dump password policy

Command: --password - password

Command: - the network protocol to assess (available protocols: ldap, mssql, smb, wmi, ssh, vnc, ftp, winrm, rdp)

Command: --sessions - enumerate active sessions

Command: --username - username

Command: --computers - enumerate computer user

Command: --password - file containing passwords

Command: --username - file containing usernames

Command: --bloodhound - Perform a Bloodhound scan

Command: --collection - Which information to collect. Supported: Group, LocalAdmin, Session, Trusts, Default, DCOnly, DCOM, RDP, PSRemote, LoggedOn, Container, ObjectProps, ACL, All. You can specify more than one by separating them with a comma (default: Default)

Command: --dns-server - Specify DNS server (default: Use hosts file & System DNS)

Command: --force-ps32 - Force the PowerShell command to run in a 32-bit process via a job; WARNING: depends on the job completing quickly, so you may have to increase the timeout

Command: --interfaces - enumerate network interfaces

Command: --local-auth - authenticate locally to each target

Command: --only-files - only spider files

Command: --use-kcache - Use Kerberos authentication from ccache file (KRB5CCNAME)

Command: --admin-count - Get objets that had the value adminCount=1

Command: --amsi-bypass - File with a custom AMSI bypass

Command: --dns-timeout - DNS query timeout in seconds

Command: --dump-method - Select shell type in hashes dump (default: cmd) (cmd,powershell)

Command: --exec-method - method to execute the command. Ignored if in MSSQL mode (default: wmiexec) (smbexec,wmiexec,atexec,mmcexec)

Command: --no-progress - do not displaying progress bar during scan

Command: --server-host - IP to bind the server to (default: 0.0.0.0)

Command: --server-port - start the server on the specified port

Command: --active-users - Get Active Domain Users Accounts

Command: --dcom-timeout - DCOM connection timeout (default: 5)

Command: --exclude-dirs - directories to exclude from spidering

Command: --list-modules - list available modules

Command: --local-groups - enumerate local groups, if a group is specified then its members are enumerated

Command: --filter-shares - Filter share by access, option 'read' 'write' or 'read,write'

Command: --mssql-timeout - SQL server connection timeout (default: 5)

Command: --no-bruteforce - No spray when using file for username and password (user1 => password1, user2 => password2)

Command: --rid-brute - specify max RID to enumerate users by bruteforcing RIDs

Command: --spider-folder - folder to spider (default: .)

Command: --wmi-namespace - WMI Namespace (default: rootcimv2)

Command: --loggedon-users - enumerate logged on users

Command: -o - module options

Command: --no-write-check - Skip write check on shares (avoid leaving traces when missing delete permissions)

Command: --gmsa-convert-id - Get the secret name of specific gmsa or all gmsa if no gmsa provided

Command: --fail-limit - max number of failed login attempts per host

Command: --connectback-host - IP for the remote system to connect back to

Command: --get-output-tries - Number of times atexec/smbexec/mmcexec tries to get results (default: 10)

Command: --gmsa-decrypt-lsa - Decrypt the gmsa encrypted value from LSA

Command: --gfail-limit - max number of global failed login attempts

Command: --no-output - do not retrieve command output

Command: --ignore-pw-decoding - Ignore non UTF-8 characters when decoding the password file

Command: -X - execute the specified PowerShell command

Command: --continue-on-success - continues authentication attempts even after successes

Command: --ufail-limit - max number of failed login attempts per username

Command: --no-encode - Do not encode the PowerShell command ran on target

Command: --obfs - Obfuscate PowerShell ran on target; WARNING: Defender will almost certainly trigger on this

Command: --options - display module options

Command: --loggedon-users-filter - only search for specific user, works with regex

Command: --password-not-required - Get the list of users with flag PASSWD_NOTREQD

Command: --trusted-for-delegation - Get the list of users and computers with flag TRUSTED_FOR_DELEGATION

Command: --dc-list - Enumerate Domain Controllers

Command: --clear-obfscripts - Clear all cached obfuscated PowerShell scripts

Command: --kdcHost - FQDN of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter