Name: netexec
Category: Network
Publisher: trickest-mhmdiaa
Created: 7/18/2024
Container: quay.io/trickest/netexec:3a5c109
Output Type:
License: Unknown

Parameters

id
string
-id database credential ID(s) to use for authentication
ls
string
--lsList files in the directory
lsa
boolean
--lsa dump LSA secrets from target systems
pvk
file
--pvk DPAPI option. File with the domain backup key
sam
boolean
--sam dump SAM hashes from target systems
wmi
string
--wmi issues the specified WMI query
gmsa
boolean
--gmsa Enumerate GMSA passwords
hash
string
--hash NTLM hash(es)
ipv6
boolean
-6Enable force IPv6
ntds
string
--ntds dump the NTDS.dit from target DCs using the specified method (drsuapi,vss)
port
string
--portTarget port
sccm
string
--sccm dump SCCM secrets from target systems (wmi,disk)
user
string
--userDump selected user from DC
codec
string
--codec Set the encoding (codec) used to decode the target's output. If errors are detected, run chcp.com on the target, map the result using https://docs.python.org/3/library/codecs.html#standard-encodings, and then execute again with --codec and the corresponding codec (default: utf-8)
debug
boolean
--debug enable debug level information
depth
string
--depthmax spider recursion depth
disks
boolean
--disksenumerate disks
dpapi
string
--dpapi dump DPAPI secrets from target systems; can dump cookies if you add 'cookies', and will not dump SYSTEM DPAPI if you add 'nosystem' (cookies,nosystem)
query
string
--query execute the specified query against the target
regex
string
--regexregex(s) to search for in folders, filenames and file content
users
string
--users enumerate domain users; if a user is specified, then only its information is queried.
domain
string
-ddomain to authenticate to
groups
string
--groups enumerate domain groups; if a group is specified, then its members are enumerated
hashes
file
--hash file containing NTLM hashes
jitter
string
--jittersets a random delay between each authentication
mkfile
file
--mkfile DPAPI option. File with masterkeys in the form {GUID}:SHA1
module
string
--modulemodule to use
no-smb
boolean
--no-smbNo smb connection
server
string
--server use the selected server (default: https)
shares
boolean
--sharesenumerate shares and access
spider
string
--spidershare to spider
target
string
required
the target IP, range, CIDR, hostname, or FQDN
aes-key
string
--aesKeyAES key to use for Kerberos Authentication (128 or 256 bits)
command
string
-xexecute the specified command
content
boolean
--contentenable file content searching
dns-tcp
boolean
--dns-tcpUse TCP instead of UDP for DNS queries
enabled
boolean
--enabledOnly dump enabled targets from DC
get-sid
boolean
--get-sidGet domain sid
pattern
string
--patternpattern(s) to search for in folders, filenames and file content
targets
file
required
a list of target IP(s), range(s), CIDR(s), hostname(s), FQDN(s), NMap XML or .Nessus file(s)
threads
string
--threadsset how many concurrent threads to use
timeout
string
--timeoutmax timeout in seconds of each thread
verbose
boolean
--verboseenable verbose output
kerberos
boolean
--kerberosUse Kerberos authentication
pass-pol
boolean
--pass-poldump password policy
password
string
--passwordpassword
protocol
string
required
the network protocol to assess (available protocols: ldap, mssql, smb, wmi, ssh, vnc, ftp, winrm, rdp)
sessions
boolean
--sessionsenumerate active sessions
username
string
--usernameusername
computers
string
--computers enumerate computer users
passwords
file
--password file containing passwords
usernames
file
--username file containing usernames
bloodhound
boolean
--bloodhoundPerform a Bloodhound scan
collection
string
--collectionWhich information to collect. Supported: Group, LocalAdmin, Session, Trusts, Default, DCOnly, DCOM, RDP, PSRemote, LoggedOn, Container, ObjectProps, ACL, All. You can specify more than one by separating them with a comma (default: Default)
dns-server
string
--dns-serverSpecify DNS server (default: Use hosts file & System DNS)
force-ps32
boolean
--force-ps32 Force the PowerShell command to run in a 32-bit process via a job; WARNING: depends on the job completing quickly, so you may have to increase the timeout
interfaces
boolean
--interfacesenumerate network interfaces
local-auth
boolean
--local-authauthenticate locally to each target
only-files
boolean
--only-filesonly spider files
use-kcache
boolean
--use-kcacheUse Kerberos authentication from ccache file (KRB5CCNAME)
admin-count
boolean
--admin-count Get objects that had the value adminCount=1
amsi-bypass
file
--amsi-bypassFile with a custom AMSI bypass
dns-timeout
string
--dns-timeoutDNS query timeout in seconds
dump-method
string
--dump-methodSelect shell type in hashes dump (default: cmd) (cmd,powershell)
exec-method
string
--exec-methodmethod to execute the command. Ignored if in MSSQL mode (default: wmiexec) (smbexec,wmiexec,atexec,mmcexec)
no-progress
boolean
--no-progress do not display the progress bar during scan
server-host
string
--server-host IP to bind the server to (default: 0.0.0.0, i.e. all interfaces)
server-port
string
--server-portstart the server on the specified port
active-users
string
--active-usersGet Active Domain Users Accounts
dcom-timeout
string
--dcom-timeoutDCOM connection timeout (default: 5)
exclude-dirs
string
--exclude-dirsdirectories to exclude from spidering
list-modules
boolean
--list-moduleslist available modules
local-groups
string
--local-groupsenumerate local groups, if a group is specified then its members are enumerated
filter-shares
string
--filter-sharesFilter share by access, option 'read' 'write' or 'read,write'
mssql-timeout
string
--mssql-timeoutSQL server connection timeout (default: 5)
no-bruteforce
boolean
--no-bruteforceNo spray when using file for username and password (user1 => password1, user2 => password2)
rid-brute-max
string
--rid-brute specify max RID to enumerate users by bruteforcing RIDs
spider-folder
string
--spider-folderfolder to spider (default: .)
wmi-namespace
string
--wmi-namespace WMI Namespace (default: root\cimv2)
loggedon-users
boolean
--loggedon-usersenumerate logged on users
module-options
string
-omodule options
no-write-check
boolean
--no-write-checkSkip write check on shares (avoid leaving traces when missing delete permissions)
gmsa-convert-id
string
--gmsa-convert-idGet the secret name of specific gmsa or all gmsa if no gmsa provided
host-fail-limit
string
--fail-limit max number of failed login attempts per host
connectback-host
string
--connectback-hostIP for the remote system to connect back to
get-output-tries
string
--get-output-triesNumber of times atexec/smbexec/mmcexec tries to get results (default: 10)
gmsa-decrypt-lsa
string
--gmsa-decrypt-lsaDecrypt the gmsa encrypted value from LSA
global-fail-limit
string
--gfail-limit max number of global failed login attempts
no-command-output
boolean
--no-output do not retrieve command output
ignore-pw-decoding
boolean
--ignore-pw-decodingIgnore non UTF-8 characters when decoding the password file
powershell-command
string
-Xexecute the specified PowerShell command
continue-on-success
boolean
--continue-on-successcontinues authentication attempts even after successes
username-fail-limit
string
--ufail-limit max number of failed login attempts per username
no-powershell-encode
boolean
--no-encode Do not encode the PowerShell command run on target
obfuscate-powershell
boolean
--obfs Obfuscate PowerShell run on target; WARNING: Defender will almost certainly trigger on this
disply-module-options
boolean
--options display module options
loggedon-users-filter
string
--loggedon-users-filteronly search for specific user, works with regex
password-not-required
boolean
--password-not-requiredGet the list of users with flag PASSWD_NOTREQD
trusted-for-delegation
boolean
--trusted-for-delegationGet the list of users and computers with flag TRUSTED_FOR_DELEGATION
domain-controllers-list
boolean
--dc-list Enumerate Domain Controllers
clear-obfuscated-scripts
boolean
--clear-obfscripts Clear all cached obfuscated PowerShell scripts
kerberos-domain-controller-host
string
--kdcHost FQDN of the domain controller. If omitted, the domain part (FQDN) specified in the target parameter is used