Pentesting Quick Reference OSCP and Beyond
  • Basic Tools & Techniques
  • Linux Basics
  • Windows Basics
  • Shells
  • Uploading Shells/ Transferring Files
  • FootPrinting
  • Host Discovery
  • Scanning
  • Vulnerability assessment
  • Metasploit and Meterpreter
    • Payloads
  • Brute Forcing/ Password Cracking
    • Attacking LSASS Passwords
    • Credentials Hunting Windows
    • Credential Hunting in Linux
    • Passwd, Shadow & Opasswd
    • Pass the Hash (PtH)
    • Protected Files
    • Protected Archives
    • Password Policies
    • Password Managers
    • Breached Credentials
    • Mimikatz
  • Linux Remote Management Protocols
  • Windows Remote Management Protocols
  • Port 20/21 - FTP Pentesting
  • Port 23 Telnet
  • Port 25 - SMTP
  • IMAP/ POP3
  • Port 53 DNS
  • Port 445 - SMB
  • Port 111 -RPC Bind
  • Port 135 - RPC
  • Port 137 NetBios
  • Port 161 SNMP
  • Port 1433 - MSSQL
  • Port 1521 Oracle TNS
  • Port 1833 - MQTT
  • Port 2049 - NFS
  • Port 3306 MySQL
  • Port 3389 - RDP
  • Port 5985 - Winrm
  • Port 632 (UDP) IPMI
  • Redis (6379)
  • Port 10000 Webmin
  • Privilege Escalation
    • Windows Priv esc
    • Linux Priv esc
  • Active Directory
    • AD Basics
      • AD Management Basics
    • Initial Enumeration of AD
      • Enumerating AD Users
    • Password Spraying
      • Enumerating & Retrieving Password Policies
      • Password Spraying - Making a Target User List
      • Internal Password Spraying - from Linux
      • Internal Password Spraying - from Windows
      • Enumerating Security Controls
    • LLMNR Poisoning
    • SMB/ NTLM Relay Attacks
    • IPv6 Attacks
      • IPV6 DNS takeover
      • WPAD
    • Passback Attacks
    • AS-REP roasting
    • AD Shell
    • AD Enumeration
      • Credentialed Enumeration - from Linux
      • Credentialed Enumeration - from Windows
      • Living off the Land
      • BloodHound
      • Plumhound
      • Bloodhound CE
      • ldapdomaindump
      • PingCastle
    • Post Compromise
      • Kerberosting
        • Kerberos "Double Hop" Problem
      • Pass Attacks
        • Pass the Hash
        • Pass the Ticket
          • Pass the Ticket (PtT) from Windows
          • Pass the Ticket (PtT) from Linux
      • Token Impersonation
      • LNK File Attacks
      • Miscellaneous Misconfigurations
    • Access Control List (ACL) Abuse Primer
      • ACL Enumeration
      • ACL Abuse Tactics
      • DCSync
        • DCSync Example Forest HTB
    • Post Owning Domain
      • Attacking Active Directory & NTDS.dit 1
      • Golden Ticket Attacks
    • Privilege Escaltion
    • Bleeding Edge Vulnerabilities
    • Domain Trusts
      • Attacking Domain Trusts - Child -> Parent Trusts - from Windows
      • Attacking Domain Trusts - Child -> Parent Trusts - from Linux
      • Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows
      • Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux
    • Hardening Active Directory
    • Additional AD Auditing Techniques
    • HTB AD Enumeration & Attacks - Skills Assessment Part I
  • Web Pentesting
    • Subdomains, directories and Vhost listing
    • Command Injection
    • XSS
    • SQL Injection
    • Authentication Bypass
  • Cryptography
  • More Resources
  • Forensics
  • IoT Security
  • API Security
  • Binary Exploitation
    • Assembly Cheatsheat for Hackers
    • Malware Analysis
      • Basic Static Malware Analysis
  • Boxes/ Machines
    • Try Hack Me
      • Vulnversity
      • Basic Pentesting
      • Kenobi
      • Steel Mountain
    • Vulnhub
      • Tiki
    • HTB
      • Beep
      • Active
      • Forest
      • Devel
    • Metasploitable 2
    • PWN.COLLEGE Talking Web
    • PWN COLLGE Web Hacking
  • Private Challenges
    • Pwn
    • Forensics
  • Misc tools
    • NetExec
  • SOC Analyst Resources
  • OSCP Tips and Misc
  • Mobile Hacking
  • Buffer Overflow
  • Wordpress
  • Web3 and Blockchain Security
  • WIFI Hacking
    • WPS Hacking
    • Misc Tools
Powered by GitBook
On this page
  • Introduction
  • Enumerating host with smb and Netexec
  • Enumerating SMB shares
  • Finding Users
  1. Misc tools

NetExec

crack map exec alternative

PreviousMisc toolsNextSOC Analyst Resources

Last updated 1 year ago

Introduction

is a tool for assisting in network service exploitation. It has tons of different modules for exploiting different kinds of network protocols, like RPC, SMB, and others like LDAP, WMI, SSH and FTP. πŸ’₯

You can find it online on , and the :

Their documentation includes this note:

This tool is based on CrackMapExec and was originally created by bytebleeder and maintained by over the years, shout out to them! With the retirement of mpgn, we (, and ) decided to maintain the tool NetExec, formerly known as CrackMapExec, as a completely free open source tool.

As mentioned, has support for a lot of different protocols:

  • SMB

  • SSH

  • LDAP

  • FTP

  • WMI

  • WINRM

  • RDP

  • VNC

  • MSSQL

Often times, you'll interact with these using different sets of credentials, either with username or password pairing that you already know authenticate, or bruteforcing to uncover new access.

you should be able to run

NetExec

or more simply:

nxc

Enumerating host with smb and Netexec

β”Œβ”€β”€(kaliγ‰Ώkali)-[~]
└─$ nxc smb hosts.txt 

SMB         10.0.26.40      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:netexec.lab) (signing:True) (SMBv1:False)
SMB         10.0.29.182     445    FS01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:FS01) (domain:netexec.lab) (signing:False) (SMBv1:False)
SMB         10.0.21.207     445    SQL01            [*] Windows Server 2016 Datacenter 14393 (name:SQL01) (domain:netexec.lab) (signing:False) (SMBv1:True)
Running nxc against 3 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

Enumerating SMB shares

NULL Logon Sessions

└─$ nxc smb hosts.txt -u '' -p '' --shares

SMB         10.0.26.40      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:netexec.lab) (signing:True) (SMBv1:False)
SMB         10.0.29.182     445    FS01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:FS01) (domain:netexec.lab) (signing:False) (SMBv1:False)
SMB         10.0.26.40      445    DC01             [+] netexec.lab\: 
SMB         10.0.26.40      445    DC01             [-] Error enumerating shares: STATUS_ACCESS_DENIED
SMB         10.0.29.182     445    FS01             [+] netexec.lab\: 
SMB         10.0.29.182     445    FS01             [-] Error enumerating shares: STATUS_ACCESS_DENIED
SMB         10.0.21.207     445    SQL01            [*] Windows Server 2016 Datacenter 14393 (name:SQL01) (domain:netexec.lab) (signing:False) (SMBv1:True)
SMB         10.0.21.207     445    SQL01            [-] netexec.lab\: STATUS_ACCESS_DENIED 
SMB         10.0.21.207     445    SQL01            [-] Error enumerating shares: Error occurs while reading from remote(104)

Trying Guest or Anonymous Sessions

β”Œβ”€β”€(kaliγ‰Ώkali)-[~]
└─$ nxc smb ./hosts.txt -u 'guest' -p '' --shares

SMB         10.0.26.40      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:netexec.lab) (signing:True) (SMBv1:False)
SMB         10.0.29.182     445    FS01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:FS01) (domain:netexec.lab) (signing:False) (SMBv1:False)
SMB         10.0.26.40      445    DC01             [-] netexec.lab\guest: STATUS_ACCOUNT_DISABLED 
SMB         10.0.29.182     445    FS01             [+] netexec.lab\guest: 
SMB         10.0.29.182     445    FS01             [*] Enumerated shares
SMB         10.0.29.182     445    FS01             Share           Permissions     Remark
SMB         10.0.29.182     445    FS01             -----           -----------     ------
SMB         10.0.29.182     445    FS01             ADMIN$                          Remote Admin
SMB         10.0.29.182     445    FS01             C$                              Default share
SMB         10.0.29.182     445    FS01             Everyone        READ            Everyone can access
SMB         10.0.29.182     445    FS01             IPC$            READ            Remote IPC
SMB         10.0.29.182     445    FS01             Secret                          This share stores secrets. No peeking
SMB         10.0.21.207     445    SQL01            [*] Windows Server 2016 Datacenter 14393 (name:SQL01) (domain:netexec.lab) (signing:False) (SMBv1:True)
SMB         10.0.21.207     445    SQL01            [-] netexec.lab\guest: STATUS_ACCOUNT_DISABLED                                                                                                                                                           
β”Œβ”€β”€(kaliγ‰Ώkali)-[~]
└─$ nxc smb ./hosts.txt -u 'anonymous' -p '' --shares

SMB         10.0.26.40      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:netexec.lab) (signing:True) (SMBv1:False)
SMB         10.0.29.182     445    FS01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:FS01) (domain:netexec.lab) (signing:False) (SMBv1:False)
SMB         10.0.26.40      445    DC01             [-] netexec.lab\anonymous: STATUS_LOGON_FAILURE 
SMB         10.0.29.182     445    FS01             [+] netexec.lab\anonymous: 
SMB         10.0.29.182     445    FS01             [*] Enumerated shares
SMB         10.0.29.182     445    FS01             Share           Permissions     Remark
SMB         10.0.29.182     445    FS01             -----           -----------     ------
SMB         10.0.29.182     445    FS01             ADMIN$                          Remote Admin
SMB         10.0.29.182     445    FS01             C$                              Default share
SMB         10.0.29.182     445    FS01             Everyone        READ            Everyone can access
SMB         10.0.29.182     445    FS01             IPC$            READ            Remote IPC
SMB         10.0.29.182     445    FS01             Secret                          This share stores secrets. No peeking
SMB         10.0.21.207     445    SQL01            [*] Windows Server 2016 Datacenter 14393 (name:SQL01) (domain:netexec.lab) (signing:False) (SMBv1:True)
SMB         10.0.21.207     445    SQL01            [-] netexec.lab\anonymous: STATUS_LOGON_FAILURE 
Running nxc against 3 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

Dumping shares

We can use NetExec and its supported modules to dump or download all the files present on the share.

β”Œβ”€β”€(kaliγ‰Ώkali)-[~]
└─$ nxc smb 10.0.29.182 -u 'anonymous' -p '' -M spider_plus -o DOWNLOAD_FLAG=True

SMB         10.0.29.182     445    FS01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:FS01) (domain:netexec.lab) (signing:False) (SMBv1:False)
SMB         10.0.29.182     445    FS01             [+] netexec.lab\anonymous: 
SPIDER_P... 10.0.29.182     445    FS01             [*] Started module spidering_plus with the following options:
SPIDER_P... 10.0.29.182     445    FS01             [*]  DOWNLOAD_FLAG: True
SPIDER_P... 10.0.29.182     445    FS01             [*]     STATS_FLAG: True
SPIDER_P... 10.0.29.182     445    FS01             [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_P... 10.0.29.182     445    FS01             [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_P... 10.0.29.182     445    FS01             [*]  MAX_FILE_SIZE: 50 KB
SPIDER_P... 10.0.29.182     445    FS01             [*]  OUTPUT_FOLDER: /tmp/nxc_spider_plus
SMB         10.0.29.182     445    FS01             [*] Enumerated shares
SMB         10.0.29.182     445    FS01             Share           Permissions     Remark
SMB         10.0.29.182     445    FS01             -----           -----------     ------
SMB         10.0.29.182     445    FS01             ADMIN$                          Remote Admin
SMB         10.0.29.182     445    FS01             C$                              Default share
SMB         10.0.29.182     445    FS01             Everyone        READ            Everyone can access
SMB         10.0.29.182     445    FS01             IPC$            READ            Remote IPC
SMB         10.0.29.182     445    FS01             Secret                          This share stores secrets. No peeking
SPIDER_P... 10.0.29.182     445    FS01             [+] Saved share-file metadata to "/tmp/nxc_spider_plus/10.0.29.182.json".
SPIDER_P... 10.0.29.182     445    FS01             [*] SMB Shares:           5 (ADMIN$, C$, Everyone, IPC$, Secret)
SPIDER_P... 10.0.29.182     445    FS01             [*] SMB Readable Shares:  2 (Everyone, IPC$)
SPIDER_P... 10.0.29.182     445    FS01             [*] SMB Filtered Shares:  1
SPIDER_P... 10.0.29.182     445    FS01             [*] Total folders found:  0
SPIDER_P... 10.0.29.182     445    FS01             [*] Total files found:    0

Finding Users

We may try with guest user or null session

nxc smb ./hosts.txt -u 'guest' -p '' --users
nxc smb ./hosts.txt -u '' -p '' --users
NetExec
Github
official documentation website
https://github.com/Pennyw0rth/NetExec
https://www.netexec.wiki/
@mpgn
@zblurx
@Marshall
@NeffIsBack
NetExec