NetExec

A CrackMapExec alternative

Introduction

NetExec is a tool for assisting in network service exploitation. It has many modules for working with different network protocols, such as RPC, SMB, LDAP, WMI, SSH and FTP. 💥

You can find it online on GitHub, and the official documentation website:

Their documentation includes this note:

This tool is based on CrackMapExec and was originally created by bytebleeder and maintained by @mpgn over the years, shout out to them! With the retirement of mpgn, we (@zblurx, @Marshall and @NeffIsBack) decided to maintain the tool NetExec, formerly known as CrackMapExec, as a completely free open source tool.

As mentioned, NetExec has support for a lot of different protocols:

  • SMB

  • SSH

  • LDAP

  • FTP

  • WMI

  • WINRM

  • RDP

  • VNC

  • MSSQL

Often, you'll interact with these services using different sets of credentials: either username and password pairs that you already know authenticate, or brute forcing to uncover new access.

You should be able to run

NetExec

or more simply:

nxc

Enumerating hosts with SMB and NetExec

┌──(kali㉿kali)-[~]
└─$ nxc smb hosts.txt 

SMB         10.0.26.40      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:netexec.lab) (signing:True) (SMBv1:False)
SMB         10.0.29.182     445    FS01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:FS01) (domain:netexec.lab) (signing:False) (SMBv1:False)
SMB         10.0.21.207     445    SQL01            [*] Windows Server 2016 Datacenter 14393 (name:SQL01) (domain:netexec.lab) (signing:False) (SMBv1:True)
Running nxc against 3 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

Enumerating SMB shares

NULL Logon Sessions

└─$ nxc smb hosts.txt -u '' -p '' --shares

SMB         10.0.26.40      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:netexec.lab) (signing:True) (SMBv1:False)
SMB         10.0.29.182     445    FS01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:FS01) (domain:netexec.lab) (signing:False) (SMBv1:False)
SMB         10.0.26.40      445    DC01             [+] netexec.lab\: 
SMB         10.0.26.40      445    DC01             [-] Error enumerating shares: STATUS_ACCESS_DENIED
SMB         10.0.29.182     445    FS01             [+] netexec.lab\: 
SMB         10.0.29.182     445    FS01             [-] Error enumerating shares: STATUS_ACCESS_DENIED
SMB         10.0.21.207     445    SQL01            [*] Windows Server 2016 Datacenter 14393 (name:SQL01) (domain:netexec.lab) (signing:False) (SMBv1:True)
SMB         10.0.21.207     445    SQL01            [-] netexec.lab\: STATUS_ACCESS_DENIED 
SMB         10.0.21.207     445    SQL01            [-] Error enumerating shares: Error occurs while reading from remote(104)

Trying Guest or Anonymous Sessions

┌──(kali㉿kali)-[~]
└─$ nxc smb ./hosts.txt -u 'guest' -p '' --shares

SMB         10.0.26.40      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:netexec.lab) (signing:True) (SMBv1:False)
SMB         10.0.29.182     445    FS01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:FS01) (domain:netexec.lab) (signing:False) (SMBv1:False)
SMB         10.0.26.40      445    DC01             [-] netexec.lab\guest: STATUS_ACCOUNT_DISABLED 
SMB         10.0.29.182     445    FS01             [+] netexec.lab\guest: 
SMB         10.0.29.182     445    FS01             [*] Enumerated shares
SMB         10.0.29.182     445    FS01             Share           Permissions     Remark
SMB         10.0.29.182     445    FS01             -----           -----------     ------
SMB         10.0.29.182     445    FS01             ADMIN$                          Remote Admin
SMB         10.0.29.182     445    FS01             C$                              Default share
SMB         10.0.29.182     445    FS01             Everyone        READ            Everyone can access
SMB         10.0.29.182     445    FS01             IPC$            READ            Remote IPC
SMB         10.0.29.182     445    FS01             Secret                          This share stores secrets. No peeking
SMB         10.0.21.207     445    SQL01            [*] Windows Server 2016 Datacenter 14393 (name:SQL01) (domain:netexec.lab) (signing:False) (SMBv1:True)
SMB         10.0.21.207     445    SQL01            [-] netexec.lab\guest: STATUS_ACCOUNT_DISABLED

┌──(kali㉿kali)-[~]
└─$ nxc smb ./hosts.txt -u 'anonymous' -p '' --shares

SMB         10.0.26.40      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:netexec.lab) (signing:True) (SMBv1:False)
SMB         10.0.29.182     445    FS01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:FS01) (domain:netexec.lab) (signing:False) (SMBv1:False)
SMB         10.0.26.40      445    DC01             [-] netexec.lab\anonymous: STATUS_LOGON_FAILURE 
SMB         10.0.29.182     445    FS01             [+] netexec.lab\anonymous: 
SMB         10.0.29.182     445    FS01             [*] Enumerated shares
SMB         10.0.29.182     445    FS01             Share           Permissions     Remark
SMB         10.0.29.182     445    FS01             -----           -----------     ------
SMB         10.0.29.182     445    FS01             ADMIN$                          Remote Admin
SMB         10.0.29.182     445    FS01             C$                              Default share
SMB         10.0.29.182     445    FS01             Everyone        READ            Everyone can access
SMB         10.0.29.182     445    FS01             IPC$            READ            Remote IPC
SMB         10.0.29.182     445    FS01             Secret                          This share stores secrets. No peeking
SMB         10.0.21.207     445    SQL01            [*] Windows Server 2016 Datacenter 14393 (name:SQL01) (domain:netexec.lab) (signing:False) (SMBv1:True)
SMB         10.0.21.207     445    SQL01            [-] netexec.lab\anonymous: STATUS_LOGON_FAILURE 
Running nxc against 3 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
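
The output above already contains the findings a defender would act on: hosts reporting signing:False or SMBv1:True, and shares that a guest or anonymous logon can read. The following Python is an added example, not part of the original page or the NetExec project, that extracts them per host; the `audit` function name and the finding strings are assumptions of this example, and the sample is assembled from lines shown on this page.

```python
import re

# Constructed sample: lines assembled from the guest-session output on this page.
SAMPLE = r"""
SMB         10.0.26.40      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:netexec.lab) (signing:True) (SMBv1:False)
SMB         10.0.29.182     445    FS01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:FS01) (domain:netexec.lab) (signing:False) (SMBv1:False)
SMB         10.0.26.40      445    DC01             [-] netexec.lab\guest: STATUS_ACCOUNT_DISABLED
SMB         10.0.29.182     445    FS01             [+] netexec.lab\guest:
SMB         10.0.29.182     445    FS01             Share           Permissions     Remark
SMB         10.0.29.182     445    FS01             ADMIN$                          Remote Admin
SMB         10.0.29.182     445    FS01             Everyone        READ            Everyone can access
SMB         10.0.29.182     445    FS01             IPC$            READ            Remote IPC
SMB         10.0.29.182     445    FS01             Secret                          This share stores secrets. No peeking
SMB         10.0.21.207     445    SQL01            [*] Windows Server 2016 Datacenter 14393 (name:SQL01) (domain:netexec.lab) (signing:False) (SMBv1:True)
"""

# Every nxc smb line starts with: protocol, IP, port, hostname.
PREFIX = r"^SMB\s+(?P<ip>\S+)\s+\d+\s+\S+\s+"
BANNER = re.compile(PREFIX + r"\[\*\].*\(signing:(?P<sign>True|False)\)\s*\(SMBv1:(?P<v1>True|False)\)")
LOGIN = re.compile(PREFIX + r"\[\+\]\s+[^\\\s]*\\(?P<user>[^:\s]*):")
# Only READ appears on this page; other permission strings are assumed
# to start with READ or WRITE as well.
SHARE = re.compile(PREFIX + r"(?P<share>\S+)\s+(?P<perm>(?:READ|WRITE)\S*)(?:\s|$)")

def audit(output):
    """Map each IP to a sorted list of hardening findings in nxc smb output."""
    findings, user = {}, {}
    for line in output.splitlines():
        if m := BANNER.match(line):
            # Assumption: signing:False means the host does not require signing.
            if m["sign"] == "False":
                findings.setdefault(m["ip"], set()).add("SMB signing not required")
            if m["v1"] == "True":
                findings.setdefault(m["ip"], set()).add("SMBv1 enabled")
        elif m := LOGIN.match(line):
            # Remember which account the following share table belongs to.
            user[m["ip"]] = m["user"] or "<null session>"
        elif (m := SHARE.match(line)) and m["share"].upper() != "IPC$":
            who = user.get(m["ip"], "<unknown>")
            findings.setdefault(m["ip"], set()).add(
                f"share {m['share']} is {m['perm']} for {who}")
    return {ip: sorted(f) for ip, f in findings.items()}

if __name__ == "__main__":
    for ip, items in audit(SAMPLE).items():
        print(ip, "->", "; ".join(items))
```

IPC$ is skipped because it is listed as READ for any authenticated session and is not a file share.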

Dumping shares

We can use NetExec and its supported modules to dump or download all the files present on the share.

┌──(kali㉿kali)-[~]
└─$ nxc smb 10.0.29.182 -u 'anonymous' -p '' -M spider_plus -o DOWNLOAD_FLAG=True

SMB         10.0.29.182     445    FS01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:FS01) (domain:netexec.lab) (signing:False) (SMBv1:False)
SMB         10.0.29.182     445    FS01             [+] netexec.lab\anonymous: 
SPIDER_P... 10.0.29.182     445    FS01             [*] Started module spidering_plus with the following options:
SPIDER_P... 10.0.29.182     445    FS01             [*]  DOWNLOAD_FLAG: True
SPIDER_P... 10.0.29.182     445    FS01             [*]     STATS_FLAG: True
SPIDER_P... 10.0.29.182     445    FS01             [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_P... 10.0.29.182     445    FS01             [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_P... 10.0.29.182     445    FS01             [*]  MAX_FILE_SIZE: 50 KB
SPIDER_P... 10.0.29.182     445    FS01             [*]  OUTPUT_FOLDER: /tmp/nxc_spider_plus
SMB         10.0.29.182     445    FS01             [*] Enumerated shares
SMB         10.0.29.182     445    FS01             Share           Permissions     Remark
SMB         10.0.29.182     445    FS01             -----           -----------     ------
SMB         10.0.29.182     445    FS01             ADMIN$                          Remote Admin
SMB         10.0.29.182     445    FS01             C$                              Default share
SMB         10.0.29.182     445    FS01             Everyone        READ            Everyone can access
SMB         10.0.29.182     445    FS01             IPC$            READ            Remote IPC
SMB         10.0.29.182     445    FS01             Secret                          This share stores secrets. No peeking
SPIDER_P... 10.0.29.182     445    FS01             [+] Saved share-file metadata to "/tmp/nxc_spider_plus/10.0.29.182.json".
SPIDER_P... 10.0.29.182     445    FS01             [*] SMB Shares:           5 (ADMIN$, C$, Everyone, IPC$, Secret)
SPIDER_P... 10.0.29.182     445    FS01             [*] SMB Readable Shares:  2 (Everyone, IPC$)
SPIDER_P... 10.0.29.182     445    FS01             [*] SMB Filtered Shares:  1
SPIDER_P... 10.0.29.182     445    FS01             [*] Total folders found:  0
SPIDER_P... 10.0.29.182     445    FS01             [*] Total files found:    0

Finding Users

We can try this with the guest user or a null session:

nxc smb ./hosts.txt -u 'guest' -p '' --users
nxc smb ./hosts.txt -u '' -p '' --users
