Netexec

https://www.netexec.wiki/

Viewing Available Protocols

Running nxc --help will list general options and protocols that are available (Notice the 'protocols' section below):

#~ nxc --help
usage: nxc [-h] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL] [--no-progress] [--verbose] [--debug] [--version] {smb,ssh,ldap,ftp,wmi,winrm,rdp,vnc,mssql,nfs} ...

    <-- Banner -->   

options:
  -h, --help            show this help message and exit
  -t THREADS            set how many concurrent threads to use (default: 100)
  --timeout TIMEOUT     max timeout in seconds of each thread (default: None)
  --jitter INTERVAL     sets a random delay between each connection (default: None)
  --no-progress         Not displaying progress bar during scan
  --verbose             enable verbose output
  --debug               enable debug level information
  --version             Display nxc version

protocols:
  available protocols

  {smb,ssh,ldap,ftp,wmi,winrm,rdp,vnc,mssql,nfs}
    smb                 own stuff using SMB
    ssh                 own stuff using SSH
    ldap                own stuff using LDAP
    ftp                 own stuff using FTP
    wmi                 own stuff using WMI
    winrm               own stuff using WINRM
    rdp                 own stuff using RDP
    vnc                 own stuff using VNC
    mssql               own stuff using MSSQL
    nfs                 own stuff using NFS

Target Formats

Every protocol accepts targets as CIDR notation(s), IP address(es), IP range(s), hostname(s), a file containing a list of targets, or any combination of these.
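As an added example (not NetExec's own code), here is a small expander that turns those target forms into a flat host list, so you can see what a given target string will actually hit before running it against a network. It assumes the two range spellings 10.0.0.1-10.0.0.5 and 10.0.0.1-5 and treats anything that is not an address, range or existing file as a hostname; check the wiki for the exact range syntax nxc accepts.

```python
"""Expand NetExec-style target specifications into individual hosts.

Added illustrative example, not NetExec's own code. It assumes the formats
the wiki lists (CIDR, single IP, IP range, hostname, file of targets) and
two range spellings, 10.0.0.1-10.0.0.5 and 10.0.0.1-5 (assumed syntax).
"""
import ipaddress
import os
import re

_RANGE_FULL = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")
_RANGE_SHORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){2})\.(\d{1,3})-(\d{1,3})$")


def _expand_range(spec):
    """Return the hosts in an IPv4 range, or None if spec is not a range."""
    m = _RANGE_FULL.match(spec)
    if m:
        start = ipaddress.IPv4Address(m.group(1))
        end = ipaddress.IPv4Address(m.group(2))
    else:
        m = _RANGE_SHORT.match(spec)
        if not m:
            return None
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        start = ipaddress.IPv4Address(f"{prefix}.{lo}")
        end = ipaddress.IPv4Address(f"{prefix}.{hi}")
    if end < start:
        raise ValueError(f"range end before start: {spec}")
    return [str(ipaddress.IPv4Address(int(start) + i))
            for i in range(int(end) - int(start) + 1)]


def expand_target(spec, _depth=0):
    """Return the list of hosts one target token expands to."""
    spec = spec.strip()
    if not spec or spec.startswith("#"):
        return []
    # A readable file is a list of targets, one per line; each line may be
    # a CIDR, a range, an address or a hostname (nested files are refused).
    if os.path.isfile(spec):
        if _depth > 0:
            raise ValueError("nested target files are not expanded")
        with open(spec) as fh:
            return expand_targets(fh.read().split(), _depth=1)
    # CIDR: usable hosts only (network/broadcast dropped), single host for /32
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        hosts = [str(h) for h in net.hosts()]
        return hosts or [str(net.network_address)]
    # IP range in either spelling
    rng = _expand_range(spec)
    if rng is not None:
        return rng
    # Single address
    try:
        return [str(ipaddress.ip_address(spec))]
    except ValueError:
        pass
    # Anything else is treated as a hostname
    return [spec]


def expand_targets(specs, _depth=0):
    """Expand a list of target tokens, de-duplicating while keeping order."""
    seen, out = set(), []
    for spec in specs:
        for host in expand_target(spec, _depth):
            if host not in seen:
                seen.add(host)
                out.append(host)
    return out


if __name__ == "__main__":
    print(expand_targets(["10.0.0.0/30", "10.0.0.10-12", "dc01.corp.local", "10.0.0.10"]))
```

Duplicates are collapsed because nxc would otherwise authenticate to the same host twice, which matters once you are counting attempts against a lockout policy.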

Using Credentials

Every protocol supports using credentials in one form or another. For details on using credentials with a specific protocol, see the appropriate wiki section.

Generally speaking, to use credentials, you can run the following commands:

Code execution results in (Pwn3d!) being appended to the login confirmation. With the SMB protocol this most likely means the compromised user is in the local Administrators group.

Protocol   What (Pwn3d!) in the output means
--------   ----------------------------------
FTP        No check
SSH        root (otherwise a specific message) ✅
WINRM      Code execution at least 👾
LDAP       Path to domain admin 👑
SMB        Most likely local admin ✅
RDP        Code execution at least 👾
VNC        Code execution at least 👾
WMI        Most likely local admin ✅

When using usernames or passwords that contain special symbols (especially exclamation points!), wrap them in single quotes so your shell treats them as a literal string.

Example:

Because of how Python's argument parser (argparse) treats values that start with a dash, credentials beginning with - will trigger an "expected at least one argument" error. Work around this by passing the credential in the 'long' argument form (note the = sign):

Using a Credential Set From the Database

By specifying a credential ID (or multiple credential IDs) with the -id flag nxc will automatically pull that credential from the back-end database and use it to authenticate (saves a lot of typing):

Multi-Domain Environment

You can use nxc in a multi-domain environment.

Where FILE is a file with usernames in this format

Brute Forcing & Password Spraying

All protocols support brute-forcing and password spraying. For details on brute-forcing/password spraying with a specific protocol, see the appropriate wiki section.

By specifying a file or multiple values nxc will automatically brute-force logins for all targets using the specified protocol:

Examples:

Password Spraying Without Bruteforce

Can be useful for protocols like WinRM and MSSQL. When you pass files (-u file -p file), the --no-bruteforce option skips the full user x password cross product and instead pairs line N of the user file with line N of the password file.

By default nxc exits after the first successful login. With the --continue-on-success flag it keeps spraying after a valid password is found, which is useful for spraying a single password against a large user list. The --continue-on-success flag is incompatible with command execution.

Throttling Authentication Requests

Authentication throttling works on a per-host basis! Keep this in mind if you are spraying credentials against multiple hosts.

If you need to throttle authentications during brute forcing, use the jitter functionality. The delay (in seconds) between requests is chosen at random from the interval you specify; to hardcode a fixed delay, set the upper and lower bounds of the interval to the same value. The syntax is as follows:

Using Kerberos

nxc supports Kerberos authentication in two ways: directly with a password or hash, or with an existing ticket, in which case you point the KRB5CCNAME environment variable at the ccache file.

When using -k or --use-kcache you must target the host by the same hostname (FQDN) that appears in the Kerberos ticket rather than by IP address, otherwise the service ticket will not match and authentication fails.

Or, using --use-kcache

Example with LDAP and option --kdcHost

Using Modules

Viewing Available Modules for a Protocol

Run nxc <protocol> -L to view available modules for the specified protocol.

For example to view all modules for the SMB protocol:

Using a Module

Run nxc <protocol> <target(s)> -M <module name>.

For example to run the SMB Mimikatz module:

Viewing Module Options

Run nxc <protocol> -M <module name> --options to view a module's supported options, e.g.:

Using Module Options

Module options are specified with the -o flag. All options are specified in the form of KEY=value (msfvenom style)

Example:

🆕 Running Multiple Modules

Simply define all the modules you want, each preceded by a -M option flag:

nxc <protocol> <target(s)> -u Administrator -p 'P@ssw0rd' -M spooler -M printnightmare -M shadowcoerce -M petitpotam

Scan for Vulnerabilities

When you start your internal pentest, these are the first modules you should try:

ZeroLogon

noPAC

You need credentials for the noPAC vulnerability check.

PrintNightmare

SMBGhost

MS17-010 (Not tested outside LAB environment)

Or, try them all at once! Just list each one: -M zerologon -M printnightmare

Scan for Coerce Vulnerabilities

You can check for coercion vulnerabilities such as PetitPotam, DFSCoerce, PrinterBug, MSEven and ShadowCoerce using the coerce_plus module, with or without credentials. By default the LISTENER address is set to localhost, so the target is coerced into connecting to itself and nothing reaches a listener on your side of the network.

If a vulnerability is found, you can set a LISTENER ip to coerce the connection.

To run all exploit methods at once, add the ALWAYS=true option, otherwise it will stop if the underlying RPC connection reports a successful coercion.

You can also check for a specific coerce method by specifying it:

Instead of using the METHOD option, you can use its short form M. Similarly, the argument LISTENER can be shortened to L.

This also applies to the names of the vulnerabilities when specifying a method.

M=p // Invalid: both petitpotam and printerbug start with 'p', so the module gives an error

M=pr // Matches printerbug

M=pe // Matches petitpotam

M=dfs // Matches dfscoerce
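The prefix rule above, as an added Python example that is not the coerce_plus module's own code. It uses only the five method names this page lists, so the real module, which may know more methods, could make other prefixes ambiguous too; the small option parser also expands the M and L short forms to METHOD and LISTENER as described.

```python
"""Resolve a coerce_plus METHOD (short form M) value by unambiguous prefix.

Added example reproducing the matching rule described on this page; it is
not the module's own code. The method list is the one the wiki names.
"""
METHODS = ["petitpotam", "dfscoerce", "printerbug", "mseven", "shadowcoerce"]


def matching_methods(value, methods=METHODS):
    """All method names that start with `value` (case-insensitive)."""
    needle = value.strip().lower()
    if not needle:
        return []
    # An exact name always wins, even if it is also a prefix of another name
    if needle in methods:
        return [needle]
    return [m for m in methods if m.startswith(needle)]


def resolve_method(value, methods=METHODS):
    """Return the single method `value` selects.

    Raises ValueError when nothing matches or when the prefix is ambiguous,
    mirroring the error the module gives for M=p.
    """
    matches = matching_methods(value, methods)
    if not matches:
        raise ValueError(f"no coerce method matches '{value}'")
    if len(matches) > 1:
        raise ValueError(f"'{value}' is ambiguous: {', '.join(matches)}")
    return matches[0]


def parse_module_options(opts, aliases=None):
    """Parse msfvenom-style KEY=value module options and expand short aliases.

    Keys are treated case-insensitively here (an assumption of this example);
    METHOD values are resolved through the prefix rule.
    """
    aliases = aliases or {"M": "METHOD", "L": "LISTENER"}
    result = {}
    for opt in opts:
        if "=" not in opt:
            raise ValueError(f"option '{opt}' is not KEY=value")
        key, _, val = opt.partition("=")
        key = key.upper()
        key = aliases.get(key, key)
        result[key] = resolve_method(val) if key == "METHOD" else val
    return result


if __name__ == "__main__":
    print(parse_module_options(["M=pe", "L=10.10.14.5", "ALWAYS=true"]))
    print(matching_methods("p"))  # two candidates, so M=p is rejected
```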

Check out what other modules are available via nxc <protocol> -L

Map Network Hosts

Returns a list of live hosts

Expected Results:

Enumerate Null Sessions

Check if Null Session, also known as Anonymous session, is enabled on the network. Can be very useful on a Domain Controller to enumerate users, groups, password policies, etc.

You can also reproduce this behavior with smbclient or rpcclient

Reference: Network access: Shares that can be accessed anonymously (Microsoft Learn)

Example

Forest or Monteverde machines are good examples to test null session authentication with NetExec

https://www.hackthebox.eu/home/machines/profile/212
https://www.hackthebox.eu/home/machines/profile/223

Enumerate Guest Logon

Using a random username you can check whether the target accepts guest logon. If it does, either the domain guest account or the local guest account of the server you're targeting is enabled.

Make sure the password is empty.

Note that if the domain guest account is available you can use it to launch attacks such as coercion.

Reference: Guest vs Null session on Windows

Example

Nest machine is a good example of guest logon with NetExec

https://www.hackthebox.eu/home/machines/profile/225

Enumerate Hosts with SMB Signing Not Required

Maps the network of live hosts and saves a list of only the hosts that don't require SMB signing. List format is one IP per line

Expected Results:

Alternative with nmap

You can also list only the hosts that don't require SMB signing using nmap

Enumerate Active Sessions

Enumerate active sessions on the remote target

Enumerate Shares and Access

Enumerate permissions on all shares

By far one of the most useful features of nxc.

If you want to filter only by readable or writable share

Enumerate Network Interfaces

You need at least local admin privilege on the remote target, use option --local-auth if your user is a local account

Enumerate network interfaces on a host:

Example output of the interface enumeration

Enumerate Disks

Enumerate disks on the remote target

Enumerate Logged on Users

Enumerate logged users on the remote target

Enumerate Domain Users

Enumerate domain users on the remote target

Enumerate Users by Bruteforcing RID

Enumerate users by bruteforcing the RID on the remote target

Enumerate Domain Groups

Enumerate domain groups on the remote target

Enumerate Local Groups

Enumerate local groups on the remote target

Enumerate Domain Password Policy

Using the option --pass-pol you can get the password policy of the domain

Enumerate Anti-Virus & EDR

Enumerate antivirus installed using NetExec

You don't need to be a privileged user to do this action

Password Spraying

Using NetExec for password spraying

Using Username/Password Lists

You can use multiple usernames or passwords by separating the names/passwords with a space.

nxc accepts txt files of usernames and passwords. One user/password per line. Watch out for account lockout!

By default nxc will exit after a successful login is found. Using the --continue-on-success flag, it will continue spraying even after a valid password is found. Useful for spraying a single password against a large user list. This is incompatible with command execution.

Usage example:

Checking 'username == password' using wordlist

Checking multiple usernames/passwords using wordlist

The result will be:

  • user1 => password1

  • user1 => password2

  • user2 => password1

  • user2 => password2

Be careful to not lock accounts using this technique

Checking one login equal one password using wordlist

No bruteforce possible with this one as 1 user = 1 password

The result will be:

  • user1 => password1

  • user2 => password2

Avoid range or a list of IPs when using the --no-bruteforce option
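The pairing rules from the "Brute Forcing & Password Spraying" section and from this section, as an added Python model that is not NetExec's own code. It reproduces the default user x password cross product, the one-to-one pairing of --no-bruteforce, the stop-after-first-success default versus --continue-on-success, and adds the lockout budget check a practitioner should run before spraying, driven by a lockout threshold such as the one --pass-pol reports. The threshold, the user list and the "valid" credential set are constructed for the demonstration.

```python
"""Model how NetExec pairs user and password lists when spraying.

Added example, not NetExec's own code. Demo data (users, passwords,
the VALID set and the lockout threshold) is constructed.
"""
from itertools import product


def build_attempts(users, passwords, no_bruteforce=False):
    """Return the (user, password) pairs that will be tried, in order."""
    if no_bruteforce:
        if len(users) != len(passwords):
            # Line N of the user file is paired with line N of the password
            # file; uneven files would silently drop the tail, so refuse.
            raise ValueError("--no-bruteforce needs user and password lists of equal length")
        return list(zip(users, passwords))
    # Default: every user against every password (user-major order)
    return list(product(users, passwords))


def check_lockout_budget(attempts, lockout_threshold):
    """Return the users whose attempt count reaches the lockout threshold.

    A threshold of 0 means lockout is disabled. The count is per user, so a
    single password sprayed over many users is safe while many passwords
    against one user is not.
    """
    if lockout_threshold == 0:
        return []
    counts = {}
    for user, _ in attempts:
        counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= lockout_threshold)


def run_spray(attempts, try_login, continue_on_success=False):
    """Drive attempts through try_login(user, password) -> bool.

    By default stop at the first valid credential, as nxc does; with
    continue_on_success keep going so one password is tested against
    the whole user list.
    """
    found = []
    for user, password in attempts:
        if try_login(user, password):
            found.append((user, password))
            if not continue_on_success:
                break
    return found


# Constructed demo directory: two users share the same weak password.
VALID = {("user1", "Winter2024!"), ("user3", "Winter2024!")}


def demo_login(user, password):
    """Stand-in for a real authentication attempt."""
    return (user, password) in VALID


if __name__ == "__main__":
    users = ["user1", "user2", "user3"]
    single = build_attempts(users, ["Winter2024!"])
    print(check_lockout_budget(single, lockout_threshold=5))        # safe: one try per user
    print(run_spray(single, demo_login))                             # stops at user1
    print(run_spray(single, demo_login, continue_on_success=True))   # user1 and user3
    many = build_attempts(users, ["a", "b", "c", "d", "e"])
    print(check_lockout_budget(many, lockout_threshold=5))          # every user at risk
```

The lockout check is the part worth keeping around: run it over the pairs you are about to send, not over the raw wordlists, because the pairing mode changes the per-user count.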

Checking Credentials (Domain)

Authentication

  • Failed logins result in a [-]

  • Successful logins result in a [+] Domain\Username:Password

Code execution results in a (Pwn3d!) added after the login confirmation. With SMB protocol, most likely your compromised user is in the local administrators group.

The following checks will attempt authentication to the entire /24 though a single target may also be used.

If NTLM authentication is not available, Kerberos requires the hostname and domain name instead of an IP address.

User/Password

User/Hash

After obtaining credentials such as Administrator:500:aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c::: you can use either the full LM:NT hash or just the NT hash (the second half).
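An added Python helper, not NetExec's own code, that turns the output conventions described here into data you can act on: it classifies [+]/[-] lines and the (Pwn3d!) marker from this section, pulls the hosts reporting signing:False from the banner lines (what "Enumerate Hosts with SMB Signing Not Required" writes to a relay list), and extracts the NT hash from secretsdump-style lines like the one quoted above. The column layout it expects (protocol, IP, port, hostname, tagged message) and the sample lines are constructed from the conventions on this page; hostnames, addresses and credentials in the sample are made up.

```python
"""Parse NetExec output lines and secretsdump-style hash lines.

Added example, not NetExec's own code. The expected column layout and the
SAMPLE lines are constructed; the user:rid:lmhash:nthash::: format is the
one quoted on this page.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+"
    r"\[(?P<tag>[*+\-!])\]\s*(?P<msg>.*)$"
)
SIGNING_RE = re.compile(r"\(signing:(True|False)\)")
HASH_LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)


@dataclass
class AuthResult:
    host: str
    ip: str
    identity: str      # DOMAIN\user, or HOSTNAME\user with --local-auth
    secret: str        # password or hash as echoed back
    success: bool
    pwned: bool        # "(Pwn3d!)" marker present
    status: str = ""   # e.g. STATUS_LOGON_FAILURE on a failed login


def parse_line(line):
    """Split one output line into its columns, or None if it does not fit."""
    m = LINE_RE.match(line.rstrip())
    return m.groupdict() if m else None


def parse_auth(line):
    """Turn a [+]/[-] line into an AuthResult; other lines give None.

    Assumes the secret contains no spaces: the first space after the
    credential separates it from a status word such as STATUS_LOGON_FAILURE.
    """
    rec = parse_line(line)
    if not rec or rec["tag"] not in "+-":
        return None
    msg = rec["msg"]
    pwned = msg.endswith("(Pwn3d!)")
    if pwned:
        msg = msg[: -len("(Pwn3d!)")].rstrip()
    cred, _, status = msg.partition(" ")
    identity, _, secret = cred.partition(":")
    return AuthResult(rec["host"], rec["ip"], identity, secret,
                      rec["tag"] == "+", pwned, status.strip())


def hosts_without_signing(lines):
    """IPs whose banner reports signing:False, one per host, in order seen."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["tag"] == "*":
            sig = SIGNING_RE.search(rec["msg"])
            if sig and sig.group(1) == "False" and rec["ip"] not in out:
                out.append(rec["ip"])
    return out


def nt_hashes(dump_lines):
    """Map user -> NT hash (the second half) from secretsdump-style lines."""
    out = {}
    for line in dump_lines:
        m = HASH_LINE_RE.match(line.strip())
        if m:
            out[m.group("user")] = m.group("nt").lower()
    return out


# Constructed sample output; hosts, addresses and credentials are made up.
SAMPLE = """\
SMB         10.0.0.5     445    DC01     [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.0.0.21    445    WS01     [*] Windows 10.0 Build 19041 x64 (name:WS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.0.0.22    445    WS02     [*] Windows 10.0 Build 19041 x64 (name:WS02) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.0.0.5     445    DC01     [+] corp.local\\jdoe:Winter2024!
SMB         10.0.0.21    445    WS01     [-] corp.local\\svc_backup:Summer2023 STATUS_LOGON_FAILURE
SMB         10.0.0.22    445    WS02     [+] corp.local\\jdoe:Winter2024! (Pwn3d!)
""".splitlines()

if __name__ == "__main__":
    for line in SAMPLE:
        res = parse_auth(line)
        if res:
            print(res)
    print(hosts_without_signing(SAMPLE))
    print(nt_hashes(["Administrator:500:aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c:::"]))
```

Keep the success/pwned distinction separate in your notes: a [+] without (Pwn3d!) is a valid credential with no admin rights on that host, which is exactly the case where a share enumeration is still worth running.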

Checking Credentials (Local)

User/Password/Hashes

Adding --local-auth to any of the authentication commands will attempt to log on with a local account instead of a domain account.

Results will display the hostname next to the user:password

Delegation

Resource Based Constrained Delegation (RBCD) and S4U2Self

RBCD

If you have an object with the msDS-AllowedToActOnBehalfOfOtherIdentity attribute set to an account you control you can use the impersonate flag inside NetExec to automatically execute the Resource Based Constrained Delegation and impersonate any user:

RBCD with NetExec

S4U2Self

If you control a computer account you can (nearly) always obtain local administrator on that computer with the S4U2Self extension:

S4U2Self abuse using NetExec's delegation feature

Resources:

  • (RBCD) Resource-based constrained delegation, The Hacker Recipes

  • S4U2self abuse, The Hacker Recipes

  • Resource-based Constrained Delegation, HackTricks

Executing Remote Commands

Command Execution

Executing commands on a Windows system requires credentials with local administrator rights on the target.

nxc automatically tells you if the credential set you're using has admin access to a host by appending "(Pwn3d!)" (or whatever value you've set in the config) to the output when authentication is successful.

Execution Methods

nxc has three different command execution methods:

  • wmiexec executes commands via WMI

  • atexec executes commands by scheduling a task with windows task scheduler

  • smbexec executes commands by creating and running a service

By default nxc will fail over to a different execution method if one fails. It attempts to execute commands in the following order:

  1. wmiexec

  2. atexec

  3. smbexec

If you want to force nxc to use only one execution method you can specify which one using the --exec-method flag.

Executing Commands

In the following example, we try to execute whoami on the target using the -x flag:

You can also directly execute PowerShell commands using the -X flag:

Bypass AMSI

Getting Shells 101

We all love shells and that's why nxc makes it as easy as possible to get them! There really is something magical about shelling a /24

Empire Agent

Use the new Empire in Python3 https://github.com/BC-SECURITY/Empire

We can use the empire_exec module to execute an Empire Agent's initial stager. In the background, the module connects to Empire's RESTful API, generates a launcher for the specified listener and executes it.

  • First setup the rest API:

  • Second setup a listener:

The username and password that nxc uses to authenticate to Empire's RESTful API are stored in the nxc.conf file located at ~/.nxc/nxc.conf:

  • Then just run the empire_exec module and specify the listener name:

Meterpreter

We can use the met_inject module to launch a Meterpreter session using the Invoke-MetasploitPayload.ps1 script.

On your Metasploit instance, run the following commands

The SRVHOST and SRVPORT variables are used for running the webserver to host the script

The target variable determines what type of script we're using. 2 is for PowerShell

Pick your payload. In this case, we'll use a reverse https meterpreter payload

Run the exploit

Once run, the web_delivery module will spin up the webserver to host the script and reverse listener for our meterpreter session.

  • Then just run the met_inject module and specify the LHOST and LPORT values:

Spidering Shares

Spidering shares with NetExec

Using Default Option --spider

Options for spidering the shares of remote systems. Example: spider the C drive for files with txt in the name (this matches both sometxtfile.html and somefile.txt, since the pattern is a substring match on the name, not an extension filter).

Notice the '$' character has to be escaped. (example shown can be used as-is in a kali linux terminal)

Using Module "spider_plus"

The module spider_plus allows you to list and dump all files from all readable shares thanks to @vincd

List all readable files

Dumping All Files

With the option -o DOWNLOAD_FLAG=True every readable file is copied to your local host; on large shares this can be a lot of data, so list first.

Get and Put Files

Get a remote file or send a remote file using NetExec

Send a File to the Remote Target

Send a local file to the remote target

Get a File From the Remote Target

Fetch a file from the remote target
