v1.2.0 - ItsAlwaysDNS
NetExec v1.2.0 feature rundown
Last updated
Was this helpful?
NetExec v1.2.0 feature rundown
Last updated
Was this helpful?
Hello everyone!
It has been quite a while since the last release. We now have so many great features that a new release was long overdue. But first of all, a big thank you to all the contributors and people who have contributed ideas, submitted issues and participated on the discord server. So let us dive into the long list of amazing new modules and features and start with our first big announcement.
If you want to read about all changes in detail or download the latest standalone binaries check out the github page:
The biggest news first, thanks to the great help of this release is also available on kali. After about 3 months of package updates on the Kali side everything is ready for the launch. So now you can just install the latest release with apt:
... and that's why we now have fully integrated DNS options, thanks to ! You can specify a DNS server with --dns-server or force TCP to be used for DNS with --dns-tcp. This also allows you to force IPv6 with -6 and set a DNS timeout with --dns-timeout.
Ever heard of SCCM? You can now dump all SCCM credentials stored by the DPAPI with the new flag --sccm. Also there are a ton of new modules that loot various software which can store credentials like MobaXterm, mRemoteNG, some vnc server software and Google Refresh Tokens, thanks to !
Also credentials and RSA private keys stored in PuTTY can be looted thanks to an addition by .
With the new LDAP module -M obsolete you can query for obsolete operating systems in LDAP! Made by .
The new LDAP Flag --active-users serves the same purpose as --users, but filters out deactivated accounts. Made by .
The well-known coercion technique using Printerbug can now be exploited with NetExec, abusing MS-RPRN! Made by .
A new SMB module is now available, that enumerates DCERPC endpoints for certsrv.exe, indicating that the server is a CA. It also enumerates whether the CA is vulnerable against ESC8. Made by .
There is software that will populate the LDAP attributes userPassword and unixUserPassword potentially with credentials in plaintext. The new LDAP modules -M get-userPasswsord and -M get-unixUserPassword will query all users for these attributes. Made by .
Windows allows to configure user that will automatically log on to a machine on startup. With the new SMB module by you can now retrieve the content of the keys DefaultDomainName, DefaultPassword, DefaultUserName, AutoAdminLogon stored in the registry HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, which are used for that logon process.
There is now a new LDAP flag --query "(Object)" "Filter" with the standard ldapsearch syntax to be able to quickly look up attributes in LDAP. Made by .
SMB/LDAP --users and LDAP --active-users flags now allow filtering for specific users! Thanks to .
updated the pso module which retrieves all fine-grained password policies in the domain, giving the module a fresh new look and fixing a critical bug, where a policy wasn't displayed if it was attached to multiple obejcts.
The old --jitter option got reworked to enable throttling of authentications. Super useful if you want to be a bit more stealthy or bypass lock out mechanisms. Made by .
Thanks to NetExec now supports tab-completion if installed with pipx! Check out the Installation page for the setup.
A major overhaul of the powershell functionality within NetExec has taken place, fixing most bugs and improving overall usability and stability. Obfuscation and Amsi bypasses have also been set to non-default, as they were often flagged even by AVs. A nice side effect is that the ps32 downgrade now bypasses Windows Defender😄
Made by .
Notes by
