
📡v1.2.0 - ItsAlwaysDNS

NetExec v1.2.0 feature rundown

Hello everyone!

It has been quite a while since the last release. We now have so many great features that a new release was long overdue. But first of all, a big thank you to all the contributors and people who have contributed ideas, submitted issues and participated on the discord server. So let us dive into the long list of amazing new modules and features and start with our first big announcement.

Woop woop

NetExec is available on Kali🚀

The biggest news first: thanks to the great help of @arszilla, this release is also available on Kali. After about 3 months of package updates on the Kali side, everything is ready for the launch. So now you can just install the latest release with apt:

Installing NetExec with apt

It's Always DNS ...

... and that's why we now have fully integrated DNS options, thanks to @XiaoliChan! You can specify a DNS server with --dns-server or force TCP to be used for DNS with --dns-tcp. This also allows you to force IPv6 with -6 and set a DNS timeout with --dns-timeout.

Specifying a DNS server

It's Credential Looting Time💰

Ever heard of SCCM? You can now dump all SCCM credentials protected by DPAPI with the new flag --sccm. There are also a ton of new modules that loot credentials from software that stores them, such as MobaXterm, mRemoteNG, some VNC server software and Google refresh tokens, thanks to @zblurx!

Looting SCCM
Looting MobaXterm
Looting mRemoteNG
Looting VNC

Looting PuTTY

Credentials and RSA private keys stored by PuTTY can also be looted, thanks to an addition by @NeffIsBack.

Looting RSA private keys and proxy credentials stored by PuTTY

Extract obsolete operating systems from LDAP

With the new LDAP module -M obsolete you can query for obsolete operating systems in LDAP! Made by @Shad0wC0ntr0ller.


New LDAP flag for retrieving active Users on the Domain

The new LDAP flag --active-users serves the same purpose as --users, but filters out deactivated accounts. Made by @termanix.

New SMB Module Printerbug

The well-known coercion technique using Printerbug can now be exploited with NetExec, abusing MS-RPRN! Made by @lodos2005.

Coercing authentications using NetExec and the new Printerbug module
Relaying the incoming connection

Hunt for the ADCS using SMB

A new SMB module is available that enumerates DCERPC endpoints for certsrv.exe, which indicates that the server is a CA. It also checks whether the CA is vulnerable to ESC8. Made by @0xjbb.

Hunting for ADCS using SMB DCERPC

New LDAP Module Enumerate userPassword and unixUserPassword Attribute

Some software populates the LDAP attributes userPassword and unixUserPassword, potentially with plaintext credentials. The new LDAP modules -M get-userPassword and -M get-unixUserPassword query all users for these attributes. Made by @Syzik.


New Winlogon Autologon Module

Windows allows configuring a user that is automatically logged on to a machine at startup. With the new SMB module by @swisskyrepo you can now retrieve the content of the values DefaultDomainName, DefaultPassword, DefaultUserName and AutoAdminLogon stored under the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, which are used for that logon process.

Retrieve autologon credentials from the registry
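The same registry values can be audited locally from the defender's side. The following PowerShell function is an added example, not part of NetExec; the key path and value names are the ones named above, while the function name and the -Remediate switch are this example's own:

```powershell
# Added example (not NetExec code): audit a host for plaintext autologon
# credentials under the Winlogon key described above and optionally remove them.
function Test-WinlogonAutologon {
    [CmdletBinding()]
    param(
        # Key path from the page; -Remediate is a hypothetical switch for this example.
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        [switch]$Remediate
    )

    $props        = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    $enabled      = ($props.AutoAdminLogon -eq '1')
    $hasPlaintext = -not [string]::IsNullOrEmpty($props.DefaultPassword)

    # Rate the finding; the secret itself is never written to output.
    if ($hasPlaintext) {
        $finding = 'HIGH: DefaultPassword is stored in plaintext in the registry'
    } elseif ($enabled) {
        $finding = 'MEDIUM: AutoAdminLogon enabled but no DefaultPassword value set'
    } else {
        $finding = 'OK: autologon not configured'
    }

    if ($Remediate -and $hasPlaintext) {
        # Mitigation: drop the plaintext value and switch autologon off.
        Remove-ItemProperty -Path $KeyPath -Name 'DefaultPassword'
        Set-ItemProperty    -Path $KeyPath -Name 'AutoAdminLogon' -Value '0'
        $finding += ' (remediated)'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        AutoAdminLogon    = $enabled
        DefaultDomainName = $props.DefaultDomainName
        DefaultUserName   = $props.DefaultUserName
        PlaintextPassword = $hasPlaintext
        Finding           = $finding
    }
}

# Report only; add -Remediate to clean up a host that was flagged HIGH.
Test-WinlogonAutologon | Format-List
```

Run it with a scheduled task or configuration-management job across the fleet so a host that shows up as HIGH is fixed before a remote tool like the module above can read the value.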

Raw LDAP queries

There is now a new LDAP flag --query "(Object)" "Filter" with the standard ldapsearch syntax to be able to quickly look up attributes in LDAP. Made by @NeffIsBack.


Updated LDAP and SMB User enumeration

SMB/LDAP --users and LDAP --active-users flags now allow filtering for specific users! Thanks to @Marshall-Hallenbeck.

Updated PSO Module

@sebrink updated the pso module, which retrieves all fine-grained password policies in the domain, giving the module a fresh new look and fixing a critical bug where a policy was not displayed if it was attached to multiple objects.

Authentication throttling

The old --jitter option has been reworked to enable throttling of authentications. Super useful if you want to be a bit more stealthy or avoid triggering lockout mechanisms. Made by @NeffIsBack.

Tab-completion

Thanks to @Adamkadaban NetExec now supports tab-completion if installed with pipx! Check out the Installation page for the setup.

Tab-completion with NetExec

Rework of the Powershell command execution

A major overhaul of the PowerShell functionality within NetExec has taken place, fixing most bugs and improving overall usability and stability. Obfuscation and AMSI bypasses are now off by default, as they were often flagged even by AVs. A nice side effect is that the ps32 downgrade now bypasses Windows Defender😄 Made by @Marshall-Hallenbeck.

Bypassing Windows Defender with --force-ps32

Outro

If you want to read about all changes in detail or download the latest standalone binaries, check out the GitHub page:
