search
NetExec GithubNetexec Lab
Page cover
githubEdit

📡v1.2.0 - ItsAlwaysDNS

NetExec v1.2.0 feature rundown

Hello everyone!

It has been quite a while since the last release. We now have so many great features that a new release was long overdue. But first of all, a big thank you to all the contributors and people who have contributed ideas, submitted issues and participated on the Discord serverarrow-up-right. So let us dive into the long list of amazing new modules and features and start with our first big announcement.

Woop woop

hashtag
NetExec is available on Kali🚀

The biggest news first, thanks to the great help of @arszilla arrow-up-rightthis release is also available on kali. After about 3 months of package updates on the Kali side everything is ready for the launch. So now you can just install the latest release with apt:

Installing NetExec with apt

hashtag
It's Always DNS ...

... and that's why we now have fully integrated DNS options, thanks to @XiaoliChanarrow-up-right! You can specify a DNS server with --dns-server or force TCP to be used for DNS with --dns-tcp. This also allows you to force IPv6 with -6 and set a DNS timeout with --dns-timeout.

Specifying a dns server

hashtag
It's Credential Looting Time💰

Ever heard of SCCM? You can now dump all SCCM credentials stored by the DPAPI with the new flag --sccm. Also there are a ton of new modules that loot various software which can store credentials like MobaXterm, mRemoteNG, some vnc server software and Google Refresh Tokens, thanks to @zblurxarrow-up-right!

Looting SCCM
Looting MobaXterm
Looting mRemoteNG
Looting VNC

hashtag
Looting PuTTY

Also credentials and RSA private keys stored in PuTTY can be looted thanks to an addition by @NeffIsBackarrow-up-right.

Looting RSA private keys and proxy credentials stored by PuTTY

hashtag
Extract obsolete operating systems from LDAP

With the new LDAP module -M obsolete you can query for obsolete operating systems in LDAP! Made by @Shad0wC0ntr0llerarrow-up-right.

image

hashtag
New LDAP flag for retrieving active Users on the Domain

The new LDAP Flag --active-users serves the same purpose as --users, but filters out deactivated accounts. Made by @termanixarrow-up-right.

image

hashtag
New SMB Module Printerbug

The well-known coercion technique using Printerbug can now be exploited with NetExec, abusing MS-RPRN! Made by @lodos2005arrow-up-right.

Coercing authentications using NetExec and the new Printerbug module
Relaying the incoming connection
LogoMS-RPRN abuse (PrinterBug) | The Hacker Recipeswww.thehacker.recipeschevron-right

hashtag
Hunt for the ADCS using SMB

A new SMB module is now available, that enumerates DCERPC endpoints for certsrv.exe, indicating that the server is a CA. It also enumerates whether the CA is vulnerable against ESC8. Made by @0xjbbarrow-up-right.

Hunting for ADCS using SMB DCERPC

hashtag
New LDAP Module Enumerate userPassword and unixUserPassword Attribute

There is software that will populate the LDAP attributes userPassword and unixUserPassword potentially with credentials in plaintext. The new LDAP modules -M get-userPasswsord and -M get-unixUserPassword will query all users for these attributes. Made by @Syzikarrow-up-right.

image

hashtag
New Winlogon Autologon Module

Windows allows to configure user that will automatically log on to a machine on startup. With the new SMB module by @swisskyrepoarrow-up-right you can now retrieve the content of the keys DefaultDomainName, DefaultPassword, DefaultUserName, AutoAdminLogon stored in the registry HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, which are used for that logon process.

Retrieve autologon credentials from the registry
LogoConfigure Windows to automate logon - Windows ServerMicrosoftLearnchevron-right

hashtag
Raw LDAP queries

There is now a new LDAP flag --query "(Object)" "Filter" with the standard ldapsearch syntax to be able to quickly look up attributes in LDAP. Made by @NeffIsBackarrow-up-right.

image

hashtag
Updated LDAP and SMB User enumeration

SMB/LDAP --users and LDAP --active-users flags now allow filtering for specific users! Thanks to @Marshall-Hallenbeckarrow-up-right.

hashtag
Updated PSO Module

@sebrinkarrow-up-right updated the pso module which retrieves all fine-grained password policies in the domain, giving the module a fresh new look and fixing a critical bug, where a policy wasn't displayed if it was attached to multiple obejcts.

The new pso module

hashtag
Authentication throttling

The old --jitter option got reworked to enable throttling of authentications. Super useful if you want to be a bit more stealthy or bypass lock out mechanisms. Made by @NeffIsBackarrow-up-right.

hashtag
Tab-completion

Thanks to @Adamkadabanarrow-up-right NetExec now supports tab-completion if installed with pipx! Check out the Installation page for the setup.

Tab-completion with NetExec

hashtag
Rework of the Powershell command execution

A major overhaul of the powershell functionality within NetExec has taken place, fixing most bugs and improving overall usability and stability. Obfuscation and Amsi bypasses have also been set to non-default, as they were often flagged even by AVs. A nice side effect is that the ps32 downgrade now bypasses Windows Defender😄 Made by @Marshall-Hallenbeckarrow-up-right.

Bypassing Windows Defender with --force-ps32

hashtag
Outro

If you want to read about all changes in detail or download the latest standalone binaries check out the github page:

LogoRelease v1.2.0 · Pennyw0rth/NetExecGitHubchevron-right

Notes by [Alex](https://x.com/al3x_n3ff)

Previousv1.1.0 - nxc4uNextv1.3.0 - NeedForSpeed

Last updated

Was this helpful?