🏎️v1.3.0 - NeedForSpeed
Last updated
Last updated
Hello everyone!
Recently, a lot of incredible Pull Requests have been submitted. Over 22 PRs in 2 weeks! This community activity is incredible, so be prepared for a lot of upcoming features, even if not all of them are included in this release.
Therefore, a big thank you to all the contributors in the past months. Of course, also a big thank you to people who have been submitting issues on github and our Discord Server. This is very important to improve the stability and to ensure everything is working as expected.
After quite some time, a new protocol has been added: NFS! This provides the ability to detect NFS servers, enumerate shares recursively. You can also download and upload files with the commands --get-file
and --put-file
respectively. Big thanks to @termanix for implementing this protocol, with the help of @Marshall-Hallenbeck and @NeffIsBack.
There has been a lot of recent research into Microsoft's System Center Configuration Manager (SCCM), also known as Microsoft Endpoint Configuration Manager (MECM). Therefore, @NeffIsBack developed a module to detect an SCCM environment in Active directory via LDAP! This will find SCCM Site-Servers, SCCM Sites, SCCM Management Points and Users, Computers or Groups related to SCCM.
The new coerce_plus module combines all 5 coercion methods (PetitPotam, DFSCoerce, MSEven, ShadowCoerce and PrinterBug). You can now check all these vulnerabilities with a single module, rather than one by one! If you want to coerce authentications with one of these techniques, just set a LISTENER ip. Made by @lodos2005.
Pre-WIndows 2000 computer accounts are valuable targets during engagements, as by default the password is set to the computer name. @Shad0wC0ntr0ller developed a module to identify these accounts and save a ccache for accounts, where the password was not changed. If you want to learn more, check out this great article at TrustedSec: https://trustedsec.com/blog/diving-into-pre-created-computer-accounts
The Powershell History can be a goldmine for credentials. If admins forget to clear their history and passwords are typed in the console, they can be easily extracted. Thanks to @357384n we have a new module, which will check the history of all users on the target for keywords that might get you plaintext credentials.
Unsure about the anonymous authentication? NetExec now has a new flag to detect, if the guest session is active! Thanks to @Marshall-Hallenbeck for nice idea.
The new SMB flag --interfaces
will enumerate all interfaces on the target. Very useful to find subnets and servers for pivoting! Made by @Sant0rryu.
The new BitLocker module -M bitlocker
is checking the BitLocker status on all drives. Also this module is available in both WMI and SMB! Made by @termanix.
This SMB module will dump security questions and answers for all users on the machine. Made by Adamkabadan.
Hyper-V saves the Hostname of the hypervisor in the registry. With this module you can query that information from any target VMs. Made by @joaovarelask
The WCC module got some new checks regarding Windows Defender settings. E.g. you can check if Defender has exclusions set for specific paths or file extensions. Made by @jubeaz.
With the new SMB module -M smbghost
, you can check for prerequisits that have to be enabled for the SMBGhost vulnerability. Made by @r4anan.
If you want to read about all changes in detail or download the latest standalone binaries check out the github page: