v1.4.0 - SmoothOperator
Hello everyone!
It has been almost half a year since the last release and a lot of new features have been added since then. Besides the most dominant protocol, SMB, other protocols like NFS, LDAP, and MSSQL have seen some love with new modules and improvements.
Thank you to everyone who contributed over the past months, and of course, a big thank you to everyone who has been reporting issues on GitHub and helping to troubleshoot or taking part in discussions on Discord. If you want to join our Discord, follow the .
In case you didn't know, this wiki is open source too and you can contribute to it. If you would like to add missing content or improve existing content, please feel free to do so. Any help is much appreciated! You can find the wiki's source code on GitHub .
As the name suggests, the new module -M backup_operator can leverage the Backup Operator privileges to dump the SAM / SECURITY hives of the DC. This ultimately leads to a full compromise of the domain with the dump of the NTDS.dit. Huge thanks to for this module.
Recent research has shown that the default NFS configuration on Linux systems is often insecure. In short: The NFS server does not check if a requested file is inside the exported directory. This means that if a user has access to the NFS share, they can access any file on the system. In combination with write access, this can lead to a full compromise of the system.
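The weak setting described above lives in /etc/exports. The following is an added example (not NetExec's or the referenced research's code) that parses an exports file and flags the options a defender should review: an export without subtree_check (nfs-utils has defaulted to no_subtree_check since 1.1.0, so the absence of an explicit subtree_check is the weak case), no_root_squash, insecure, and exports granted to every host. The sample exports content is constructed. Note that subtree_check is only the per-export mitigation; exporting a dedicated filesystem rather than a subdirectory of a larger one is what removes the problem, and exports(5) warns that subtree checking can misbehave when a file is renamed while a client holds it open.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample /etc/exports (not taken from any real host).
SAMPLE_EXPORTS = """\
# /etc/exports -- constructed example
/srv/share   10.0.0.0/24(rw,sync,no_subtree_check)
/home        *(rw,no_root_squash,insecure)
/var/backup  backup01.example.internal(ro,sync,subtree_check,root_squash)
/data        192.168.1.0/24(rw) 10.0.0.5(ro,sync)
"""

# Why each finding matters (exports(5) semantics).
DESCRIPTIONS = {
    "no_subtree_check": "server does not verify that a requested file handle lies inside the "
                        "exported directory; with a subdirectory export, other files on the "
                        "same filesystem become reachable",
    "no_root_squash": "remote root keeps uid 0 on the export, so writes as root are possible",
    "insecure": "requests from client ports above 1023 are accepted, so any local user on "
                "the client (not only root) can talk to the server",
    "world_open": "export is granted to every host (* or no client given)",
}


def parse_exports(text: str) -> List[Dict]:
    """Return one record per (export path, client) pair with its option set."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        client_spec = parts[1] if len(parts) > 1 else "*"   # bare path exports to everyone
        for token in client_spec.split():
            host, _, rest = token.partition("(")
            options: Set[str] = set(filter(None, rest.rstrip(")").split(",")))
            records.append({"path": path, "client": host or "*", "options": options})
    return records


def audit_exports(records: List[Dict]) -> List[Tuple[str, str]]:
    """Return (export, finding_code) pairs for the weak settings listed in DESCRIPTIONS."""
    findings = []
    for r in records:
        opts, where = r["options"], f"{r['path']} -> {r['client']}"
        # no_subtree_check is the default, so only an explicit subtree_check is safe here.
        if "subtree_check" not in opts:
            findings.append((where, "no_subtree_check"))
        if "no_root_squash" in opts:
            findings.append((where, "no_root_squash"))
        if "insecure" in opts:
            findings.append((where, "insecure"))
        if r["client"] == "*":
            findings.append((where, "world_open"))
    return findings


if __name__ == "__main__":
    for where, code in audit_exports(parse_exports(SAMPLE_EXPORTS)):
        print(f"{where:45} {code:17} {DESCRIPTIONS[code]}")
```

Run it against a copy of a server's /etc/exports to get a quick list of exports worth hardening; the /var/backup line in the sample shows the shape of an export that produces no findings.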
Finding credentials in text files never happens, right? Right??
enum_impersonate: List users that can be impersonated (similar to the mssql_priv module)
enum_logins: Enumerate active MSSQL logins
enum_links: Enumerate linked MSSQL servers
exec_on_link: Execute SQL queries on a linked server
link_enable_cmdshell: Enable/disable the cmd shell on a linked server
link_xpcmd: Execute shell commands on the linked server
If you want to read about all changes in detail or download the latest standalone binaries check out the GitHub release page:
NetExec now also supports certificate authentication, thanks to the integration of 's authentication mechanisms into NetExec, by .
The details of the attack can be found on our wiki page or on the great blog post by the guys from .
An implementation of the attack is now available in NetExec, indicating the vulnerability by a new flag in the host banner. The implementation was done by .
Note: With this update, the semantics of the file download and upload flags have changed. Don't forget to check the new .
One of NetExec's most prominent features is dumping the local account database (SAM) and the SECURITY registry hive (LSA secrets). Previously, Impacket achieved this by writing the SAM and SECURITY hives to a temporary file on disk, which was then deleted. However, this has now changed, as has implemented a method that retrieves the data directly from the registry hives via the remote registry service, which he has contributed to Impacket. Thanks to 's integration, this method is now the default in NetExec and should offer much greater stealth. However, if you need to use the old method for some reason, you can still switch back with --sam/--lsa secdump.
The Timeroast attack has been added as a module to NetExec. This attack allows an attacker on the network to request a hashed & salted version of any computer account NT hash in the domain without the need for authentication. If you would like to know more about the attack, check out from . Module by .
While the --loggedon-users flag is very useful if you don't have administrative privileges yet, once you do have control over the host it is also very useful to know where users are connecting from. Thanks to , NetExec uses the native qwinsta protocol implementation from Impacket to enumerate RDP sessions on the target, providing information such as the connecting IP address and session state.
One of the best ways to trigger an EDR is to run the command -x 'tasklist /v /fo csv | findstr /i "lsass"'. However, listing tasks can be very useful for finding out which PID lsass.exe has or for checking which services are running with which privileges. Thanks to , NetExec now has a native implementation of the tasklist command that uses a native Windows protocol to query this information, which makes detection by EDRs less likely.
You can now list the directories of SMB shares with the new --dir SMB flag! Created by .
The NFS protocol has a built-in share listing option as well. Without specifying a share it will try to use the and list the root of the file system. Made by .
On the hunt for Entra ID or M365 access tokens? The new wam module by dumps these tokens for you from the local Token Broker Cache. You can find a great article by if you want to learn more.
It is now easier to enumerate misconfigured delegation privileges, thanks to the integration of Impacket's findDelegation.py tool by . With the new LDAP flag --find-delegation, any delegation in the domain can be found, including information about the user/computer object and the delegation details.
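To show what such an enumeration actually classifies, here is an added example (not code from NetExec or from Impacket's findDelegation.py) that takes directory objects as they would come back from an LDAP search and sorts them into the same delegation categories, then picks out the ones a defender should review first. The objects, account names and SPNs are constructed. It assumes the userAccountControl bit values from MS-SAMR and that msDS-AllowedToActOnBehalfOfOtherIdentity has already been decoded into principal names (in a real directory it is a binary security descriptor).

```python
from typing import Dict, List

# userAccountControl bits relevant to Kerberos delegation (MS-SAMR values)
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000               # domain controllers
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# Constructed directory objects (not from any real domain). The RBCD attribute is
# assumed to be pre-decoded into principal names for this example.
SAMPLE_OBJECTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.corp.example:1433"]},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x1000200,
     "msDS-AllowedToDelegateTo": ["HTTP/app01.corp.example"]},
    {"sAMAccountName": "FILE01$", "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": ["WEB01$"]},
    {"sAMAccountName": "alice", "userAccountControl": 0x200},
]


def classify(obj: Dict) -> List[Dict]:
    """Delegation findings for one object, using the category names findDelegation prints."""
    name = obj["sAMAccountName"]
    uac = obj.get("userAccountControl", 0)
    out = []
    if uac & UF_TRUSTED_FOR_DELEGATION:
        # Unconstrained: forwarded TGTs of every user authenticating here are kept
        # on this host. Expected on domain controllers, a red flag anywhere else.
        out.append({"account": name, "type": "Unconstrained", "targets": ["<any service>"],
                    "is_dc": bool(uac & UF_SERVER_TRUST_ACCOUNT)})
    targets = obj.get("msDS-AllowedToDelegateTo", [])
    if targets:
        kind = ("Constrained w/ Protocol Transition"
                if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION else "Constrained")
        out.append({"account": name, "type": kind, "targets": list(targets)})
    # RBCD is configured on the resource; report it from the allowed principal's side.
    for principal in obj.get("msDS-AllowedToActOnBehalfOfOtherIdentity", []):
        out.append({"account": principal, "type": "Resource-Based Constrained",
                    "targets": [name]})
    return out


def find_delegation(objects: List[Dict]) -> List[Dict]:
    return [f for obj in objects for f in classify(obj)]


def risky(findings: List[Dict]) -> List[Dict]:
    """Review first: unconstrained delegation on non-DC accounts and constrained
    delegation with protocol transition (the service may impersonate anyone)."""
    return [f for f in findings
            if (f["type"] == "Unconstrained" and not f.get("is_dc", False))
            or f["type"] == "Constrained w/ Protocol Transition"]


if __name__ == "__main__":
    for f in find_delegation(SAMPLE_OBJECTS):
        flag = "!!" if f in risky(find_delegation(SAMPLE_OBJECTS)) else "  "
        print(f"{flag} {f['account']:10} {f['type']:36} {', '.join(f['targets'])}")
```

The same classification can be run over the output of any LDAP client that returns these attributes; the point for a defender is that the non-DC unconstrained entry and the protocol-transition entry are the two to remediate, while the DC entry is by design.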
The new integration of LDAP Channel Binding is now available in Impacket, which means hardened environments are not a problem anymore. The LDAP protocol automatically picks up the required security options and will work out of the box without user interaction. Thanks to who took care of the Pull Request in Impacket.
You probably know the --rid-brute feature of the , but do you also know that this is possible with the as well? Well, now you can do it with NetExec, thanks to the work of !
Coercing connections with SMB is a well-known technique that can be achieved by using the coerce_plus module in NetExec. However, it is now also possible to coerce connections using MSSQL and the new mssql_coerce module by !
The new shadowrdp module allows you to enable or disable , which can be used to eavesdrop on a specific RDP session. Module by .
Well, even typing sensitive content into unsaved Notepad++ documents can be dangerous, as they still leave traces on the system. With the new notepad++ module by you can automatically dump this information.
added six new modules for the MSSQL protocol! That includes a few enumeration modules, as well as modules to perform actions on linked servers:
By default, Windows creates LNK files for recently accessed objects and stores them in the AppData\Roaming\Microsoft\Windows\Recent directory. This module retrieves and parses these LNK files in order to extract the source files, which can be useful during internal assessments for retrieving recently modified and potentially juicy files. Module by .
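The same parsing is a routine forensic step (the Recent folder is a standard timeline source), so here is an added example (not the module's or NetExec's code) of reading the target path, size and last-write time out of a Shell Link according to the MS-SHLLINK layout: 76-byte header, optional IDList, then the LinkInfo block whose LocalBasePath plus CommonPathSuffix form the local path. Because real artefacts cannot be shipped here, the block also carries a small builder that produces constructed minimal .lnk blobs for the parser to run on; the recent_targets helper name is hypothetical. Links that only carry an IDList or a network-relative target yield no local path and are skipped.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_FMT = "<I16sIIQQQIIIHHII"   # 76-byte ShellLinkHeader
LINKINFO_FMT = "<IIIIIII"          # 28-byte LinkInfo header (no Unicode offsets)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt: datetime) -> int:
    """Windows FILETIME: 100-ns intervals since 1601-01-01, computed with integers."""
    d = dt - _EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def from_filetime(ft: int) -> datetime:
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def _cstring(data: bytes, off: int) -> str:
    return data[off:data.index(b"\x00", off)].decode("cp1252", errors="replace")


def build_lnk(local_path: str, size: int, modified: datetime) -> bytes:
    """Constructed minimal .lnk (header + LinkInfo with LocalBasePath); test input only."""
    label = b"OS\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 3, 0x1234ABCD, 16) + label  # DRIVE_FIXED
    base, suffix = local_path.encode("cp1252") + b"\x00", b"\x00"
    hdr = struct.calcsize(LINKINFO_FMT)
    base_off = hdr + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack(LINKINFO_FMT, suffix_off + len(suffix), hdr,
                            VOLUME_ID_AND_LOCAL_BASE_PATH, hdr, base_off, 0, suffix_off)
    link_info += volume_id + base + suffix
    ft = to_filetime(modified)
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,  # FILE_ATTRIBUTE_ARCHIVE
                         ft, ft, ft, size, 0, 1, 0, 0, 0, 0)
    return header + link_info


def parse_lnk(data: bytes) -> Dict:
    """Extract target path, target size and target last-write time from a shell link."""
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    hdr_size, clsid, flags, _attrs, _ctime, _atime, wtime, fsize = fields[:8]
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (bad header size or CLSID)")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the optional IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target: Optional[str] = None
    if flags & HAS_LINK_INFO:
        (_size, _hdr, li_flags, _vol_off, base_off,
         _cnrl_off, suffix_off) = struct.unpack_from(LINKINFO_FMT, data, pos)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            # offsets are relative to the start of the LinkInfo structure
            target = _cstring(data, pos + base_off) + _cstring(data, pos + suffix_off)
    return {"target": target, "size": fsize, "modified": from_filetime(wtime)}


def recent_targets(blobs: List[bytes]) -> List[Dict]:
    """Triage helper (hypothetical): keep links with a local target, newest write time first."""
    parsed = []
    for blob in blobs:
        try:
            info = parse_lnk(blob)
        except (ValueError, struct.error):         # truncated or non-LNK data
            continue
        if info["target"]:
            parsed.append(info)
    return sorted(parsed, key=lambda i: i["modified"], reverse=True)


# Constructed sample "Recent" items (not real artefacts).
SAMPLE_LNKS = [
    build_lnk(r"C:\Users\alice\Documents\salaries.xlsx", 20480,
              datetime(2024, 5, 3, 9, 15, tzinfo=timezone.utc)),
    build_lnk(r"C:\Users\alice\Downloads\vpn-config.ovpn", 2310,
              datetime(2024, 5, 7, 16, 42, 30, tzinfo=timezone.utc)),
    b"not a link file",
]

if __name__ == "__main__":
    for info in recent_targets(SAMPLE_LNKS):
        print(f"{info['modified'].isoformat()}  {info['size']:>8}  {info['target']}")
```

On a real collection, replace SAMPLE_LNKS with the bytes of each file in a user's Recent directory; the write time shown is the target file's last-write time as recorded when the link was created, which is why these artefacts are useful for building an access timeline.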
Admins, think twice before taking screenshots of sensitive data! With the new snipped module you can automatically dump all screenshots taken with the Windows Snipping Tool. Module by .
The SSH protocol now also has --get-file and --put-file flags, to enable the easy upload and download of files with an authenticated session. Made by .
This module enables you to disable, or more realistically re-enable, the remote UAC. This might be useful after manual exploitation, for example, to restore the system's original security (never leave a system more vulnerable than when you found it!). Module by .
The has been known for quite some time, but is still really powerful if you find an outdated host. Relaying SMB traffic to LDAP? No problem!
With the new module remove-mic made by you can easily check if the target is vulnerable to CVE-2019-1040, aka drop the MIC.
Interested in dumping DPAPI hashes? This module, dpapi_hash, extracts DPAPI 'hashes' based on the user's protected master key, which can then be brute-forced with Hashcat (modes 15310 or 15900). Module by .
NetExec can now create a hosts file for machines enumerated over SMB with --generate-hosts-file <filename>, making it easier to add/remove entries in /etc/hosts in CTFs and in real life. Made by .
The new SMB flag --generate-krb5-file <filename> generates a valid krb5.conf file, similar to --generate-hosts-file, to enable Kerberos authentication with other tools. Made by .
Notes by and , copyedit by