v1.4.0 - SmoothOperator
Hello everyone!
It has been almost half a year since the last release and a lot of new features have been added since then. Besides the most dominant protocol, SMB, other protocols like NFS, LDAP, and MSSQL have seen some love with new modules and improvements.
Thank you to everyone who contributed over the past months, and of course, a big thank you to everyone who has been reporting issues on GitHub and helping to troubleshoot or taking part in discussions on Discord. If you want to join our Discord, follow the link.
In case you didn't know, this wiki is open source too and you can contribute to it. If you would like to add missing content or improve existing content, please feel free to do so. Any help is much appreciated! You can find the wiki's source code on GitHub here.
Backup Operator to Domain Admin
As the name suggests, the new module -M backup_operator can leverage the Backup Operator privileges to dump the SAM / SECURITY hives of the DC. This ultimately leads to a full compromise of the domain with the dump of the NTDS.dit. Huge thanks to @mpgn for this module.
Certificate Authentication
NetExec now also supports certificate authentication, thanks to the integration of @dirkjanm's PKINITtools authentication mechanisms into NetExec, by @mpgn.
--pfx-cert/--pfx-base64 with --pfx-pass for PFX certificates
--pem-cert with --pem-key for PEM certificates
NFS Escape to Root File System
Recent research has shown that the default NFS configuration on Linux systems is often insecure. In short: the NFS server does not check whether a requested file is inside the exported directory. This means that if a user has access to the NFS share, they can access any file on the system. In combination with write access, this can lead to a full compromise of the system.
The details of the attack can be found on our wiki page here or on the great blog post by the guys from HvS Consulting.
An implementation of the attack is now available in NetExec; a vulnerable host is indicated by a new flag in the host banner. The implementation was done by @NeffIsBack.
Note: With this update, the semantics of the file download and upload flags have been changed. Don't forget to check the new flag usage.
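As an added defender's check (not NetExec's code), the following script audits an /etc/exports file for the condition described above. It assumes that the missing check the page describes is the exports(5) option subtree_check, which nfs-utils leaves off by default (no_subtree_check); the sample exports file is constructed for the demonstration.

```python
import re

# Assumption (not stated on the page): the check the page describes as missing is the
# exports(5) option subtree_check; nfs-utils defaults to no_subtree_check, so an export
# without an explicit subtree_check leaves the escape to the root file system possible.

EXPORTS_SAMPLE = """\
# constructed /etc/exports used as sample input
/srv/nfs/public   *(rw,sync,no_subtree_check)
/srv/nfs/backup   10.0.0.0/24(rw,sync,subtree_check) \\
                  10.0.1.5(ro,subtree_check)
/export/iso       *(ro,sync)
"""

def parse_exports(text):
    """Yield (path, client, options) for every client clause in exports(5) syntax,
    honouring '#' comments and backslash line continuations."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for clause in clients:
            m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", clause)
            client = m.group(1) or "*"            # a bare "(opts)" applies to every host
            opts = set(filter(None, (m.group(2) or "").split(",")))
            yield path, client, opts

def audit_exports(text):
    """Return (path, reachable_from, access) for exports where the server will not
    confine requests to the exported tree, so share access becomes file-system access."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "subtree_check" in opts:
            continue                              # requests are checked against the export
        access = "read+write" if "rw" in opts else "read"   # exports(5) default is ro
        reach = "any host" if client == "*" else client
        findings.append((path, reach, access))
    return findings

if __name__ == "__main__":
    for path, reach, access in audit_exports(EXPORTS_SAMPLE):
        print(f"{path}: {access} access from {reach}, not confined to the export")
```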
Dumping SAM and LSA
One of NetExec's most prominent features is dumping the local account database (SAM) and the SECURITY registry hive (LSA secrets). Previously, Impacket achieved this by writing the SAM and SECURITY hives to a temporary file on disk, which was then deleted. However, this has now changed, as @laxaa has implemented a method that retrieves the data directly from the registry hives via the remote registry service, which he has contributed to Impacket. Thanks to @mpgn's integration, this method is now the default in NetExec and should offer much greater stealth. However, if you need to use the old method for some reason, you can still switch back with --sam/--lsa secdump.
Timeroasting the Domain
The Timeroast attack has been added as a module to NetExec. This attack allows an attacker on the network to request a hashed & salted version of any computer account NT hash in the domain without the need for authentication. If you would like to know more about the attack, check out this article from @SecuraBV. Module by @Disgame_.

QWINSTA
While the --loggedon-users flag is very useful if you don't have administrative privileges yet, once you do have control over the host it can be very useful to know where users are connecting from. Thanks to @Defte, NetExec now uses the native qwinsta protocol implementation from Impacket to enumerate RDP sessions on the target, providing information such as the connecting IP address and session state.

Tasklist
One of the best ways to trigger an EDR is to run the command -x 'tasklist /v /fo csv | findstr /i "lsass"'. However, listing tasks can be very useful for finding out which PID lsass.exe has or for checking which services are running with which privileges. Thanks to @Defte, NetExec now has a native implementation of the tasklist command that uses a native Windows protocol to query this information, which makes it less likely to be detected by EDRs.

SMB Share Listing Option
You can now list SMB share directories with the new --dir SMB flag! Created by @y0no.
NFS Share Listing Option
The NFS protocol has a built-in share listing option as well. Without specifying a share, it will try to use the escape-to-root-fs and list the root of the file system. Made by @NeffIsBack.

WAM Module
On the hunt for Entra ID or M365 access tokens? The new wam module by @zblurx dumps these tokens from the local Token Broker Cache. You can find a great article by @xpn here if you want to learn more.
Enumerate Delegation Configurations in the Domain
It is now easier to enumerate misconfigured delegation privileges, thanks to the integration by @termanix of Impacket's findDelegation.py tool. With the new LDAP flag --find-delegation, any delegation can be found in the domain, including information about the user/computer object and the delegation details.
LDAPS Channel Binding now Supported
The new integration of LDAP Channel Binding is now available in Impacket, which means hardened environments are not a problem anymore. The LDAP protocol automatically picks up the required security options and works out of the box without user interaction. Thanks to @NeffIsBack, who took care of the Pull Request in Impacket.
RID Brute Force on MSSQL
You probably know the --rid-brute feature of the SMB protocol, but did you know that this is possible with the MSSQL protocol as well? Well, now you can do it with NetExec, thanks to the work of @Adamkadaban!
Coercing with MSSQL
Coercing connections with SMB is a well-known technique that can be achieved by using the coerce_plus module in NetExec. However, it is now also possible to coerce connections using MSSQL and the new mssql_coerce module by @lodos!
Shadow RDP Module
The new shadowrdp module allows you to enable or disable Shadow RDP, which can be used to eavesdrop on a specific RDP session. Module by @Dfte.
Notepad++ Module
Finding credentials in text files never happens, right? Right??
Well, even typing sensitive content into unsaved Notepad++ documents can be dangerous, as it still leaves traces on the system. With the new notepad++ module by @Dfte you can automatically dump this information.
New Modules on MSSQL
@deathflamingo added six new modules for the MSSQL protocol! That includes a few enumeration modules, as well as modules to perform actions on linked servers:
enum_impersonate: List users that can be impersonated (similar to the mssql_priv module)
enum_logins: Enumerate active MSSQL logins
enum_links: Enumerate linked MSSQL servers
exec_on_link: Execute SQL queries on a linked server
link_enable_cmdshell: Enable/Disable the cmd shell on a linked server
link_xpcmd: Execute shell commands on the linked server

Enumerate Recently Accessed Files
By default, Windows creates LNK files for recently accessed objects and stores them in the AppData\Roaming\Microsoft\Windows\Recent directory. This module retrieves and parses these LNK files in order to extract the source files, which can be useful during internal assessments for retrieving recently modified and potentially juicy files. Module by @Defte.
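The same artefact matters on the defender side when triaging a user's Recent folder. As an added example that is not the module's code, the parser below reads the MS-SHLLINK header and LinkInfo structure of a .lnk file to recover the local path it points at; sample_lnk() builds a constructed link for offline testing, and scan_recent() is a hypothetical helper that walks a folder.

```python
import struct
from pathlib import Path

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02               # ShellLinkHeader.LinkFlags bits
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01                              # LinkInfo.LinkInfoFlags bit

def _cstr(buf, off):
    return buf[off:buf.index(b"\x00", off)].decode("cp1252", errors="replace")

def _wstr(buf, off):
    return buf[off:].decode("utf-16-le", errors="replace").split("\x00", 1)[0]

def lnk_target_path(data: bytes):
    """Return the local target path recorded in a .lnk (MS-SHLLINK) blob, or None when the
    link carries no LinkInfo or only a network path."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                      # end of the fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:           # skip IDListSize + IDList (incl. TerminalID)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO:
        return None
    _size, hdr_size, info_flags, _vol, base_off, _net, suffix_off = struct.unpack_from("<7I", data, pos)
    if not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None
    if hdr_size >= 0x24:                          # Unicode offsets present: prefer them
        ubase, usuffix = struct.unpack_from("<II", data, pos + 28)
        return _wstr(data, pos + ubase) + _wstr(data, pos + usuffix)
    return _cstr(data, pos + base_off) + _cstr(data, pos + suffix_off)

def scan_recent(folder):
    """Hypothetical helper: map each *.lnk in a Recent folder to its recorded local target."""
    return {p.name: lnk_target_path(p.read_bytes()) for p in Path(folder).glob("*.lnk")}

def sample_lnk(target=b"C:\\Users\\alice\\Documents\\budget.xlsx"):
    """Constructed minimal .lnk (header, empty IDList, LinkInfo, terminal block) for offline use."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"                   # IDListSize=2: only TerminalID
    volume = struct.pack("<IIII", 0x11, 3, 0x12345678, 0x10) + b"\x00"  # fixed disk, empty label
    base = target + b"\x00"
    base_off = 0x1C + len(volume)                                   # offsets relative to LinkInfo
    suffix_off = base_off + len(base)
    info = struct.pack("<7I", suffix_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH, 0x1C, base_off, 0, suffix_off)
    return header + id_list + info + volume + base + b"\x00" + b"\x00\x00\x00\x00"
```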

Snipping Tool Module
Admins, think twice before taking screenshots of sensitive data! With the new snipped module you can automatically dump all screenshots done by the Windows Snipping Tool. Module by @Yeeb1.

Uploading and Downloading files with SSH
The SSH protocol now also has --get-file and --put-file flags, to enable the easy upload and download of files with an authenticated session. Made by @jdholtz.

Remote UAC
This module enables you to disable, or more realistically re-enable, the remote UAC. This might be useful after manual exploitation, for example, to restore the system's original security (never leave a system more vulnerable than when you found it!). Module by @Defte.

Detect drop-the-MIC
The drop-the-MIC attack has been known for quite some time, but it is still really powerful if you find an outdated host. Relaying SMB traffic to LDAP? No problem!
With the new module remove-mic made by @XiaoliChan you can easily check if the target is vulnerable to CVE-2019-1040, aka drop the MIC.
DPAPI Hash
Interested in dumping DPAPI hashes? This module, dpapi_hash, extracts DPAPI 'hashes' based on the user's protected master key, which can then be brute-forced with Hashcat (modes 15310 or 15900). Module by @nikaiw.
Automatically Generate Hosts File
NetExec now creates host files for machines enumerated over SMB with --generate-hosts-file <filename>, making it easier to add/remove entries in /etc/hosts in CTFs and in real life. Made by @mpgn.
Automatically Generate KRB5 File
The new SMB flag --generate-krb5-file <filename> generates a valid krb5.conf file, similar to --generate-hosts-file, to enable Kerberos authentication with other tools. Made by @mpgn.
Outro
If you want to read about all changes in detail or download the latest standalone binaries, check out the GitHub release page:
Notes by Alexand @termanix, copyedit by Marshall Hallenbeck