Name: netexec
Category: Network
Publisher: trickest-mhmdiaa
Created: 7/18/2024
Container: quay.io/trickest/netexec:3a5c109
Output Type:
License: Unknown
Parameters
-id: database credential ID(s) to use for authentication
--ls: List files in the directory
--lsa: dump LSA secrets from target systems
--pvk: DPAPI option. File with domain backupkey
--sam: dump SAM hashes from target systems
--wmi: issues the specified WMI query
--gmsa: Enumerate GMSA passwords
--hash: NTLM hash(es)
-6: Enable force IPv6
--ntds: dump the NTDS.dit from target DCs using the specified method (drsuapi,vss)
--port: Target port
--sccm: dump SCCM secrets from target systems (wmi,disk)
--user: Dump selected user from DC
--codec: Set encoding used (codec) from the target's output. If errors are detected, run chcp.com at the target & map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute again with --codec and the corresponding codec (default: utf-8)
--debug: enable debug level information
--depth: max spider recursion depth
--disks: enumerate disks
--dpapi: dump DPAPI secrets from target systems, can dump cookies if you add 'cookies', will not dump SYSTEM dpapi if you add nosystem (cookies,nosystem)
--query: execute the specified query against the target
--regex: regex(s) to search for in folders, filenames and file content
--users: enumerate domain users, if a user is specified then only its information is queried.
-d: domain to authenticate to
--groups: enumerate domain groups, if a group is specified then its members are enumerated
--hash: file containing NTLM hashes
--jitter: sets a random delay between each authentication
--mkfile: DPAPI option. File with masterkeys in form of {GUID}:SHA1
--module: module to use
--no-smb: No smb connection
--server: use the selected server (default: https)
--shares: enumerate shares and access
--spider: share to spider
(no name shown): the target IP, range, CIDR, hostname, or FQDN
--aesKey: AES key to use for Kerberos Authentication (128 or 256 bits)
-x: execute the specified command
--content: enable file content searching
--dns-tcp: Use TCP instead of UDP for DNS queries
--enabled: Only dump enabled targets from DC
--get-sid: Get domain sid
--pattern: pattern(s) to search for in folders, filenames and file content
(no name shown): a list of target IP(s), range(s), CIDR(s), hostname(s), FQDN(s), NMap XML or .Nessus file(s)
--threads: set how many concurrent threads to use
--timeout: max timeout in seconds of each thread
--verbose: enable verbose output
--kerberos: Use Kerberos authentication
--pass-pol: dump password policy
--password: password
(no name shown): the network protocol to assess (available protocols: ldap, mssql, smb, wmi, ssh, vnc, ftp, winrm, rdp)
--sessions: enumerate active sessions
--username: username
--computers: enumerate computer user
--password: file containing passwords
--username: file containing usernames
--bloodhound: Perform a Bloodhound scan
--collection: Which information to collect. Supported: Group, LocalAdmin, Session, Trusts, Default, DCOnly, DCOM, RDP, PSRemote, LoggedOn, Container, ObjectProps, ACL, All. You can specify more than one by separating them with a comma (default: Default)
--dns-server: Specify DNS server (default: Use hosts file & System DNS)
--force-ps32: Force the PowerShell command to run in a 32-bit process via a job; WARNING: depends on the job completing quickly, so you may have to increase the timeout
--interfaces: enumerate network interfaces
--local-auth: authenticate locally to each target
--only-files: only spider files
--use-kcache: Use Kerberos authentication from ccache file (KRB5CCNAME)
--admin-count: Get objects that had the value adminCount=1
--amsi-bypass: File with a custom AMSI bypass
--dns-timeout: DNS query timeout in seconds
--dump-method: Select shell type in hashes dump (default: cmd) (cmd,powershell)
--exec-method: method to execute the command. Ignored if in MSSQL mode (default: wmiexec) (smbexec,wmiexec,atexec,mmcexec)
--no-progress: do not display progress bar during scan
--server-host: IP to bind the server to (default: 0.0.0.0)
--server-port: start the server on the specified port
--active-users: Get Active Domain Users Accounts
--dcom-timeout: DCOM connection timeout (default: 5)
--exclude-dirs: directories to exclude from spidering
--list-modules: list available modules
--local-groups: enumerate local groups, if a group is specified then its members are enumerated
--filter-shares: Filter share by access, option 'read' 'write' or 'read,write'
--mssql-timeout: SQL server connection timeout (default: 5)
--no-bruteforce: No spray when using file for username and password (user1 => password1, user2 => password2)
--rid-brute: specify max RID to enumerate users by bruteforcing RIDs
--spider-folder: folder to spider (default: .)
--wmi-namespace: WMI Namespace (default: root\cimv2)
--loggedon-users: enumerate logged on users
-o: module options
--no-write-check: Skip write check on shares (avoid leaving traces when missing delete permissions)
--gmsa-convert-id: Get the secret name of specific gmsa or all gmsa if no gmsa provided
--fail-limit: max number of failed login attempts per host
--connectback-host: IP for the remote system to connect back to
--get-output-tries: Number of times atexec/smbexec/mmcexec tries to get results (default: 10)
--gmsa-decrypt-lsa: Decrypt the gmsa encrypted value from LSA
--gfail-limit: max number of global failed login attempts
--no-output: do not retrieve command output
--ignore-pw-decoding: Ignore non UTF-8 characters when decoding the password file
-X: execute the specified PowerShell command
--continue-on-success: continues authentication attempts even after successes
--ufail-limit: max number of failed login attempts per username
--no-encode: Do not encode the PowerShell command ran on target
--obfs: Obfuscate PowerShell ran on target; WARNING: Defender will almost certainly trigger on this
--options: display module options
--loggedon-users-filter: only search for specific user, works with regex
--password-not-required: Get the list of users with flag PASSWD_NOTREQD
--trusted-for-delegation: Get the list of users and computers with flag TRUSTED_FOR_DELEGATION
--dc-list: Enumerate Domain Controllers
--clear-obfscripts: Clear all cached obfuscated PowerShell scripts
--kdcHost: FQDN of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter