NetExec (formerly CrackMapExec, CME)

A Swiss army knife for pentesting networks

Detect Windows hosts

netexec smb 192.168.1.0/24

Validate Credentials

Credentials can be quickly checked with NetExec, using either a plaintext password (-p) or an NT hash (-H)

netexec smb 192.168.1.2 -u Administrator -p 'password123'
netexec smb 172.16.229.188 -u Joe -H 77f944ff6e0c0ed0c83dcef57bdf9298

Make sure to also check discovered local account credentials

netexec smb 172.16.229.188 -u Administrator -p 'password123' --local-auth

--local-auth signifies a local account; without it NetExec defaults to authenticating as a domain user

Brute

Try a single password against every user in the list, printing to the console and appending the output to a file

netexec smb 192.168.0.1 -u users_enabled.txt -p pass123 --continue-on-success | tee -a brute.txt

Try each username as its own password, printing to the console and appending the output to a file

netexec smb 192.168.0.1 -u users_enabled.txt -p users_enabled.txt --continue-on-success --no-bruteforce | tee -a same_brute.txt

(note --no-bruteforce: when both -u and -p are files, this pairs line 1 with line 1, line 2 with line 2, and so on, instead of trying every username against every password)

The same checks can be run against the ldap protocol instead of smb

Password Spraying

Spraying works against any of the services NetExec supports, not just smb

NetExec's RDP password spraying seems inconsistent; use the approach on the RDP Password Spraying page instead
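
From the defender's side, the Brute and Password Spraying commands above leave a recognisable footprint in Windows logon-failure events (event ID 4625): one source address failing against many distinct accounts in a short window (a spray, including the username-as-password run with --no-bruteforce, which still produces one failure per account), or one source failing many times against a single account (classic brute force). The following is an added detection example, not part of NetExec or this page's original content. It assumes the 4625 events have already been exported to a simple one-event-per-line text form (timestamp, event ID, src=, user=); the log lines are constructed for the example, and the thresholds are illustrative.

```python
"""Flag password-spray and brute-force patterns in exported Windows 4625 events.

Added defender-side example (not NetExec project code). Assumed input format,
one event per line:  <ISO timestamp> <event id> src=<ip> user=<account>
"""
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts src user")

# Constructed sample log: one host sprays six accounts once each, a second
# host hammers a single service account, a third is a user mistyping twice
# (followed by a successful 4624 logon, which the parser ignores).
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d} 4625 src=192.168.0.50 user={u}"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"], start=1)]
    + [f"2024-05-01T10:05:{i:02d} 4625 src=10.0.0.7 user=svc_backup" for i in range(12)]
    + ["2024-05-01T10:07:30 4625 src=172.16.5.9 user=carol",
       "2024-05-01T10:07:45 4625 src=172.16.5.9 user=carol",
       "2024-05-01T10:08:00 4624 src=172.16.5.9 user=carol"]
)


def parse_events(text):
    """Parse the assumed export format, keeping only logon failures (4625)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "4625":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append(Event(datetime.fromisoformat(parts[0]), fields["src"], fields["user"]))
    return events


def detect(events, window=timedelta(minutes=10), spray_accounts=5, brute_attempts=10):
    """Return (sprays, brutes).

    sprays: {src: sorted distinct accounts} for sources that failed against at
            least `spray_accounts` different accounts inside one `window`.
    brutes: {(src, user): failures} for source/account pairs with at least
            `brute_attempts` failures inside one `window`.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    sprays, brutes = {}, {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, cur in enumerate(evs):
            # Slide the window so it only spans `window` of time.
            while cur.ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            if len(users) >= spray_accounts:
                sprays[src] = sorted(set(sprays.get(src, [])) | users)
            for user, n in Counter(e.user for e in win).items():
                if n >= brute_attempts:
                    brutes[(src, user)] = max(n, brutes.get((src, user), 0))
    return sprays, brutes


if __name__ == "__main__":
    sprays, brutes = detect(parse_events(SAMPLE_LOG))
    for src, users in sprays.items():
        print(f"SPRAY  {src}: {len(users)} accounts ({', '.join(users)})")
    for (src, user), n in brutes.items():
        print(f"BRUTE  {src} -> {user}: {n} failures")
```

The two thresholds are the tuning knobs: a spray is defined by breadth (distinct accounts per source), a brute force by depth (failures per account), so the typo-prone user at 172.16.5.9 trips neither. One collection caveat tied to --local-auth above: failures against local accounts are logged on the target host itself, not on the domain controller, so the export needs to cover member servers as well as DCs or local-account sprays will be invisible.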