SUMMARY.md

Table of contents

• Welcome
• News
  • 🕷️ v1.0.0 Release!
  • 🔧 v1.1.0 - nxc4u
  • 📡 v1.2.0 - ItsAlwaysDNS
  • 🏎️ v1.3.0 - NeedForSpeed
  • 🧈 v1.4.0 - SmoothOperator
• Logo & Banner
• Netexec Lab

Getting Started

• Installation
  • 🐧 Installation for Unix
  • 🪟 Installation for Windows
  • 🍎 Installation for Mac
  • 🛠️ Manually building the binary
  • ➡️ Post Installation Setup
• Selecting & Using a Protocol
• Target Formats
• Using Credentials
• Using Kerberos
• Using Certificates
• Using Modules
• DNS options
• Database General Usage
• BloodHound Integration
• Audit Mode
• Ignore OpSec Warnings
• Logging

SMB protocol

• Generate hosts file
• Generate krb5.conf file
• Generate TGT
• Scan for Vulnerabilities
• Enumeration
  • Enumerate Hosts
  • Enumerate Null Sessions
  • Enumerate Guest Logon
  • Enumerate Hosts with SMB Signing Not Required
  • 🆕 Enumerate Active Windows Sessions
  • 🆕 Enumerate Logged-On Users with the Remote Registry Service
  • Enumerate Logged-On Users with the Workstation Service
  • Enumerate Shares and Access
  • 🆕 Enumerate Network Interfaces
  • Enumerate Disks
  • Enumerate Bitlocker
  • Enumerate Domain Users
  • Enumerate Users by Bruteforcing RID
  • Enumerate Domain Groups
  • Enumerate Local Groups
  • Enumerate Domain Password Policy
  • Enumerate Anti-Virus & EDR
  • Enumerate remote processes
  • 🆕 Enumerate changed lockscreen executables
  • 🆕 Enumerate Primary Site Server and Distribution Point via recon6
• Password Spraying
• Authentication
  • Checking Credentials (Domain)
  • Checking Credentials (Local)
  • 🆕 Delegation
• Command Execution
  • Executing Remote Commands
    • Process Injection (pi module)
  • Getting Shells 101
• Spidering Shares
• Get and Put Files
• Obtaining Credentials
  • Dump SAM
  • Dump LSA
  • Dump NTDS.dit
  • Dump LSASS
  • Dump DPAPI
  • 🆕 Dump with BackupOperator Priv
  • 🆕 Dump SCCM
  • 🆕 Dump Token Broker Cache
  • Dump WIFI password
  • Dump KeePass
  • Dump Veeam
  • Dump WinSCP
  • 🆕 Dump PuTTY
  • 🆕 Dump VNC
  • 🆕 Dump mRemoteNG
  • 🆕 Dump Notepad
  • 🆕 Dump Notepad++
  • 🆕 Dump Remote Desktop Credential Manager
  • 🆕 Dump Event Log Creds(4688)
• Defeating LAPS
• Checking for Spooler & WebDav
• Steal Microsoft Teams Cookies
• Impersonate logged-on Users
• Change User Password
• Dump User Local Security Questions

LDAP protocol

• Authentication
• Enumerate Domain Users
• Enumerate Domain Groups
• 🆕 Query LDAP
• ASREPRoast
• Find Domain SID
• Kerberoasting
• 🆕 Find Misconfigured Delegation
• Unconstrained Delegation
• Admin Count
• Machine Account Quota
• Get User Descriptions
• Dump gMSA
• Exploit ESC8 (ADCS)
• Extract Subnet
• Check LDAP Signing
• Read DACL Rights
• Extract gMSA Secrets
• Bloodhound Ingestor
• 🆕 List DC IP / Enum Trust
• Enumerate Domain Trusts
• 🆕 Enumerate SCCM
• 🆕 Enumerate Entra ID

---

• 🆕 Dump PSO

WINRM protocol

• Password Spraying
• Authentication
• Command Execution
• Defeating LAPS
• Obtaining Credentials
  • Dump SAM
  • Dump LSA
  • 🆕 Dump DPAPI

MSSQL protocol

• Password Spraying
• Authentication
• MSSQL PrivEsc
• MSSQL Command Execution
• MSSQL Upload & Download
• Execute via xp_cmdshell
• 🆕 Enumerate Users by Bruteforcing RID

SSH protocol

• Password Spraying
• Authentication
• Command Execution
• Get and Put Files

FTP protocol

• Password Spraying
• 🆕 File Listing, etc
• 🆕 File Upload & Download

RDP Protocol

• Password Spraying
• Screenshot (connected)
• Screenshot Without NLA (not connected)
• 🆕 Command Execution

WMI Protocol

• Password Spraying
• Authentication
• Command Execution

NFS Protocol

• 🆕 Enumeration
• Download and Upload Files
• 🆕 Escape to root file system