v1.3.0 - NeedForSpeed
Hello everyone!
Recently, a lot of incredible Pull Requests have been submitted. Over 22 PRs in 2 weeks! This community activity is incredible, so be prepared for a lot of upcoming features, even if not all of them are included in this release.
Therefore, a big thank you to all the contributors of the past months. Of course, also a big thank you to the people who have been submitting issues on GitHub and our Discord server. This is very important to improve stability and to ensure everything is working as expected.
NeedForSpeed - NFS
After quite some time, a new protocol has been added: NFS! This provides the ability to detect NFS servers and enumerate shares recursively. You can also download and upload files with the commands --get-file and --put-file respectively. Big thanks to @termanix for implementing this protocol, with the help of @Marshall-Hallenbeck and @NeffIsBack.
SCCM LDAP Reconnaissance
There has been a lot of recent research into Microsoft's System Center Configuration Manager (SCCM), also known as Microsoft Endpoint Configuration Manager (MECM). Therefore, @NeffIsBack developed a module to detect an SCCM environment in Active Directory via LDAP! This will find SCCM Site Servers, SCCM Sites, SCCM Management Points and Users, Computers or Groups related to SCCM.
coerce_plus Module
The new coerce_plus module combines all 5 coercion methods (PetitPotam, DFSCoerce, MSEven, ShadowCoerce and PrinterBug). You can now check all these vulnerabilities with a single module, rather than one by one! If you want to coerce authentications with one of these techniques, just set a LISTENER IP. Made by @lodos2005.
Identify Pre-Created Computer Accounts
Pre-Windows 2000 computer accounts are valuable targets during engagements, as by default the password is set to the computer name. @Shad0wC0ntr0ller developed a module to identify these accounts and save a ccache for accounts where the password was not changed. If you want to learn more, check out this great article at TrustedSec: https://trustedsec.com/blog/diving-into-pre-created-computer-accounts
Hunting for passwords in PowerShell Histories
The PowerShell history can be a goldmine for credentials. If admins forget to clear their history and passwords are typed in the console, they can be easily extracted. Thanks to @357384n we have a new module, which will check the history of all users on the target for keywords that might get you plaintext credentials.
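The same exposure can be audited from the defender's side so that histories are cleaned up before an engagement finds them. The following is an added example, not NetExec code: the patterns, the function name audit_history and the sample history are assumptions constructed for illustration. It scans PowerShell history text for literal credentials and masks them in the report.

```python
import re

# Assumed audit patterns, not the NetExec module's keyword list.
QUOTED = r"'[^']*'|" + r'"[^"]*"'
VALUE = QUOTED + r"|\S+"
RULES = [
    ("securestring-plaintext", re.compile(
        r"ConvertTo-SecureString\s+(?:-String\s+)?(?P<secret>" + VALUE
        + r")\s+-AsPlainText", re.I)),
    ("password-parameter", re.compile(
        r"(?<![\w-])-(?:Password|Pass)\s+(?P<secret>" + VALUE + ")", re.I)),
    ("net-user", re.compile(
        r"\bnet\s+user\s+\S+\s+(?P<secret>[^\s/]\S*)", re.I)),
    ("variable-assignment", re.compile(
        r"\$\w*(?:pass|pwd|secret)\w*\s*=\s*(?P<secret>" + QUOTED + ")", re.I)),
]

# Constructed sample of a PSReadLine history file (ConsoleHost_history.txt).
SAMPLE_HISTORY = """\
Get-ChildItem C:\\Temp
$pw = ConvertTo-SecureString 'Winter2024!' -AsPlainText -Force
net user svc_backup Backup#2024 /add
Connect-Thing -Server db01 -Password $cred
$apiSecret = "constructed-token-123"
net user alice *
"""

def audit_history(text):
    """Return (line_number, rule, masked_line) for lines holding literal secrets."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            secret = m.group("secret")
            # A variable, sub-expression or interactive prompt is not a literal.
            if secret.startswith(("$", "(")) or secret == "*":
                continue
            # Mask the value so the audit report does not leak it again.
            masked = line[:m.start("secret")] + "<redacted>" + line[m.end("secret"):]
            findings.append((lineno, name, masked))
            break  # one finding per line is enough to drive cleanup
    return findings

if __name__ == "__main__":
    for lineno, rule, masked in audit_history(SAMPLE_HISTORY):
        print(f"line {lineno}: {rule}: {masked}")
```

Any line it reports means the credential should be rotated and the history entry removed.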
Detection for the Guest Session
Unsure about the anonymous authentication? NetExec now has a new flag to detect whether the guest session is active! Thanks to @Marshall-Hallenbeck for the nice idea.
Retrieving networks and subnets via new SMB Interfaces flag
The new SMB flag --interfaces will enumerate all interfaces on the target. Very useful to find subnets and servers for pivoting! Made by @Sant0rryu.
Enumerating BitLocker
The new BitLocker module -M bitlocker checks the BitLocker status on all drives. This module is also available in both WMI and SMB! Made by @termanix.
Find Security Questions
This SMB module will dump security questions and answers for all users on the machine. Made by Adamkabadan.
Enumerate Hyper-V Hosts
Hyper-V saves the hostname of the hypervisor in the registry. With this module you can query that information from any target VMs. Made by @joaovarelask.
Checks Regarding Defender AV via WCC Module
The WCC module got some new checks regarding Windows Defender settings. For example, you can check if Defender has exclusions set for specific paths or file extensions. Made by @jubeaz.
Smbghost Scanning Module
With the new SMB module -M smbghost, you can check for prerequisites that have to be enabled for the SMBGhost vulnerability. Made by @r4anan.
Outro
If you want to read about all changes in detail or download the latest standalone binaries, check out the GitHub page: