github Pennyw0rth/NetExec v1.4.0

4 months ago

What's Changed

  • Fix runasppl.py by @Hackndo in #458
  • Fixed issue with --options flag by @haytechy in #466
  • Fix `a bytes-like object is required, not str` in `nxc/protocols/smb.py` by @Chocapikk in #470
  • Drop support for Python 3.8 and 3.9 by @NeffIsBack in #460
  • Code and stability improvements by @NeffIsBack in #473
  • fix(nfs): check if status is 13 and print out permission denied for share by @Marshall-Hallenbeck in #474
  • [SMB] Add --dir option by @y0no in #462
    • You can now list the content of any SMB share by specifying --dir and optionally a path or --share
  • Mssql automatic backup&restore for options by @0xQRx and @NeffIsBack in #405
  • Fix nmap XML parser when looking for ftp service by @j-mie in #486
  • Add option to generate hosts file for smb proto to first blood more quickly on htb by @mpgn in #482
    • With the new option --generate-hosts-file <path> you can auto generate the /etc/hosts file for e.g. AD labs
  • schtask_as - Delete task when there is an error by @Kahvi-0 in #481
  • Fix veeam output by @NeffIsBack in #487
  • New LDAP Flag Find Delegation by @termanix in #381
    • The new ldap flag --find-delegation enumerates all configured delegations in the domain
  • Bugfix: exec-method specified in module file is not used by @snowpeacock in #438
  • add an option to ioxidresolver to get only IP values different from targets by @nikaiw in #380
  • Allow for empty domains by @TheToddLuci0 in #488
  • Update impacket so ldaps channel binding is supported by @NeffIsBack in #495
    • Hardened environments shouldn't be a problem anymore; the LDAP protocol should now work in all situations
  • Speed improvements and bug fixes by @NeffIsBack in #498
  • Timeroast module by @Disgame in #311
    • Will retrieve all computer passwords in a windows-ntp-hash format from an unauthenticated perspective
  • Bugfix: file extension filter of spiderplus was misleading/broken by @Joytide in #499
  • Fix RDP '--nla-screenshot' option by @lap1nou in #502
  • Fix TARGET_DN object query by @MaxToffy in #500
  • Add baseDN flag to ldap by @NeffIsBack in #503
  • Add rid-brute flag to mssql protocol by @Adamkadaban in #492
    • New --rid-brute flag for the mssql protocol, which enumerates users in the domain
  • Add mssql_coerce Module by @lodos2005 in #456
    • Coercing is now possible with the mssql protocol as well
  • Upgrade dploot to 3.0.3 by @zblurx in #491
    • --dpapi now also loots Firefox cookies
    • New wam module which dumps Entra and M365 access tokens from Token Broker Cache
    • Update of the dploot package
  • [SMB] Powershell history module rework by @Dfte in #449
  • Add the shadow RDP module by @Dfte in #465
    • Checks if Shadow RDP is enabled which can be used to eavesdrop on a particular RDP session and even interact with it
  • [SMB] Rework the runasppl module by @Dfte in #451
  • [SMB] Add the Notepad++ module by @Dfte in #444
    • This new module dumps unsaved (and therefore backed-up) Notepad++ files from Appdata\Roaming\Notepad++\Backup
  • Added new modules for mssql - namely enum_impersonate, enum_logins, enum_links, exec_on_link, link_enable_xp, link_xpcmd by @deathflamingo in #415
    • The module enum_impersonate displays all users with impersonation privileges
    • The module enum_logins displays active login sessions
    • The module enum_links displays all linked MSSQL servers
    • The module exec_on_link lets you execute commands on linked servers
    • The module link_xpcmd lets you enable or disable xp_cmdshell on a linked server
  • fix ruff by @mpgn in #506
  • Update pyproject.toml to add missing dependency for wam module by @Mortimus in #509
  • fix trust relation for smb by @mpgn in #510
  • Remove smb from ldap proto by @mpgn in #508
    • No more SMB in the LDAP protocol, just plain LDAP 🎉
  • fix trust relation for ldap by @mpgn in #511
  • Add new SMB module to download Screenshots created by Snipping Tool by @Yeeb1 in #368
    • Automatically download all screenshots from the target with the new snippet module; maybe you will find some creds in them
  • Change error to fail message by @NeffIsBack in #515
  • Add a query for the linked server config if we are local admin by @NeffIsBack in #516
  • Rename ldapConnection to the new ldap_connection var #508 #4767762 - Fix Modules by @lodos2005 in #520
  • Fix #514 by @NeffIsBack in #522
  • [SMB] Allow force to disable SMBv1 by @XiaoliChan in #523
  • [Module] Add remove mic check by @XiaoliChan in #521
    • The new module remove-mic checks for CVE-2019-1040, also known as "Drop the MIC"
  • Fix user-desc.py by @lap1nou in #526
  • Show error messages when rdp fails by @NeffIsBack in #528
  • [PrintNightmare] Add more exception catch in module by @XiaoliChan in #529
  • Improve LDAP dc-list flag by @termanix in #476
  • ssh: allow for putting and getting files by @jdholtz in #524
    • Uploading/Downloading files via ssh is now possible with --put-file/--get-file respectively
  • coerce_plus: Support DCERPC for PrinterBug by @rtpt-romankarwacik in #505
  • push bloodhound to 1.8 by @mpgn in #532
  • fix connection issue with socks ldap by @mpgn in #530
  • Refactor ssh by @NeffIsBack in #531
  • add certificate authentication aka pass-the-cert by @mpgn in #533
    • Certificate authentication in NetExec 🎉
    • Use --pfx-cert/--pfx-base64 with --pfx-pass for PFX certificates
    • Use --pem-cert with --pem-key for PEM certificates
  • Update license file and lint py version by @NeffIsBack in #535
  • switch default conn from smbv1 to smbv3 by @mpgn in #534
  • fix pfx auth on non dc by @mpgn in #536
  • Fix spec file by @NeffIsBack in #538
  • update dploot to 3.1.0 by @zblurx in #539
  • Add dpapi hash module based on the work of @Fist0urs by @nikaiw in #379
    • Dump the users hashed passwords from dpapi
  • fix ruff by @mpgn in #545
  • Add option generate-krb5-file for krb5 configuration by @mpgn in #544
  • Swap cert-pem to pem-cert to match pfx syntax by @NeffIsBack in #546
  • Fix: privileged groups SID not found error by @Joytide in #547
  • Ruff fixed LDAP protocol by @termanix in #553
  • Fix lsass Dump Files Deleting Process When Dump Fail by @termanix in #542
  • Updated exe files while putting for evasion by @termanix in #541
  • [smb] Always delete service when using smbexec by @jdholtz in #552
  • Add Backup operators module by @mpgn in #537
    • Automate the privilege escalation from the Backup Operators group to the Domain Admins including an NTDS.dit dump 🚀
  • Update users and active-users against anonymous ldap authentication by @termanix in #441
  • Fix hardcoded option by @NeffIsBack in #560
  • Fix #564 by @NeffIsBack in #565
  • Exception handling for spider_plus by @NeffIsBack in #569
  • [smb] Always delete output file by @jdholtz in #568
  • Bugfixes for py3.13 by @NeffIsBack in #571
    • Added official support for Python 3.13
  • LDAP checker fix when checking without creds by @zblurx in #573
  • Refactored powershell_history module to fix case sensitivity by @Mercury0 in #575
  • Fix ASCII Art by @NeffIsBack in #576
  • Rename ambiguous function by @NeffIsBack in #577
  • [SMB] Add the --qwinsta and --tasklist options by @Dfte in #445
    • The new flag --qwinsta enumerates sessions on the target, including useful information such as the IPv4 addresses of the connected users
    • The new flag --tasklist enumerates all processes on the target
    • Both flags use native Windows protocols, so there is no command execution that could be caught by AV!
  • Linting by @NeffIsBack in #580
  • NFS escape to root fs by @NeffIsBack in #583
    • New technique which automatically escapes to the root filesystem / on many Linux hosts
    • E.g. the default NFS export settings on Debian allow full compromise of the system by overwriting /etc/passwd
  • Small bug fixes for NFS by @NeffIsBack in #584
  • Add support for latest Veeam version and add description to cred output by @NeffIsBack in #570
  • Improve reliability of ldap-checker module by @Mercury0 in #587
  • Fix NFS issues when share is not listable by @NeffIsBack in #588
  • Create remote-uac.py by @Dfte in #464
    • Enable/Disable the remote UAC on the target with the new module remote-uac
  • Catch ldap error if host is not reachable by @NeffIsBack in #591
  • Fix Poetry 2.1+ compatibility in pyproject.toml by @n3rada in #574
  • Remove pywerview dependency by @mpgn in #579
  • Use host IP for DNS resolution in asreproast function if kdcHost not specified by @Mercury0 in #594
  • Revert #411 due to connection issues (#479) by @NeffIsBack in #601
  • Add regsecretdump technique by @mpgn in #599
    • Introducing regsecretsdump, which dumps --lsa and --sam using only registry queries, without writing to disk
    • At the moment this appears to be much stealthier than the normal secretsdump technique, see fortra/impacket#1898 (comment)
    • The old method can still be used by specifying it in the command itself if you want to switch back, e.g. --lsa secdump
  • Several smaller bug fixes by @NeffIsBack in #597
  • fix 0x_df issue with hosts file by @mpgn in #603
  • Add information if ntlm disabled by @mpgn in #604
  • Silently handle connection timed out during LDAP scan by @jdholtz in #606
  • fix: check if an IP is being searched for when calling get_hosts by @Marshall-Hallenbeck in #590
  • Modified the password used in pre2k.py for machine names longer than the max of 14 chars by @shikatano in #611
  • Added credential and host DB for LDAP protocol by @lap1nou in #527
    • Full LDAP support in the nxcdb!
  • Update smb.py to test smbv1 connection before writing in nxcdb by @Testeur-2-stylos in #615
  • Add Error handling for loading users into registry by @NeffIsBack in #619
  • Fix spec file by @NeffIsBack in #620
  • Export Users to a File by @haytechy in #602
    • If you would like to export the users queried by the SMB/LDAP flag --users, just use the new flag --users-export <out-path>
  • Improve WinSCP module by @NeffIsBack in #622
  • remove pywerview from spec by @noraj in #626
  • [SMB]: Prevent infinite loops handling an unknown error retrieving command output by @jdholtz in #625
  • [SMB] Add the recent_files module by @Dfte in #450
    • The new recent_files module displays all files recently used by users on the system.
  • Fix left-hand side indent from exec output by @NeffIsBack in #628
  • Remove firefox module in favour of --dpapi which includes firefox by @NeffIsBack in #630
  • Fix the baseDN for admin_check for custom baseDN by @NeffIsBack in #634
  • SMB DPAPI now stores results, issue #632 by @termanix in #633
  • Fix Kerberos Login While Using --use-kcache by @termanix in #636
  • Fix ldap hash auth with signing enforced by @NeffIsBack in #637
  • Fix encoding issue in get-desc-user by @NeffIsBack in #639
  • Catch rpc error nca_s_op_rng_error when method is not implemented by @NeffIsBack in #638
  • Update ldap.py for parse_result_attributes by @termanix and @NeffIsBack in #471
    • Refactor of many functions in LDAP including encoding improvements
  • Add read principal to GMSA by @NeffIsBack in #640
    • --gmsa now also shows the user that has read permissions on the GMSA passwords
  • completions: do not complete options without entering - first by @exploide in #641
  • Add sid parsing directly to the ldap attribute parser by @NeffIsBack in #642
  • Add CODENAME for release v1.4.0 by @NeffIsBack in #643

New Contributors

Full Changelog: v1.3.0...v1.4.0