save partial findings for later use (like open ports, used protocols, versions etc.) if finding data is too long or already exists in another file dont save it

read existing files from the project directory to see what findings and data have been saved

read a file

used to check smb signgings of an ip address or some range of ip addresses with the needed options

run an nmap scan on an ip or ip range (use the right nmap flags based on the first response)

generate some password wordlist based on initial input of word(s), let this be the last resort if no other wordlist worked

enumerate users on an active directory domain, you can provide username or password if you have some

Bruteforce rid to enumerate users

spray passwords on an account or several accounts

Retrieve the Kerberos 5 AS-REP etype 23 hash of users without or with Kerberos pre-authentication required

The goal of Kerberoasting is to harvest TGS tickets for services that run on behalf of user accounts in the AD, not computer accounts. Thus, part of these TGS tickets is encrypted with keys derived from user passwords. As a consequence, their credentials could be cracked offline.

check available john format before cracking a hash

cracking hashes using john based on format and a wordlist

enumerate smb shares having username and password credentials and dump them into ~/.nxc/modules/nxc_spider_plus/{ip}.json and you'll find the directory inside ~/.nxc/modules/nxc_spider_plus/{ip} that has the data so you could read that. read readable files after you check what files exists and pull valuable information like old versions , hard coded secrets , misconfigurations .. If you see items listed in the share but didn't get downloaded raise the max_size and download again.

dump NTdS.dit which contains users and their hashes if we have some valid credentials

execute powershell commands if we have pwned the user, possible to use ntlm or password for authentication

dump sam hashes if we have some redentials using the sec dump which is similar to secretdump,use ntlm hash or normal password

use the netexec's bloodhound feature to extract the json data to be uploaded to bloodhound database

Call this before before using a module to check available exploit modules for a certain netexec supported protocol {rdp,ldap,winrm,smb,ssh,nfs,ftp,wmi,mssql,vnc} and based on the description of the modules chose one to perform

After selecting the right module call this to check what options that module presents

Call this to use the module with the right options and make sure to satisfy the need of certain variables like credentials etc.If no credentials are needed for the module or no valid credentials are found leave the username and password default (empty). Options syntax is ["option1=value1","options2=value2",...]

connect to bloodhoundapi and get version

Upload data zip to bloodhound to ingest and analyze (wait until it gets ingested before testing queries)

list already saved queries in bloodhound

Run a bloodhound cypher query of your choice (use this to collect information about the network and potentially identify attack vectors)

Call this to enumerating Active Directory Certificate Services (AD CS) vulnerabilities. username syntax is: username@domain