v1.3.0

What's Changed

• fix extract_password in the keepass module by @sepauli in #279
• [NXCDB] Add support for CTRL-D by @fpreynaud in #334
• Add output if a successful authentication is via Guest privileges by @Marshall-Hallenbeck in #333
  • New label for the guest account so this is quickly identified
• add testing hash file to e2e_commands.txt by @Marshall-Hallenbeck in #336
• Improve OS detection by @NeffIsBack in #340
• Adding some logger when users have been dumped by @Anhydrite in #343
• Added domain name for --users with samr by @Anhydrite in #345
• Add EnumAV Detection for Cortex XDR by @n00py in #344
• fix: little typo in help args by @aelmosalamy in #354
• Update pso.py by @bfnserra in #355
• Adding module to retrieve network interfaces info by @Sant0rryu in #293
• New SMB/WMI Module BitLocker by @termanix in #286
• Fix #332 - Add exception handling to prevent crashes against linux hosts by @NeffIsBack in #356
• Bug Fix While Using Bloodhound with --use-kcache Issue #363 by @termanix in #364
• Small Bug Fix on Listing SMB Shares with Kerberos Auth by @termanix in #357
• Fix mmcexec method thanks to @IppSec AND a lot of other small things by @mpgn in #361
• Remove message that could be too annoying by @NeffIsBack in #365
• Update enum_av Added Trellix EDR by @termanix in #371
• Fixed nla detection and error format string by @Kamuno in #372
• Fix ruff linting by @NeffIsBack in #375
• Add try&except block for DCERPCExceptions to fix #373 by @NeffIsBack in #376
• add new security-questions module by @Adamkadaban in #295
  • This queries the security questions for all local users, potentially containing passwords
• Update dploot to 2.7.4 in pyproject.toml by @zblurx in #384
• Update handlekatz.py pypykatz import by @3ldidi94 in #389
• Stop NetBiosTimeout and error producing large stack traces by @NeffIsBack in #387
• Fix check admin false positive on certain target (e.g Netapp) by @nikaiw in #378
• Fix admin check in mssql_priv by @NeffIsBack in #390
• Fix: module spider_plus with filtered folders by @glefait in #391
• Adding SCCM LDAP Reconnaissance to NetExec by @NeffIsBack in #386
  • Enumerate SCCM Site-Servers
  • Enumerate SCCM Sites
  • Enumerate SCCM Management Points and associate them with their respective SCCM Site
  • Enumerate all Users that might be related to the SCCM environment
  • Enumerate all Computers that might be related to the SCCM environment
  • Enumerate all Groups that might be related to the SCCM environment (also possible with recursive search)
• Fix spider_plus bug where len was applied to the count not an array by @NeffIsBack in #392
• Add module to lookup hostname of Hyper-V host - 'hyperv-host.py' by @joaovarelas in #374
• Add Unix availability to README.md by @NeffIsBack in #399
• ldap-checker.py false positive fixed by @cauan in #408
• ldap-checker.py Catch connection errors by @cauan in #409
• Updated github workflows by @NeffIsBack in #394
• Identify Pre-Created Computer Accounts by @Shad0wC0ntr0ller in #328
  • Identify Pre-Created Computer Accounts and save a ccache for each account if vulnerable. Based on the research of https://trustedsec.com/blog/diving-into-pre-created-computer-accounts
• Fix issues with kerberos and non NTLM domains by @NeffIsBack in #393
• Module wcc added some defender checks by @jubeaz in #306
• schtask_as Improvement - Options for custom task, file, and location. by @Kahvi-0 in #342
• Smbghost scanning module by @r4vanan in #407
• Make --version switch universal so help2man will work properly by @jsherwood0 in #417
• Encode delegate/impersonate user name string as utf8 unicode, not latin1 by @a-urth in #418
• Small cosmetic fix for ldap when using --no-smb by @NeffIsBack in #423
• Fix maq module if MAQ not set by @NeffIsBack in #422
• Add new SMB module to get the PowerShell history on all the users by @357384n in #341
• Fix file logging for display messages by @NeffIsBack in #406
• New Protocol NFS by @termanix in #366
  • Detect NFS Server
  • Enumerate Shares and their privileges
  • Recursive file enumeration with uid detection
  • Up- and Download Files
• Fix a bug with the databases when a new protocol is added by @NeffIsBack in #433
• Add file write check on smb by @tiyeuse in #404
• Fix pwned label when brute forcing with guest account enabled by @NeffIsBack in #434
• Improve test suite by @NeffIsBack in #435
• Increase plaintext&hash login speeds by @NeffIsBack in #411
• Add coerce_plus Module by @lodos2005 in #300
  • Combines the most popular coercion techniques into one module. Available techniques are:
  • DFSCoerce
  • PetitPotam
  • PrinterBug
  • ShadowCoerce
  • MSEven
• refactoring to fix InterfaceError of DB by @dazzgt in #400
• Small fixes for coerce_plus by @NeffIsBack in #442
• Updated the --get-file method to get large files from NFS shares by @ledrypotato in #440
• Fix module loading for ssh, vnc and ftp by @NeffIsBack in #447
• Fix windows and encoding stuff by @NeffIsBack in #446
• Release v1.3.0 by @NeffIsBack in #448

New Contributors

• @Anhydrite made their first contribution in #343
• @n00py made their first contribution in #344
• @aelmosalamy made their first contribution in #354
• @bfnserra made their first contribution in #355
• @Sant0rryu made their first contribution in #293
• @Kamuno made their first contribution in #372
• @3ldidi94 made their first contribution in #389
• @glefait made their first contribution in #391
• @joaovarelas made their first contribution in #374
• @cauan made their first contribution in #408
• @jubeaz made their first contribution in #306
• @r4vanan made their first contribution in #407
• @jsherwood0 made their first contribution in #417
• @a-urth made their first contribution in #418
• @357384n made their first contribution in #341
• @tiyeuse made their first contribution in #404
• @dazzgt made their first contribution in #400
• @ledrypotato made their first contribution in #440

Full Changelog: v1.2.0...v1.3.0

v1.2.0

What's Changed

• tests: improve output of e2e tests for errors by @Marshall-Hallenbeck in #120
• Ms17 010 error handling by @Marshall-Hallenbeck in #121
• fix(smb errors): getErrorString only returns one item, not a tuple by @Marshall-Hallenbeck in #119
• Add New Ldap Flag --active-users by @termanix in #128
  • Serves the same purpose as --users, but filters out deactivated accounts
• Fix bug in WCC module by @fpreynaud in #137
• Fix array index by @NeffIsBack in #140
• [winrm] better output by @XiaoliChan in #114
• Fix: iis module cmd exec quotes by @0xlazY in #146
• Modules enumeration ldap by @Syzik in #133
  • Added two modules for querying the attributes userPassword and unixUserPassword
  • These attributes are sometimes filled with cleartext passwords by 3rd party applications, also see https://swisskyrepo.github.io/InternalAllTheThings/active-directory/pwd-comments/
• Restructure how laps login works to fix login issues by @NeffIsBack in #141
• Remove domain DN from ldap query, fixes #144 by @NeffIsBack in #150
• Fixing binaries for RDP and WINRM by @NeffIsBack in #130
• Removing deprec… by @NeffIsBack in #132
• add argcomplete bash/zsh completion by @Adamkadaban in #148
  • When installed with pipx, netexec now supports autocomplete when pressing tab. See the wiki for the setup.
• Fixing module name check with windows backspace path by @NeffIsBack in #155
• Fix some issues in deps by @thiagokokada in #162
• Fix issue #134 with tempfile on windows by @NeffIsBack in #135
• Surpress any errors when using rdp and broken python version by @NeffIsBack in #139
• Fix usernames with empty spaces in ntds dump by @NeffIsBack in #153
• Hotfix: Allow broader version for argcomplete to fix macos installations by @NeffIsBack in #167
• [WCC] Make check names more explicit by @fpreynaud in #169
• nxcdb: refactor shared database/workspace setup code & allow for creation/setting of workspaces outside of nxcdb interactive console by @Marshall-Hallenbeck in #123
  • Add command --get-workspace/-gw
  • Add command --create-workspace/-cw
  • Add command --set-workspace/-sw
• Allow a single word as audit mode "character" by @NeffIsBack in #179
• Write without delete will now be displayed as write access by @NeffIsBack in #183
• Remove unnecessary remote ops check by @NeffIsBack in #185
• Add error handling for protocol level by @NeffIsBack in #176
• Update ntlmv1.py by @Dfte in #173
• Update impacket dependency to pull latest changes by @NeffIsBack in #187
• Fix audit_mode in ldap by @NeffIsBack in #186
• [Module] Enum ADCS Certificate Authority without creds. by @0xjbb in #160
• [winrm] say goodbye to SMB by @XiaoliChan in #172
  • No longer need SMB to gather NTLM info
• Update README.md by @Marshall-Hallenbeck in #193
• [lib] Improve ntlm_parser.py by @XiaoliChan in #191
• [MSSQL] Improvement by @XiaoliChan in #136
  • No more SMB needed (also remove --no-smb)
  • Fix no-output option in command execution
  • Improve the logic in mssqlexec.py
  • Add --mssql-timeout
  • Fix --use-kcache
• Update connection.py to force login by @mpgn in #190
• Remove pyreadline as it causes errors in nxcdb by @NeffIsBack in #171
• Update neo4j python driver by @NeffIsBack in #202
• Fix string escaping issues for Kali package, fix some logging, and allow for lsa and sam WinRM dumping by @Marshall-Hallenbeck in #204
• Extract obsolete operating systems from LDAP by @Shad0wC0ntr0ller in #41
• fix(wcc.py): properly escape for #200 by @Marshall-Hallenbeck in #206
• Create get_fgpp.py by @sebrink in #65
• [Module] printerbug by @lodos2005 in #163
• Revert #190 to enable null-auth without explicit specification by @NeffIsBack in #208
• Adding the fileNamePrefix which was introduced in bloodhound so files… by @NeffIsBack in #212
• Stop Netexec from adding null auth user to bloodhound by @NeffIsBack in #213
• Fix SMB users lookup and return last password set date by @Marshall-Hallenbeck in #214
• Fix: module names 8-10 chars being cut off by @Marshall-Hallenbeck in #220
• Update LDAP users lookup to match SMB by @Marshall-Hallenbeck in #215
• BloodHound & hash_spider fixes by @Marshall-Hallenbeck in #226
• [ldap-checker] Module fix by @zblurx in #216
• Fixing antivirus enumeration by @NeffIsBack in #218
  • add new AVs to enumerate
• Update LDAP active users lookup to match SMB by @termanix in #224
• Several LDAP improvements by @NeffIsBack in #152
• Module 'get-desc-users' Update - Marshall's #201 Issue Bug Fix by @termanix in #228
• Make loggedon-users unique to reduce spam and fix alignment by @NeffIsBack in #222
• Several ldap bug fixes by @NeffIsBack in #227
• Logging fixes (double logging & function caller obfuscation) by @Marshall-Hallenbeck in #229
• Logging in DEBUG mode: change normal output from DEBUG to INFO by @Marshall-Hallenbeck in #231
• rename MAQ.py to maq.py by @Marshall-Hallenbeck in #238
• Fix testing and linting by @NeffIsBack in #230
• Small QOL changes by @NeffIsBack in #240
• Winlogon Autologon module by @swisskyrepo in #236
• fix --users for LDAP proto by @zblurx in #235
• Neff qol the second by @NeffIsBack in #242
• Remove oscrypto and swap back to fortra/impacket by @NeffIsBack in #234
• --kerberoast Improvement by @Kahvi-0 in #126
• Add git commit to version command by @Marshall-Hallenbeck in #239
• Fix tmp PATH on windows for msol and scuffy by @NeffIsBack in #244
• Add missing packages to spec file, fixing ldap and pso module by @NeffIsBack in #247
• Add verbosity to dpapi, so the user knows if no secrets were found by @NeffIsBack in #246
• bugfixes: add-computer & nanodump modules by @Marshall-Hallenbeck in #237
• fixed one grammar error repeated in several files by @scottymiller9 in #251
• Fix ssh authentication with encrypted ssh file by @NeffIsBack in #254
• Update Slinky module by @Marshall-Hallenbeck in #255
• Fix "Too many open files" by @NeffIsBack in #257
• Fix computers enum by @zblurx in #259
• Update lsassy.py by @mpgn in #262
• Ldap active users bug fix by @termanix in #248
• ldap-checker: fix for Python 3.12 compatibility by @exploide in #270
• Fix ssh auth message by @NeffIsBack in #272
• fix mssql_priv by @sepauli in #277
• Fixing #263 by @NeffIsBack in #271
• Fix bug where modules would be the same object across protocols by @NeffIsBack in #250
• Updating dependencies by @neff...

v1.1.0

What's Changed

• Fix #48 tries to falsly add creds to bloodhound using --laps by @NeffIsBack in #49
• Bump urllib3 from 2.0.4 to 2.0.6 by @dependabot in #53
• Update enum_av.py by @bongobongoland in #58
• Create schtask.py by @Dfte in #54
  • Add the schtask module that can be used to impersonate loggedon users and run commands on their behalf.
• Add ascii art to cli by @NeffIsBack in #57
  • courtesy of @bongobongoland!
• [nanodump] fix error with temporary path by @XiaoliChan in #67
• Update dependencies (including impacket fork) for v1.1.0 by @Marshall-Hallenbeck in #30
• Bump urllib3 from 2.0.6 to 2.0.7 by @dependabot in #77
• mpgn is back 🎉 by @NeffIsBack in #80
• Update README.md by @mishrasamiksha in #83
• Enhancing the FTP protocol by @RomanRII in #40
  • Modified the --ls flag to allow for listing the current directory and sub-directories. Default now lists .. If an argument is provided, it will list the provided sub-directory
  • Added the --get flag to download a file on the server. If the file exists and is successfully downloaded, it will be written to the users cwd with the remote file's filename.
  • Added the --put flag to upload files onto the server.
  • Modified nxc/protocols/ftp/proto_args.py to reflect the added features
  • Modified the --ls flag to allow for a default directory listing (.) or use a provided directory
  • Added the --get and --put flags
  • Modified nxc/protocols/ftp.py#L83 to comply with RFC 1635
• Add module sorting by @NeffIsBack in #74
• [ssh] improvement by @XiaoliChan in #25
  • [ssh.py]: less create ssh connect, keep doing set credential via paramiko transport
  • [ssh.py]: rewrite enum_host_info function
  • [ssh.py]: fix hanging, old one will never exit
  • [ssh.py]: fix private key with passphrase
  • [ssh.py]: add sudo check for linux user
  • [ssh.py]: windows privileges check
  • [ssh.py]: improve command execute and format command execute result
  • [ssh.py]: paramiko always discovery private keys in ~/.ssh/, that will make paramiko exception, disable it.
• fix(dependencies): add bloodhound to netexec.spec, fixes #79 by @Marshall-Hallenbeck in #87
• Downgrade termcolor to prevent atty check which disables colors by @NeffIsBack in #86
• Cleanup & Lint Code by @Marshall-Hallenbeck in #35
  • Add Ruff configuration (version pinned due to discrepancies on GitHub runner versioning)
  • Create linter workflow to run Ruff on push & pull request
  • Remove encoding specification from files (unnecessary in Py3)
  • Update strings to be more descriptive, remove typos, and be properly capitalized
  • Change additionally remaining .format() and % old string interpolation to f-string usage (partially FLY)
  • Fix blank Except statements and unnecessary parenthesis in Excepts (partially RSE)
  • Update exception handling for some circumstances where another except was thrown, causing unnecessary output
  • Remove unused imports
  • Fix poorly and non-pythonic variable/function/class names
  • Fix additional single/double quote usage (Q)
  • Add docstrings to some functions and fix docstrings for others
  • Fix usages of mutable function defaults (see B006, mutable-argument-default in Ruff)
  • Properly inform user if file they specified doesn't exist for several modules
  • Fix usages of comprehension and list/dict initialization via Ruff (C4)
  • Remove unnecessary str-concat (ISC)
  • Fix unnecessary pass statements and unnecessary creation of additional variables before return (PIE)
  • Fix some pytest style (PT)
  • Fix return statements returning None (unnecessary) (RET)
  • Add --poetry option for e2e tests, so all commands are prepended with poetry run
  • Fix ftp class name (got changed to "Ftp" by accident)
  • Simplify lots of code (SIM)
  • Fix tests using a password file to properly reference said file (was missing data/)
  • Remove commented out code (ERA)
  • Import and call sys.exit() instead of just exit() (PL)
  • Fix some try except outside loops (PERF203); additional ones are ignored for now
  • Implement list and dict comprehension where possible and preferred (PERF401)
  • Fix some spaces before inline comments (E261)
  • Modernize some code via Refurb (FURB)
  • Fix bug in add-computer module where improper access was being requested, causing an exception
  • Fix bug in add-computer module where module was not exiting if the computer already exists
  • Add in e2e tests for several missing modules
• Add python version and OS info to debug output by @NeffIsBack in #89
• Update README.md - one grammatical error. by @ayushrakesh in #94
• Fix import error on windows by @NeffIsBack in #98
• fix typos in python files of directory nxc/modules by @shresthasurav in #97
• Implement s4u abuse by @zblurx in #50
  • This option will do a full S4U abuse (S4U2Self + S4U2Proxy) in an automated way, allowing to use all postex functionalities of NXC 🔥
• [connection.py] Improvement by @XiaoliChan in #63
  • connection.py: Add missing self.port in connection.py, in order to use connection.port when writing module.
  • connection.py and protocol: Redirect self.args.port to self.port
  • connection.py: improve ipv6 support, now add is_ipv6 is_link_local_ipv6 variables
  • connection.py: rewrite gethost_addinfo function, don't need try to detect ipv6 anymore, just use AF_UNSPEC instead AF_INET6, AF_INET
  • connection.py: IPv4 preferred when target is dual stack
• Improve bloodhound connector with Netbios domain name by @NeffIsBack in #88
• Set computer accounts as owned in bloodhound if local admin privs by @NeffIsBack in #90
• [winrm] Improvement by @XiaoliChan in #72
• Fix: update MS17-010 for Python3 properly; add debug logging by @Marshall-Hallenbeck in #108
• [winrm] disable logger & add miss port args by @XiaoliChan in #107
• Fix Kerberoasting for #104 by @Marshall-Hallenbeck in #111
• Improve module texts by @NeffIsBack in #109
• [ssh] fix #112 by @XiaoliChan in #113
• disable use of ssh_agent by @nikaiw in #106
• Adding error handling for unexpected powershell output, see issue #93 by @NeffIsBack in #115
• Netexec v1.1.0 by @NeffIsBack in #116

New Contributors

• @bongobongoland made their first contribution in #58
• @Dfte made their first contribution in #54
• @RomanRII made their first contribution in #40
• @nikaiw made their first contribution in #106

Full Changelog: v1.0.0...v1.1.0

v1.0.0

v1.0.0 Release

This release is mainly aimed at stability, to provide a solid baseline from which to work. Some minor and major bugs have been fixed, see below for details.
Version 1.1.0 is already in the works, with great new modules in the works as well as new features such as zblurx's delegation technique coming soon to NetExec.
Stay tuned!

Note: as always, the best way to install NetExec is by cloning the repo and running pipx install ., but we have provided binaries for Windows (!!!) and Ubuntu below!

What's Changed

• Update README by @NeffIsBack in #1
• Fix for allowing to test multiple users with one password by @NeffIsBack in #2
• Update README.md for NetExec rename by @Marshall-Hallenbeck in #11
• Add CODEOWNERS by @NeffIsBack in #13
• Fix CLI by @NeffIsBack in #16
• Make some text more precise by @NeffIsBack in #7
• [winrm] less ugly if condition by @XiaoliChan in #9
• [wmi] bug fix in 'check_admin' function by @XiaoliChan in #4
• Update LICENSE for NetExec by @Marshall-Hallenbeck in #12
• NetExec Rename by @Marshall-Hallenbeck in #19
• fix webdav module exception handler by @professor-hillman in #29
• Windows Build for NetExec by @Marshall-Hallenbeck in #26
• Update Github Build Actions for Releases by @Marshall-Hallenbeck in #27
• Fix encoding errors by @NeffIsBack in #32
• Fix #42, --dc-list crashes on ldap with logging enabled by @NeffIsBack in #43
• Add README text by @NeffIsBack in #24
• Create CODE_OF_CONDUCT.md by @NeffIsBack in #44
• Create CONTRIBUTING.md by @NeffIsBack in #45
• Finalize Native Builds by @Marshall-Hallenbeck in #52

New Contributors

• @professor-hillman made their first contribution in #29

Full Changelog: https://github.com/Pennyw0rth/NetExec/commits/v1.0.0