Using Kerberos
Using Kerberos
NetExec does support Kerberos authentication. There are two options:
- Using password/hash which automatically takes care of handling the TGT/ST
- Using an existing ticket by specifying the file via the
KRB5CCNAMEenvironment variable
$ nxc smb <target> -u <username> -p <password> -k
SMB <target> 445 ZORO [*] Windows 10.0 Build 14393 (name:ZORO) (domain:<domain>) (signing:False) (SMBv1:False)
SMB <target> 445 ZORO [+] <domain>\<username>
Or, using --use-kcache
$ export KRB5CCNAME=/home/user/impacket/administrator.ccache
$ nxc smb <target> --use-kcache
SMB <target> 445 ZORO [*] Windows 10.0 Build 14393 (name:ZORO) (domain:<domain>) (signing:False) (SMBv1:False)
SMB <target> 445 ZORO [+] <domain>\administrator (Pwn3d!)
$ nxc smb <target> --use-kcache -x whoami
SMB <target> 445 ZORO [*] Windows 10.0 Build 14393 (name:ZORO) (domain:<domain>) (signing:False) (SMBv1:False)
SMB <target> 445 ZORO [+] <domain>\administrator (Pwn3d!)
SMB <target> 445 ZORO [+] Executed command
SMB <target> 445 ZORO <domain>\administrator
$ export KRB5CCNAME=/home/user/impacket/user.ccache
$ nxc smb <target> --use-kcache -x whoami
SMB <target> 445 ZORO [*] Windows 10.0 Build 14393 (name:ZORO) (domain:<domain>) (signing:False) (SMBv1:False)
SMB <target> 445 ZORO [+] <domain>\<username>
Example with LDAP and option --kdcHost
nxc ldap <target> -k --kdcHost <dc-ip>
SMB <target> 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:<domain>) (signing:True) (SMBv1:False)
LDAP <target> 389 DC01 [+] <domain>\