SSH
Installation
Install NetExec.
Usage
netexec ssh [-h] [--version] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL] [--no-progress] [--log LOG] [--verbose | --debug] [-6] [--dns-server DNS_SERVER] [--dns-tcp]
[--dns-timeout DNS_TIMEOUT] [-u USERNAME [USERNAME ...]] [-p PASSWORD [PASSWORD ...]] [-id CRED_ID [CRED_ID ...]] [--ignore-pw-decoding] [--no-bruteforce] [--continue-on-success]
[--gfail-limit LIMIT] [--ufail-limit LIMIT] [--fail-limit LIMIT] [-k] [--use-kcache] [--aesKey AESKEY [AESKEY ...]] [--kdcHost KDCHOST] [--pfx-cert PFXCERT] [--pfx-base64 PFXB64]
[--pfx-pass PFXPASS] [--pem-cert PEMCERT] [--pem-key PEMKEY] [-M MODULE] [-o MODULE_OPTION [MODULE_OPTION ...]] [-L [LIST_MODULES]] [--options] [--key-file KEY_FILE] [--port PORT]
[--ssh-timeout SSH_TIMEOUT] [--sudo-check] [--sudo-check-method {sudo-stdin,mkfifo}] [--get-output-tries GET_OUTPUT_TRIES] [--put-file FILE FILE] [--get-file FILE FILE] [--codec CODEC]
[--no-output] [-x COMMAND]
target [target ...]Flags
positional arguments:
target the target IP(s), range(s), CIDR(s), hostname(s), FQDN(s), file(s) containing a list of targets, NMap XML or .Nessus file(s)
options:
-h, --help show this help message and exit
--key-file KEY_FILE Authenticate using the specified private key. Treats the password parameter as the key's passphrase.
--port PORT SSH port (default: 22)
--ssh-timeout SSH_TIMEOUT
SSH connection timeout (default: 15)
--sudo-check Check user privilege with sudo
--sudo-check-method {sudo-stdin,mkfifo}
method to do with sudo check (mkfifo is non-stable, probably you need to execute once again if it failed)' (default: sudo-stdin)
--get-output-tries GET_OUTPUT_TRIES
Number of times with sudo command tries to get results (default: 5)
Generic Options:
--version Display nxc version
-t, --threads THREADS
set how many concurrent threads to use (default: 256)
--timeout TIMEOUT max timeout in seconds of each thread
--jitter INTERVAL sets a random delay between each authentication
Output Options:
--no-progress do not displaying progress bar during scan
--log LOG export result into a custom file
--verbose enable verbose output
--debug enable debug level information
DNS:
-6 Enable force IPv6
--dns-server DNS_SERVER
Specify DNS server (default: Use hosts file & System DNS)
--dns-tcp Use TCP instead of UDP for DNS queries
--dns-timeout DNS_TIMEOUT
DNS query timeout in seconds (default: 3)
Authentication:
-u, --username USERNAME [USERNAME ...]
username(s) or file(s) containing usernames
-p, --password PASSWORD [PASSWORD ...]
password(s) or file(s) containing passwords
-id CRED_ID [CRED_ID ...]
database credential ID(s) to use for authentication
--ignore-pw-decoding Ignore non UTF-8 characters when decoding the password file
--no-bruteforce No spray when using file for username and password (user1 => password1, user2 => password2)
--continue-on-success
continues authentication attempts even after successes
--gfail-limit LIMIT max number of global failed login attempts
--ufail-limit LIMIT max number of failed login attempts per username
--fail-limit LIMIT max number of failed login attempts per host
Kerberos Authentication:
-k, --kerberos Use Kerberos authentication
--use-kcache Use Kerberos authentication from ccache file (KRB5CCNAME)
--aesKey AESKEY [AESKEY ...]
AES key to use for Kerberos Authentication (128 or 256 bits)
--kdcHost KDCHOST FQDN of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
Certificate Authentication:
--pfx-cert PFXCERT Use certificate authentication from pfx file .pfx
--pfx-base64 PFXB64 Use certificate authentication from pfx file encoded in base64
--pfx-pass PFXPASS Password of the pfx certificate
--pem-cert PEMCERT Use certificate authentication from PEM file
--pem-key PEMKEY Private key for the PEM format
Modules:
-M, --module MODULE module to use
-o MODULE_OPTION [MODULE_OPTION ...]
module options
-L, --list-modules [LIST_MODULES]
list available modules
--options display module options
File Operations:
--put-file FILE FILE Put a local file into remote target, ex: whoami.txt /tmp/whoami.txt
--get-file FILE FILE Get a remote file, ex: /tmp/whoami.txt whoami.txt
Command Execution:
--codec CODEC Set encoding used (codec) from the target's output. If errors are detected, run chcp.com at the target, map the result with https://docs.python.org/3/library/codecs.html#standard-
encodings and then execute again with --codec and the corresponding codec (default: utf-8)
--no-output do not retrieve command output
-x COMMAND execute the specified commandModules
LOW PRIVILEGE MODULES
CREDENTIAL_DUMPING
[*] aws-credentials Search for aws credentials files.Examples
Checking SSH availability
$ nxc ssh 100.96.36.115
SSH 100.96.36.115 22 100.96.36.115 [*] SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4Authentication with Password
$ nxc ssh 100.96.36.115 -u crypt0rr -p Welkom1234
SSH 100.96.36.115 22 100.96.36.115 [*] SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4
SSH 100.96.36.115 22 100.96.36.115 [+] crypt0rr:Welkom1234 - shell access!Password Spray SSH
$ nxc ssh 100.96.36.115 -u usernames.txt -p passwords.txt
SSH 100.96.36.115 22 100.96.36.115 [*] SSH-2.0-OpenSSH_8.4p1 Ubuntu-6ubuntu2.1
SSH 100.96.36.115 22 100.96.36.115 [-] 11111:admin Authentication failed.
SSH 100.96.36.115 22 100.96.36.115 [-] 11111:root Authentication failed.
SSH 100.96.36.115 22 100.96.36.115 [-] 11111:admin Authentication failed.
SSH 100.96.36.115 22 100.96.36.115 [-] 11111:root Authentication failed.
SSH 100.96.36.115 22 100.96.36.115 [-] 11111:Admin Authentication failed.
SSH 100.96.36.115 22 100.96.36.115 [-] 11111:Admin Authentication failed.
SSH 100.96.36.115 22 100.96.36.115 [-] 11111:x-admin Authentication failed.
[...]
SSH 100.96.36.115 22 100.96.36.115 [-] administrator:administrator Authentication failed.
SSH 100.96.36.115 22 100.96.36.115 [-] administrator:welkom1234 Authentication failed.
SSH 100.96.36.115 22 100.96.36.115 [+] administrator:x-admin