NetExec
Request: Make --no-bruteforce default behavior
By default, when you supply NetExec with a username and password file, it will perform a "cluster bomb" attack, using every possible combination of username and password. While this may be desirable in some contexts, it's almost never what you would want to do in an Active Directory environment, as it would cause a high risk of account lockout.
I suggest that the default should be the "safer" option, which is the behavior of the --no-bruteforce option. If users wish to perform the more aggressive "cluster bomb" style attack, that should require an option.
Do you mean --no-bruteforce?
I think he meant swapping the default behavior from bruteforcing with --no-bruteforce to non-bruteforcing with a flag like --bruteforce.
We discussed it once a while ago and weren't sure if that would too many people, including making guides and tutorials etc. obsolete. But could be worth a try, had 1-2 heart attacks as well so far where I nearly brute forced domains instead of checking `usernames == passwords`.
I have no idea how I managed to put the wrong argument in there.
yes, I meant --no-bruteforce
Yeah, I see how this could break existing documentation, but as someone who has personally screwed this up once or twice, I think it's worth it. Or at least add a warning similar to the OPSEC ones.
Heh, we got rid of the opsec warning in #788
> I think he meant swapping the default behavior from bruteforcing with --no-bruteforce to non-bruteforcing with a flag like --bruteforce.
>
> We discussed it once a while ago and weren't sure if that would too many people, including making guides and tutorials etc. obsolete. But could be worth a try, had 1-2 heart attacks as well so far where I nearly brute forced domains instead of checking `usernames == passwords`.
👍
Should be secure by default yes
If we do this I think we should do a major release (v2.0) and do some other breaking changes (DB improvements, etc).
> If we do this I think we should do a major release (v2.0) and do some other breaking changes (DB improvements, etc).
for next release yes
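
The two modes compared in this thread, together with the kind of pre-run warning suggested above, as an added example that is not NetExec code. The function names, the sample lists and the threshold are constructed, and the paired mode is assumed to try entry i of the user list with entry i of the password list.

```python
from collections import Counter
from itertools import product

# Constructed sample input; "Alice" repeats "alice" with different casing.
USERS = ["alice", "bob", "svc_backup", "Alice"]
PASSWORDS = ["Example1!", "Example2!", "Example3!", "Example4!", "Example5!"]


def planned_attempts(users, passwords, bruteforce):
    """Return the (user, password) pairs a run would try in each mode."""
    if bruteforce:
        # "Cluster bomb": every user with every password.
        return list(product(users, passwords))
    # Paired mode: line i with line i. Assumption: extra lines in the
    # longer list are ignored (zip truncates); a real tool may differ.
    return list(zip(users, passwords))


def attempts_per_account(pairs):
    """Count planned attempts per account; AD account names ignore case."""
    return Counter(user.lower() for user, _ in pairs)


def lockout_warnings(users, passwords, bruteforce, lockout_threshold):
    """Accounts whose worst-case failed logons would reach the threshold.

    A threshold of 0 means the domain never locks accounts out.
    """
    if lockout_threshold <= 0:
        return {}
    counts = attempts_per_account(planned_attempts(users, passwords, bruteforce))
    return {user: n for user, n in counts.items() if n >= lockout_threshold}


if __name__ == "__main__":
    for mode in (True, False):
        risky = lockout_warnings(USERS, PASSWORDS, mode, lockout_threshold=5)
        label = "cluster bomb" if mode else "paired"
        print(f"{label}: {len(planned_attempts(USERS, PASSWORDS, mode))} "
              f"attempts, accounts at lockout risk: {risky or 'none'}")
```
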