NetExec icon indicating copy to clipboard operation
NetExec copied to clipboard
verified publisher icon Pennyw0rth

New Module: ToolExec

Open KriyosArcane opened this issue 7 months ago • 1 comments

Description

ToolExec is a NetExec module that automates the process of transferring and executing post-exploitation tools on target systems. It supports multiple modes (enum, exploit, custom, and all) and is designed for fast, OPSEC-unsafe environments such as CTFs and competitive scenarios like CPTC.

The module supports:

  • Mode-based toolsets (enum, exploit, all)
  • Custom tool deployment from local paths, URLs, or built-in tool names
  • Automatic transfer path checks and overwrite logic
  • Support for .exe, .ps1, .bat, .cmd file execution

Tools are stored locally in:

~/.nxc/data/toolexec/

The default remote drop path is:

C:\Windows\Tasks\

This design helps streamline tool deployment across environments without needing manual tool retrieval, improving speed during lateral movement or enumeration phases. PingCastle is bundled but is also planned as a separate module for visibility and more features such as Full remote executiona and transfer of report.

Type of change

Please delete options that are not relevant.

  • [x] New feature (non-breaking change which adds functionality)

How Has This Been Tested?

Please describe the tests that you ran to verify your changes (e2e, single commands, etc) Please also list any relevant details for your test configuration, such as your locally running machine Python version & OS, as well as the target(s) you tested against, including software versions Tested against various HackTheBox boxes. Options were tested as single commands If you are using poetry, you can easily run tests via: poetry run python tests/e2e_tests.py -t $TARGET -u $USER -p $PASSWORD There are additional options like --errors to display ALL errors (some may not be failures), --poetry (output will include the poetry run prepended), --line-num $START-$END $SINGLE for only running a subset

Screenshots (if appropriate):

Screenshots are always nice to have and can give a visual representation of the change. If appropriate include before and after screenshot(s) to show which results are to be expected. 250213_16h40m53s_screenshot 250213_16h47m50s_screenshot 250213_16h46m48s_screenshot

Checklist:

  • [x] I have ran Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
  • [x] I have added or updated the tests/e2e_commands.txt file if necessary
  • [x] New and existing e2e tests pass locally with my changes
  • [x] My code follows the style guidelines of this project (should be covered by Ruff above)
  • [x] If reliant on third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • [x] I have performed a self-review of my own code
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [x] I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

KriyosArcane avatar May 07 '25 04:05 KriyosArcane

Fileless IEX in memory for PS1

KriyosArcane avatar Sep 28 '25 20:09 KriyosArcane