Skip to content

Usage Guide

Jump to bottom
Johnny Watts (aka., "Kaotick Jay") edited this page Jun 25, 2025 · 3 revisions

πŸ“˜ Usage Guide

This section provides a comprehensive walkthrough of using NetSentinel’s core features, including stealth scanning, SMB enumeration, Kerberos/LDAP reconnaissance, and structured output export. These operations are modular and can be combined for full-scope internal reconnaissance.

πŸ›°οΈ Recon Modes

NetSentinel supports two primary scanning modes designed for different levels of operational security.

πŸ”Ή Stealth Mode (Default)

Use when minimizing noise on the wire is critical. This mode leverages:

  • ARP-based host discovery on the local subnet
  • Selective TCP port scanning (configurable via utils/ports.json)
  • Optional reverse DNS resolution via --resolve-hostnames 
python3 main.py --target 10.0.0.0/24

Optional hostname resolution:

python3 main.py --target 10.0.0.0/24 --resolve-hostnames

πŸ”Έ Full Mode (Planned/Placeholder)

A placeholder for a future scan engine that may support:

  • Full TCP/UDP scan ranges
  • Service fingerprinting
  • SMB and Kerberos integration across broader scopes

Currently behaves the same as stealth, but support is scaffolded into --scan-type full for future implementation.

πŸ“‚ SMB Enumeration

NetSentinel performs anonymous SMB share enumeration against discovered hosts that have TCP port 445 open.

πŸ” What It Does:

  • Uses impacket to attempt null (anonymous) SMB session negotiation
  • Enumerates open shares (e.g., \\host\C$, \\host\IPC$, \\host\Public)
  • Optionally logs each share with permissions if discoverable

βš™οΈ Command Example:

python3 main.py --target 10.0.0.0/24 --smb-enum

🧠 OPSEC Consideration:

  • SMB enumeration is typically safe on internal Windows networks
  • Most corporate hosts allow null SMB connections to IPC$ by default
  • Still, beware of triggering authentication logs if unauthenticated access is denied

πŸ” Kerberos & LDAP Scanning

NetSentinel supports Kerberos enumeration to identify:

  1. SPNs (Service Principal Names) for Kerberoasting
  2. AS-REP Roastable Accounts (accounts not requiring pre-authentication)

LDAP integration is also used to enumerate users and services where necessary.

πŸ”‘ Required Configuration

Either use environment variables:

export NETSENTINEL_DOMAIN=corp.local
export NETSENTINEL_USER=lowpriv
export NETSENTINEL_PASS='Spring2025!'
export NETSENTINEL_DC=10.0.0.5

Or set the values in config.json.

πŸ”§ Execution:

python3 main.py --target 10.0.0.0/24 --kerberos-scan

🧬 What It Finds:

  • SPN Accounts (e.g., SQLSvc/srv.corp.local)
  • AS-REP Accounts (users without DONT_REQ_PREAUTH)
  • Optional LDAP queries if implemented or extended

🧠 OPSEC Notes:

  • SPN enumeration is passive unless tickets are requested
  • AS-REP detection sends TGT requests without pre-auth β€” may log in event 4771
  • Always use known-good credentials and verify with the client

πŸ” SMB Password Spraying

NetSentinel supports password spraying against SMB services using supplied username and password lists.

βš™οΈ Command Example:

python3 main.py --target 10.0.0.0/24 --user-list users.txt --password-list passwords.txt --password-spray

πŸ“¦ Output Format & JSON Export

NetSentinel can output structured JSON files capturing all discovered assets, services, and enumeration results.

πŸ”§ Command Example:

python3 main.py --target 10.0.0.0/24 --smb-enum --kerberos-scan --export-json results.json

πŸ—‚οΈ Output Structure

{
  "target": "10.0.0.5",
  "hostname": "DC01",
  "ports": [
    {"port": 445, "status": "Open", "banner": "Microsoft SMB"},
    {"port": 88, "status": "Open", "banner": "Kerberos"}
  ],
  "smb_shares": [
    "IPC$",
    "C$",
    "Public"
  ],
  "kerberos_info": {
    "spns": [
      "svc_sql/corp-sql01.corp.local"
    ],
    "asrep": [
      "jdoe@corp.local"
    ]
  },
  "password_spray_successes": [
    ["admin", "Password123"]
  ],
  "password_spray_failures": [
    ["user1", "Passw0rd!"]
  ],
  "scan_time": "2025-06-25T00:00:00"
}

πŸ“Œ JSON Sections

  • target: Target IP or hostname scanned

  • hostname: Resolved hostname if available

  • ports: List of open ports with optional banners

  • smb_shares: SMB shares found on the target

  • kerberos_info: Contains:

    • spns: Service Principal Names identified for Kerberoasting
    • asrep: Users vulnerable to AS-REP roasting

  • password_spray_successes: List of successful username/password combos found

  • password_spray_failures: List of failed login attempts

  • scan_time: ISO 8601 timestamp of when scan was run

πŸ›  Usage Summary

Flag Function
--target Subnet or IP range (CIDR)
--resolve-hostnames Reverse DNS on live IPs
--scan-type stealth or full (default: stealth)
--smb-enum Anonymous SMB share discovery
--kerberos-scan SPN & AS-REP detection (AD credentials needed)
--user-list File with usernames for password spraying
--password-list File with passwords for password spraying
--password-spray Enable SMB password spraying
--html-report Output path for HTML report
--export-json Output path for JSON report
--debug Enable debug logging

This completes the NetSentinel usage guide. For any questions or issues, consult the GitHub repository or contact the development team.

Clone this wiki locally