
netexec (nxc)

Turn on logging

To log every nxc command and output to a file, find the nxc.conf file (in my Kali it was at /home/kali/.nxc/nxc.conf) and enable logging:

log_mode = True

Change the Pwn3d label

You can make that something more professional if you want - just edit the /home/kali/.nxc/nxc.conf file and change:

pwn3d_label = Compromised!

Find shares

nxc smb pcs.txt -u 'username' -p 'password' --shares

Cleaning up share list from log file

If you've turned on logging (see the top of this page), here's a way to grep out just the shares you have WRITE access to. This is helpful if you want to try and drop tricky farmer payloads.

grep -i write log_2024-08-24-22-17-32.log | awk '{print $9,$10}' | sort > shares-i-can-write-to.txt

Find hosts with/without SMB signing

nxc smb pcs.txt -u '' -p '' --gen-relay-list nosigning.txt

Find hosts with/without SMB signing (alternate way)

Save the output to a file, then grep it for anything where signing is set to False:

nxc smb pcs.txt -u '' -p '' > signingcheck.txt

If you want to get kind of fancy-pantsy you can take that grep to the next level by pulling out all hosts with SMB signing disabled and sorting by the host name:

cat signingcheck.txt | grep -i "signing:False" | awk '{print $0 " " $4}' | sort -k4,4 > no-signing-for-these-folks.txt
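An added example (not from the original page or the netexec project): a sturdier version of that filter, for building the list of hosts that still need SMB signing enforced. It keys on the banner's (name:...) and (signing:...) tokens instead of a fixed awk column, strips colour codes, and de-duplicates. The function names, hosts, addresses and the timestamp prefix in the sample are all constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: print "hostname,ip" for every host whose nxc smb banner
# reports signing:False. Reads the files given as arguments, or stdin.

# Constructed sample of saved nxc smb output (hosts and addresses are made up).
# Line 2 carries ANSI colour codes, line 3 has a made-up timestamp prefix that
# shifts the field positions, and line 4 is a duplicate of line 2.
sample_nxc_output() {
  printf 'SMB  10.0.0.5   445  DC01  [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)\n'
  printf '\033[1;34mSMB\033[0m  10.0.0.23  445  WS07  [*] Windows 10.0 Build 19041 x64 (name:WS07) (domain:corp.local) (signing:False) (SMBv1:False)\n'
  printf '2024-08-24 22:17:32 SMB  10.0.0.31  445  FS02  [*] Windows 10.0 Build 17763 x64 (name:FS02) (domain:corp.local) (signing:False) (SMBv1:True)\n'
  printf 'SMB  10.0.0.23  445  WS07  [*] Windows 10.0 Build 19041 x64 (name:WS07) (domain:corp.local) (signing:False) (SMBv1:False)\n'
}

unsigned_hosts() {
  esc=$(printf '\033')
  # 1) strip ANSI colour sequences so they cannot corrupt a field
  # 2) keep only banner lines that say signing:False (any letter case)
  # 3) take the first IPv4-looking field and the value inside (name:...)
  # 4) sort and de-duplicate
  sed "s/${esc}\[[0-9;]*m//g" "$@" |
  awk '
    tolower($0) ~ /\(signing:false\)/ {
      ip = ""; name = ""
      for (i = 1; i <= NF; i++)
        if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { ip = $i; break }
      if (match($0, /\(name:[^)]*\)/))
        name = substr($0, RSTART + 6, RLENGTH - 7)
      if (ip != "") print name "," ip
    }' | sort -u
}

# Demo on the constructed sample; on real output: unsigned_hosts signingcheck.txt
sample_nxc_output | unsigned_hosts
```

Because the match is on the banner tokens, the same function works on console output redirected to a file and on lines that carry an extra prefix.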

Find hosts running WebClient service

nxc smb dc1.domain.com -u lowpriv -p 'yerpassw0rd' -M webdav

Sort that log for just hostnames running WebClient

grep -i enabled webdav.log | awk '{print $9}' | sort | uniq

Sort that log for hostnames (and their IPs) running WebClient

grep -i enabled webdav.log | awk '{print $9 "," $7}' | sort | uniq