Skip to main content

netexec (nxc)

Turn on logging

To log every nxc command and output to a file, find the nxc.conf file (in my Kali it was at /home/kali/.nxc/nxc.conf) and enable logging:

log_mode = True

Change the Pwn3d label

You can make that something more professional if you want - just edit the /home/kali/.nxc/nxc.conf file and change:

pwn3d_label = Compromised!

Find shares

nxc smb pcs.txt -u 'username' -p 'password' --shares

Cleaning up share list from log file

If you've turned on logging (see top of this page) here's a way to grep out just the shares you have WRITE access to. This is helpful if you want to try and drop tricky farmer payloads.

grep -i write log_2024-08-24-22-17-32.log | awk '{print $9,$10}' | sort > shares-i-can-write-to.txt

Find hosts with/without SMB signing

nxc smb pcs.txt -u '' -p '' --gen-relay-list nosigning.txt

Find hosts with/without SMB signing (alternate way)

grep for anything where signing is set to false

nxc smb pcs.txt -u '' -p '' > signingcheck.txt

If you want to get kind of fancy-pantsy you can take that grep to the next level by pulling out all hosts with SMB signing disabled and sorting by the host name:

cat signingcheck.txt| grep -i "signing:False" | awk '{print $0 " " $4}' | sort -k4,4 > no-signing-for-these-folks.txt

Find hosts running WebClient service

nxc smb dc1.domain.com -u lowpriv -p 'yerpassw0rd' -M webdav

Take the log and extract hostnames and IPs for JUST hosts running WebClient:

note

Probably should move this to scripts dir at somepoint

import socket
import re

# Function to perform nslookup and return hostname or IP if lookup fails
def get_hostname(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return ip  # If no hostname is found, return the IP

# Prompt the user for the log file and the output CSV file
log_file = input("Enter the log file name (with extension): ")
output_file = input("Enter the output CSV file name (with .csv extension): ")

# Initialize list to store the results
output_list = []

# Regex pattern to match lines with "WebClient Service enabled" and extract the IP address
pattern = re.compile(r"WebClient Service enabled on: (\d+\.\d+\.\d+\.\d+)")

# Process the log file
with open(log_file, 'r') as file:
    for line in file:
        match = pattern.search(line)
        if match:
            ip = match.group(1)
            hostname = get_hostname(ip)
            output_list.append(f"{hostname},{ip},enabled")

# Sort the output by hostname
output_list.sort()

# Write the results to the output CSV file
with open(output_file, 'w') as file:
    for entry in output_list:
        file.write(f"{entry}\n")

print(f"Output written to {output_file}")
Last updated on