🛡️ Methodology Checklist

  • Open NXC DB: nxcdb
  • List workspaces: workspace
  • Switch workspace: workspace [NAME]
  • List hosts: hosts
  • List credentials: creds
  • List shares: shares
  • Run module against target: nxc smb [TARGET] -u [USER] -p [PASS] -M [MODULE]
  • List all modules: nxc smb --list-modules
  • Check module options: nxc smb -M [MODULE] --options

🎯 Operational Context

Use when: Persistent nxc data management is needed, to store and query hosts, credentials, and shares across sessions.

Think Dumber First: nxc smb [SUBNET]/24 automatically stores results in the nxc database. Then nxc smb [SUBNET]/24 -q queries stored results. nxc smb [SUBNET]/24 --creds lists all captured credentials. The database persists between sessions.

Skip when: One-off scan. The database is most useful for multi-session engagements.


⚡ Tactical Cheatsheet

| Command | Tactical Outcome |
|---|---|
| nxcdb | Open interactive NetExec database shell |
| nxcdb (default) > workspace create [PROJECT] | Create new workspace for assessment isolation |
| nxcdb (default) > workspace list | List all workspaces |
| nxcdb (default) > workspace [PROJECT] | Switch to existing workspace |
| nxcdb (default)(smb) > hosts | List all discovered hosts |
| nxcdb (default)(smb) > creds | List all captured credentials |
| nxcdb (default)(smb) > export creds detailed loot_creds.csv | Export all credentials to CSV |
| nxc smb [TARGET_IP] -id [CRED_ID] -x "whoami" | Use stored credential by DB ID |
| nxc smb [TARGET_IP] -u [USER] -p [PASS] -M [MODULE] | Run a module against target |
| nxc smb -L | List all available SMB modules |
| nxc ldap -L | List all available LDAP modules |
| nxc winrm [TARGET_IP] -u [USER] -p [PASS] | WinRM access check |
| nxc rdp [TARGET_IP] --nla-screenshot | RDP NLA screenshot |
| nxc ssh [TARGET_IP] -u [USER] -p [PASS] | SSH credential validation |
| rm ~/.nxc/workspaces/default/smb.db | Reset SMB database if corruption/bugs occur |

🔬 Deep Dive & Workflow

nxcdb Workflow

# Open database
nxcdb
 
# Create workspace per engagement
nxcdb (default) > workspace create CLIENT_2026
nxcdb (CLIENT_2026) >
 
# Switch workspace
nxcdb (default) > workspace CLIENT_2026
 
# View discovered hosts
nxcdb (CLIENT_2026)(smb) > hosts
 
# View all captured credentials
nxcdb (CLIENT_2026)(smb) > creds
 
# Export for reporting
nxcdb (CLIENT_2026)(smb) > export creds detailed /tmp/creds_export.csv
 
# Use credential by ID (avoids typing long passwords)
nxc smb [TARGET_IP] -id 3 -x "whoami /priv"

Audit Mode (Redact Passwords from Logs)

# Edit config to hide passwords in output (OPSEC/compliance)
nano ~/.nxc/nxc.conf
# Set: audit_mode = #
# → Replaces passwords with # in terminal output and logs
# → Credentials still stored in database

Module System

# List all modules for a protocol
nxc smb -L        # all SMB modules
nxc ldap -L       # all LDAP modules
nxc mssql -L      # all MSSQL modules
 
# Module info (options, description)
nxc smb -M [MODULE] --options
 
# Module execution with options
nxc smb [TARGET_IP] -u [USER] -p [PASS] -M [MODULE] -o KEY=VALUE

Protocol Support Overview

| Protocol | Port | Common Use |
|---|---|---|
| smb | 445 | Enum, exec, dump, spray |
| winrm | 5985/5986 | PowerShell remoting |
| rdp | 3389 | Screenshot, enable RDP, NLA check |
| ldap | 389/636 | AD queries, Kerberoast, ASREPRoast |
| mssql | 1433 | DB auth, xp_cmdshell, privesc |
| ssh | 22 | Credential validation, exec |
| ftp | 21 | Credential validation |
| vnc | 5900 | Credential validation |

Key Modules Reference

| Module | Protocol | Purpose |
|---|---|---|
| ms17-010 | smb | EternalBlue vulnerability check |
| zerologon | smb | ZeroLogon (CVE-2020-1472) check |
| petitpotam | smb | PetitPotam NTLM relay check |
| nopac | smb | noPAC vulnerability check |
| lsassy | smb | LSASS dump |
| procdump | smb | LSASS dump via ProcDump |
| spider_plus | smb | Recursive share indexer |
| slinky | smb | LNK file for NTLM coercion |
| drop-sc | smb | Search connector for NTLM coercion |
| rdp | smb | Enable/disable RDP |
| gpp_password | smb | GPP credential extraction |
| gpp_autologin | smb | GPO autologin credential extraction |
| keepass_discover | smb | Find KeePass databases |
| keepass_trigger | smb | Export KeePass DB via trigger |
| laps | ldap | Extract LAPS passwords |
| user-desc | ldap | Search user descriptions for creds |
| get-network | ldap | AD-integrated DNS enumeration |
| mssql_priv | mssql | MSSQL privilege escalation |
| empire_exec | smb | Deploy Empire agent |
| web_delivery | smb | Deploy MSF Meterpreter via PS web delivery |

Troubleshooting

# If NXC acts buggy (wrong results, errors):
rm ~/.nxc/workspaces/default/smb.db    # reset SMB database
# → Rebuild from scratch on next run
 
# FQDN requirement for LDAP/Kerberos:
echo "[DC_IP] [DC_FQDN]" >> /etc/hosts
# → Must use FQDN, not IP, for ldap/kerberos protocols
 
# If --users fails:
nxc smb [TARGET_IP] -u '' -p '' --rid-brute 2000   # fallback
 
# If lsassy fails (AV):
nxc smb [TARGET_IP] -u [USER] -p [PASS] -M procdump   # try procdump
# or manual: procdump.exe from SysInternals

🛠️ Troubleshooting & Edge Cases

| Problem | Cause | Fix |
|---|---|---|
| nxc database empty after scan | Default workspace not initialized | Check: nxcdb command; nxcdb workspace create [NAME]; verify current workspace |
| Cannot query stored creds | Database schema issue | Run: nxcdb creds; if error, database may need recreation: backup and nxcdb clear |
| Stored hosts not showing | Wrong workspace | List workspaces: nxcdb workspace list; switch: nxcdb workspace [NAME] |
| nxcdb command not found | Old netexec version | Update netexec; older versions use different database interface |
| Database corrupted after VPN drop | Incomplete write | Backup: cp ~/.nxc/workspaces/default/smb.db ~/smb.db.bak; re-run scan to repopulate |

📝 Reporting Trigger

Finding Title: NetExec Database Tracks All Compromised Credentials and Systems

Impact: Persistent nxc database maintains complete inventory of all discovered systems, captured credentials, and successful authentications across the engagement, providing actionable credential reuse mapping.

Root Cause: N/A (operational tool documentation).

Recommendation: Operators must use workspace isolation per engagement. Database contents represent sensitive client data: encrypt the nxc workspace directory. Securely delete all engagement data post-engagement per data handling procedures.
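
A local check for the two data-handling points this page makes: audit mode in nxc.conf and protection of the workspace databases. It is an added example, not part of NetExec or the original page; the function names and the constructed demo layout are assumptions, and it inspects file permissions only, which complements but does not replace encrypting the directory.

```shell
#!/bin/sh
# Added example: local hygiene check for a NetExec data directory (default ~/.nxc).

nxc_audit_mode_set() {
    # True when nxc.conf carries a non-empty audit_mode value, e.g. "audit_mode = #".
    grep -Eq '^[[:space:]]*audit_mode[[:space:]]*=[[:space:]]*[^[:space:]]' \
        "$1/nxc.conf" 2>/dev/null
}

nxc_exposed_paths() {
    # Print workspace directories and *.db files with any group/other permission bit.
    [ -d "$1/workspaces" ] || return 0
    find "$1/workspaces" \( -type d -o -name '*.db' \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null
}

nxc_hygiene_check() {
    # Print findings for one data directory; exit status 0 only when it is clean.
    dir=${1:-"$HOME/.nxc"}
    findings=0
    if ! nxc_audit_mode_set "$dir"; then
        echo "FINDING: audit_mode unset in $dir/nxc.conf; passwords show in output and logs"
        findings=1
    fi
    exposed=$(nxc_exposed_paths "$dir")
    if [ -n "$exposed" ]; then
        echo "FINDING: accessible to group/other (fix with chmod go-rwx):"
        printf '%s\n' "$exposed" | sed 's/^/  /'
        findings=1
    fi
    [ "$findings" -eq 0 ]
}

# Constructed demo layout (not real engagement data): empty audit_mode, loose smb.db.
demo=$(mktemp -d)
mkdir -p "$demo/workspaces/default"
printf 'audit_mode =\n' > "$demo/nxc.conf"
: > "$demo/workspaces/default/smb.db"
chmod 700 "$demo/workspaces" "$demo/workspaces/default"
chmod 644 "$demo/workspaces/default/smb.db"
nxc_hygiene_check "$demo" || true   # reports both findings
rm -rf "$demo"
```

Calling `nxc_hygiene_check` with no argument checks `~/.nxc`.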