NetExec Wiki

156 pages
Welcome
Welcome NetExec NetExec (a.k.a nxc) is a network service exploitation tool that helps automate assessing the security of…
News
News…
v1.0.0 Release!
🕷️ v1.0.0 Release! The Release of Version 1.0.0! Hello everyone! \ Today will be our first release of NetExec version 1.…
v1.1.0 - nxc4u
🔧 v1.1.0 - nxc4u {% embed url="https://youtu.be/DB79HuYbemw" fullWidth="false" %} A new release of NetExec has been rele…
v1.2.0 - ItsAlwaysDNS
📡 v1.2.0 - ItsAlwaysDNS Hello everyone! It has been quite a while since the last release. We now have so many great feat…
v1.3.0 - NeedForSpeed
🏎️ v1.3.0 - NeedForSpeed Hello everyone! Recently, a lot of incredible Pull Requests have been submitted. Over 22 PRs in…
v1.4.0 - SmoothOperator
🧈 v1.4.0 - SmoothOperator Hello everyone! It has been almost half a year since the last release and a lot of new feature…
NetExec Lab
NetExec Lab With NetExec, you get more than just the tool, you get three complete labs built to accelerate your mastery …
Installation
Installation {% content-ref url="installation-on-unix.md" %} installation-on-unix.md {% endcontent-ref %} {% content-ref…
Installation for Unix
🐧 Installation for Unix Installing NetExec with pipx :saxophone: {% hint style="info" %} We do recommend to install rust…
Installation for Windows
🪟 Installation for Windows Using Python and pipx {% hint style="success" %} If Python is available it is recommended to …
Installation for Mac
🍎 Installation for Mac {% hint style="warning" %} For Mac, Homebrew and Rust are required for installation. If you can't…
Using Docker
🐋 Using Docker Installing Docker for Windows/Mac {% hint style="success" %} If Python is available it is recommended to …
Manually building the binary
🛠️ Manually building the binary {% hint style="warning" %} This process can vary from time to time as dependencies chang…
Post Installation Setup
➡️ Post Installation Setup Setting up Tab Completion Currently, we use argcomplete to automatically do tab completion th…
Selecting & Using a Protocol
Selecting & Using a Protocol Available Protocols smb ssh ldap ftp wmi winrm rdp vnc mssql nfs Note that not all prot…
Target Formats
Target Formats Target Formats Every protocol supports targets by CIDR notation(s), IP address(s), IP range(s), hostname(…
Using Credentials
Using Credentials Using Credentials Every protocol supports using credentials in one form or another. For details on usi…
Using Kerberos
Using Kerberos Using Kerberos NetExec does support Kerberos authentication. There are two options:  Using password/…
Using Certificates
Using Certificates nxc smb <target> --pfx-cert user.pfx -u <username> nxc smb <target> --pfx-cert user…
Using Modules
Using Modules Using Modules Viewing Available Modules for a Protocol Run nxc <protocol> -L to view available modul…
DNS options
DNS options There are several options that can be set to configure the DNS server that is used.\ Besides forcing NetExec…
Database General Usage
Database General Usage Database General Usage nxc automatically stores all used/dumped credentials (along with other inf…
BloodHound Integration
BloodHound Integration NetExec will set user as 'owned' on BloodHound when an account is found! Very useful when lsassy …
Audit Mode
Audit Mode Audit Mode is a configuration-based feature in NetExec that redacts credentials from console output. In the c…
Ignore OpSec Warnings
Ignore OpSec Warnings In the config file located at ~/.nxc/nxc.conf, there is an option to ignore the opsec warnings th…
Logging
Logging There are two ways to log results: Using the nxc.conf file Set "log_mode = True" This will log everything Using …
Generate hosts file
Generate hosts file If you are in a lab with no dns resolution you can use option --generate-hosts-file to generate a ho…
Generate krb5.conf file
Generate krb5.conf file netexec smb <target> -u <username> -p <password> --generate-krb5-file /path ex…
Generate TGT
Generate TGT netexec smb -u -p --generate-tgt /path export KRB5CCNAME=/path netexec smb -u -k --use-kcache…
Scan for Vulnerabilities
Scan for Vulnerabilities Scan for Vulnerabilities When you start your internal pentest, these are the first modules you …
Enumeration
Enumeration The following use cases assume you have a Kali Linux host connected to an internal network. For the examples…
Enumerate Hosts
Enumerate Hosts Map Network Hosts Returns a list of live hosts nxc smb <target> Expected Results: SMB 192.168.1.1…
Enumerate Null Sessions
Enumerate Null Sessions Check if Null Session, also known as Anonymous session, is enabled on the network. Can be very …
Enumerate Guest Logon
Enumerate Guest Logon Using a random username and password you can check if the target accepts guest logon. If so, it me…
Enumerate Hosts with SMB Signing Not Required
Enumerate Hosts with SMB Signing Not Required Maps the network of live hosts and saves a list of only the hosts that don…
Enumerate Active Windows Sessions
🆕 Enumerate Active Windows Sessions {% include "../../.gitbook/includes/admin-privs.md" %} When connecting to a Windows …
Enumerate Logged-On Users with the Remote Registry Service
🆕 Enumerate Logged-On Users with the Remote Registry Service This option uses the Remote Registry Service through the \\…
Enumerate Logged-On Users with the Workstation Service
Enumerate Logged-On Users with the Workstation Service {% include "../../.gitbook/includes/admin-privs.md" %} To enumera…
Enumerate Shares and Access
Enumerate Shares and Access Enumerate permissions on all shares nxc smb <target> -u <username> -p <passwo…
Enumerate Network Interfaces
🆕 Enumerate Network Interfaces {% include "../../.gitbook/includes/admin-privs.md" %} Enumerate network interfaces on a …
Enumerate NTLMv1
Enumerate NTLMv1 {% include "../../.gitbook/includes/admin-privs.md" %} Enumerate the LmCompatibilityLevel on the remote…
Enumerate Disks
Enumerate Disks Enumerate disks on the remote target nxc smb <target> -u <username> -p <password> --di…
Enumerate Bitlocker
Enumerate Bitlocker Enumerate BitLocker Status on the remote target nxc smb <ip> -u <username> -p <passwo…
Enumerate Domain Users
Enumerate Domain Users Enumerate domain users on the remote target nxc smb <target> -u <username> -p <pas…
Enumerate Users by Bruteforcing RID
Enumerate Users by Bruteforcing RID Enumerate users by bruteforcing the RID on the remote target nxc smb <target> …
Enumerate Domain Groups
Enumerate Domain Groups {% hint style="danger" %} This arg was moved to the LDAP protocol, see here . {% endhint %}…
Enumerate Local Groups
Enumerate Local Groups Enumerate local groups on the remote target nxc smb <target> -u <username> -p <pas…
Enumerate Domain Password Policy
Enumerate Domain Password Policy Using the option --pass-pol you can get the password policy of the domain nxc smb <t…
Enumerate Anti-Virus & EDR
Enumerate Anti-Virus & EDR You don't need to be a privileged user to do this action nxc smb <ip> -u <userna…
Enumerate remote processes
Enumerate remote processes One thing worth knowing when pentesting is whether or not a specific process is being run on…
Enumerate changed lockscreen executables
🆕 Enumerate changed lockscreen executables {% include "../../.gitbook/includes/admin-privs.md" %} Attackers can replace …
Enumerate Primary Site Server and Distribution Point via recon6
🆕 Enumerate Primary Site Server and Distribution Point via recon6 This module extracts information from Primary Site Ser…
Password Spraying
Password Spraying Using Username/Password Lists You can use multiple usernames or passwords by separating the names/pass…
Authentication
Authentication You can authenticate on the remote target using a domain account or a local user {% content-ref url="chec…
Checking Credentials (Domain)
Checking Credentials (Domain) Authentication Failed logins result in a [-] Successful logins result in a [+] Domain\User…
Checking credentials (Local)
Checking credentials (Local) User/Password/Hashes Adding --local-auth to any of the authentication commands with attempt…
Delegation
🆕 Delegation RBCD If you have an object with the msDS-AllowedToActOnBehalfOfOtherIdentity attribute set to an account yo…
Command Execution
Command Execution {% content-ref url="execute-remote-command/" %} execute-remote-command {% endcontent-ref %} {% content…
Executing Remote Commands
Executing Remote Commands Command Execution Executing commands on a windows system requires Administrator credentials. n…
Process Injection (pi module)
Process Injection (pi module) {% hint style="warning" %} You need at least local admin privilege on the remote target {%…
Getting Shells 101
Getting Shells 101 Getting Shells 101 We all love shells and that's why nxc makes it as easy as possible to get them! Th…
Spidering Shares
Spidering Shares Using Default Option --spider Options for spidering shares of remote systems. Example, Spider the C dri…
Get and Put Files
Get and Put Files Send a File to the Remote Target Send a local file to the remote target nxc smb <target> -u <…
Obtaining Credentials
Obtaining Credentials The following examples use a username and plaintext password, although user/hash combos work as we…
Dump SAM
Dump SAM Dump SAM hashes using methods from secretsdump.py {% hint style="warning" %} You need at least local admin priv…
Dump LSA
Dump LSA Dump LSA secrets using methods from secretsdump.py {% hint style="danger" %} Requires Domain Admin or Local Adm…
Dump NTDS.dit
Dump NTDS.dit Dump the NTDS.dit from target DC using methods from secretsdump.py {% hint style="danger" %} Requires Doma…
Dump LSASS
Dump LSASS {% hint style="warning" %} You need at least local admin privilege on the remote target, use option --local-a…
Dump DPAPI
Dump DPAPI You can dump DPAPI credentials with NetExec using the following option: --dpapi. It will get all secrets fr…
Dump with BackupOperator Priv
🆕 Dump with BackupOperator Priv {% hint style="success" %} You don't need local admin privilege on the remote target …
Dump SCCM
🆕 Dump SCCM Dump the SCCM from target using methods from dploot {% hint style="danger" %} Requires Domain Admin or Local…
Dump Token Broker Cache
🆕 Dump Token Broker Cache {% hint style="warning" %} You need at least local admin privilege on the remote target, use o…
Dump WIFI password
Dump WIFI password Get the WIFI password registered in Windows {% hint style="warning" %} You need at least local admin pr…
Dump KeePass
Dump KeePass You can check if KeePass is installed on the target computer and then steal the master password and decrypt…
Dump Veeam
Dump Veeam {% hint style="warning" %} You need at least local admin privilege on the remote target, use option --local-a…
Dump WinSCP
Dump WinSCP {% hint style="warning" %} You need at least local admin privilege on the remote target, use option --local-…
Dump PuTTY
🆕 Dump PuTTY {% hint style="warning" %} You need at least local admin privilege on the remote target, use option --local…
Dump VNC password from RealVNC or TightVNC
🆕 Dump VNC password from RealVNC or TightVNC {% hint style="warning" %} You need at least local admin privilege on the r…
Dump mRemoteNG
🆕 Dump mRemoteNG {% hint style="warning" %} You need at least local admin privilege on the remote target, use option --l…
Dump Notepad
🆕 Dump Notepad {% hint style="warning" %} You need at least local admin privilege on the remote target, use option --loc…
Dump Notepad++
🆕 Dump Notepad++ {% hint style="warning" %} You need at least local admin privilege on the remote target, use option --l…
Dump Remote Desktop Connection Manager
🆕 Dump Remote Desktop Connection Manager {% hint style="warning" %} You need at least local admin privilege on the remot…
Dump Event Log Creds(4688)
🆕 Dump Event Log Creds(4688) Parses Windows Event ID 4688 and Sysmon Logs {% hint style="warning" %} You need at least l…
Defeating LAPS
Defeating LAPS Using NetExec When LAPS Installed on the Domain If LAPS is used inside the domain, it can be hard to use …
Checking for Spooler & WebDav
Checking for Spooler & WebDav Checking if the Spooler Service is Running nxc smb <ip> -u <username> -p &…
Steal Microsoft Teams Cookies
Steal Microsoft Teams Cookies {% hint style="warning" %} You need at least local admin privilege on the remote target {%…
Impersonate logged-on Users
Impersonate logged-on Users {% hint style="warning" %} You need at least local admin privilege on the remote target {% e…
Change User Password
Change User Password If you encounter an account with a correct password but either STATUS_PASSWORD_MUST_CHANGE or STATU…
Modify Group
🆕 Modify Group If a user has privileges such as AddMember, AddSelf, etc. over a group, this module can add or remove use…
Dump User Local Security Questions
Dump User Local Security Questions {% hint style="warning" %} You need at least local admin privilege on the remote targ…
Authentication
Authentication LDAP Authentication Testing if an account exists without kerberos protocol nxc ldap <target> -u use…
Enumerate Users
Enumerate Users To enumerate all users via LDAP: nxc ldap <target> -u <username> -p <password> --users…
Enumerate Domain Groups
Enumerate Domain Groups Enumerate all groups in the Domain: nxc ldap <ip> -u <username> -p <password> …
Query LDAP
🆕 Query LDAP If you need to query raw ldap values you can use the query option together with filters. The returned value…
ASREPRoast
ASREPRoast {% hint style="success" %} You can retrieve the Kerberos 5 AS-REP etype 23 hash of users without Kerberos pre…
Find Domain SID
Find Domain SID You can find the domain SID using function --get-sid nxc ldap <dc-ip> -u <username> -p <p…
Kerberoasting
Kerberoasting You can retrieve the Kerberos 5 TGS-REP etype 23 hash using the Kerberoasting technique. The goal of Kerberoast…
Find Misconfigured Delegation
🆕 Find Misconfigured Delegation NetExec allows you to retrieve the list of all misconfigured delegations nxc ldap <ta…
Unconstrained Delegation
Unconstrained Delegation NetExec allows you to retrieve the list of all computers and users with the flag TRUSTED_FOR_DE…
Admin Count
Admin Count adminCount Indicates that a given object has had its ACLs changed to a more secure value by the system becau…
Machine Account Quota
Machine Account Quota This module retrieves the MachineAccountQuota domain-level attribute. It's useful to check this va…
Get User Descriptions
Get User Descriptions New LDAP module to look for password inside the user's description. nxc ldap <hostname> -u &…
Dump gMSA
Dump gMSA Using the protocol LDAP you can extract the password of a gMSA account if you have the right. {% hint style="w…
Pre2k Computer Account Abuse
Pre2k Computer Account Abuse Identifies pre-created computer accounts in Active Directory and attempts to obtain Kerbero…
Exploit ESC8 (ADCS)
Exploit ESC8 (ADCS) List All PKI Enrollment Servers nxc ldap <ip> -u <username> -p <password> -M adcs …
Extract Subnet
Extract Subnet nxc ldap <ip> -u <user> -p <pass> -M get-network nxc ldap <ip> -u <user> -p…
Check LDAP Signing
Check LDAP Signing {% hint style="danger" %} REMOVED: Checking for signing and channel binding is now done on the host e…
Read DACL Rights
Read DACL Rights LDAP module that reads and exports the DACLs of one or multiple objects! Read all the ACEs of…
Extract gMSA Secrets
Extract gMSA Secrets NetExec offers multiple choices when you find a gMSA account in the LSA nxc ldap <ip> -u <…
Bloodhound Ingestor
Bloodhound Ingestor NetExec has a built-in BloodHound collector. To configure the name server, dns timeout or to use tcp…
List DC IP / Enum Trust
🆕 List DC IP / Enum Trust The ldap --dc-list flag lists Domain Controllers and finds their IP addresses (if accessible). Also en…
Abuse Domain Trust: Raisechild
🆕 Abuse Domain Trust: Raisechild Abuses an intra-forest transitive trust (child ↔ parent) to forge a Golden Ticket conta…
Enumerate Domain Trusts
Enumerate Domain Trusts {% hint style="warning" %} Moved to `--dc-list` argument {% endhint %}…
Enumerate SCCM
🆕 Enumerate SCCM System Center Configuration Manager (SCCM), nowadays also called MECM, is a management infrastructure …
Enumerate Entra ID
🆕 Enumerate Entra ID If Entra ID is deployed in Active Directory with cloud sync active, the MSOL account is a high valu…
Dump PSO
🆕 Dump PSO Dump PSO (Fine-Grained Password Policies (FGPPs) or Password Settings Objects (PSOs)) netexec ldap <ip>…
Enumerate scriptPath
🆕 Enumerate scriptPath LDAP module to enumerate the scriptPath attribute of Active Directory users. nxc ldap <hostnam…
Enumerate Unsecure DNS Zones
🆕 Enumerate Unsecure DNS Zones This module enumerates DNS zones that are configured with the Nonsecure and secure settin…
Password spraying
Password spraying Password spraying (without bruteforce) nxc winrm <target> -u userfile -p passwordfile --no-brute…
Authentication
Authentication WinRM Authentication Testing credentials nxc winrm <target> -u <username> -p <password>…
Command execution
Command execution Execute Command using WinRM nxc winrm <target> -u <username> -p <password> -X whoami…
Defeating LAPS
Defeating LAPS Using NetExec when LAPS installed on the domain If LAPS is used inside the domain, it can be hard to use …
Obtaining Credentials
Obtaining Credentials The following examples use a username and plaintext password, although user/hash combos work as we…
Dump SAM
Dump SAM Dump SAM hashes Extracts and downloads SAM registry hive, and uses secretsdump.py methods locally to dump hashe…
Dump LSA
Dump LSA Dump LSA secrets Extracts and downloads SECURITY registry hive, and uses secretsdump.py methods locally to dump…
Dump DPAPI
🆕 Dump DPAPI You can dump Credential Manager secrets for the connecting user with the following option: --dpapi . No Adm…
Enumeration
Enumeration This section lists the enumeration techniques for the MSSQL protocol {% content-ref url="enumerating-e…
Enumerating encryption settings
🆕 Enumerating encryption settings By default, MSSQL databases do not enforce TLS encryption, which makes eavesdropping possi…
Enumerating Channel Binding configuration
🆕 Enumerating Channel Binding configuration Having a valid account, it is possible to check whether CBT is required are …
Password spraying
Password spraying Password spraying (without bruteforce) nxc mssql <target> -u userfile -p passwordfile --no-brute…
Authentication
Authentication Testing credentials You can use two methods to authenticate to MSSQL: windows or local (default: windows …
MSSQL Privesc
MSSQL Privesc Normal Authentication nxc mssql <ip> -u <username> -p <password> MSSQL <ip> 1433 F…
MSSQL command
MSSQL command Execute MSSQL commands nxc mssql <target> -u <username> -p '<password>' --local-…
MSSQL upload/download
MSSQL upload/download Download / Upload MSSQL file nxc mssql <target> -u <username> -p '<password>…
Windows command
Windows command Execute Windows Command This option uses xp_cmdshell to execute a command on the remote host. nxc mssql <ta…
Enumerate Users by Bruteforcing RID
🆕 Enumerate Users by Bruteforcing RID Enumerate users by bruteforcing the RID on the remote target nxc mssql <target&…
MSSQL Linked Servers
MSSQL Linked Servers MSSQL linked servers allow a database instance to establish a trusted connection to another databas…
Password spraying
Password spraying Password spraying (without bruteforce) nxc ssh <target> -u userfile -p passwordfile --no-brutefo…
Authentication
Authentication Testing credentials nxc ssh <target> -u <username> -p <password> Expected Results: SSH …
Command execution
Command execution Execute Command This command is useless nxc ssh <target> -u <username> -p <password>…
Get and Put Files
Get and Put Files Send a File to the Remote Target Send a local file to the remote target nxc ssh <target> -u <…
Password spraying
Password spraying Password spraying (without bruteforce) nxc ftp <target> -u userfile -p passwordfile --no-brutefo…
File Listing, etc
🆕 File Listing, etc Listing Files Do directory listings on valid authentication by using the --ls option: nxc ftp <ta…
File Upload & Download
🆕 File Upload & Download List Files in a Directory List files in a specific directory using FTP. nxc ftp <target&…
Password spraying
Password spraying Password spraying nxc rdp <target> -u <username> -p <password> nxc rdp <target>…
Screenshot (connected)
Screenshot (connected) Using the protocol, you can take an RDP screenshot! nxc rdp <ip> -u <user> -p <pas…
Screenshot without NLA (not connected)
Screenshot without NLA (not connected) You can perform a screenshot of the login page of the remote host using RDP with …
Command Execution
🆕 Command Execution {% hint style="info" %} This functionality is still in beta testing and was added in 2025 {% endhint…
Password spraying
Password spraying Password spraying nxc wmi <target> -u userfile -p passwordfile By default, nxc will exit after a…
Authentication
Authentication Testing credentials You can use two methods to authenticate to the WMI: windows or local (default: window…
Command execution
Command execution Execute Command using WMI nxc wmi <target> -u <username> -p <password> -x whoami…
Enumeration
🆕 Enumeration Enumerate NFS Servers Detect remote NFS server, enumerate available versions and check for the root escape…
Download and Upload Files
Download and Upload Files {% hint style="info" %} For both --get-file and --put-file you need to specify the export shar…
Escape to root file system
🆕 Escape to root file system By default, NFS exports do not restrict access to files outside the exported directory. To …
Authentication
Authentication VNC Authentication Testing credentials Some VNC servers do not require a username. In such cases, the use…