Using Credentials
Using credentials with NetExec
Using Credentials
Every protocol supports using credentials in one form or another. For details on using credentials with a specific protocol, see the appropriate wiki section.
Generally speaking, to use credentials, you can run the following commands:
nxc <protocol> <target(s)> -u username -p passwordCode execution results in a (Pwn3d!) added after the login confirmation. With the SMB protocol, your compromised users are most likely in the local administrators group.
FTP
No check
SSH
root (otherwise specific message) β
WINRM
Code execution at least πΎ
LDAP
Path to domain admin π
SMB
Most likely local admin β
RDP
Code execution at least πΎ
VNC
Code execution at least πΎ
WMI
Most likely local admin β
Example:
nxc <protocol> <target(s)> -u username -p 'October2022!'nxc <protocol> <target(s)> -u='-username' -p='-October2022'Using a Credential Set From the Database
By specifying a credential ID (or multiple credential IDs) with the -id flag, nxc will automatically pull that credential from the back-end database and use it to authenticate (saves a lot of typing):
nxc <protocol> <target(s)> -id <cred ID(s)>Multi-Domain Environment
You can use nxc with mulitple domain environment
nxc <protocol> <target(s)> -u FILE -p passwordWhere FILE is a file with usernames in this format
DOMAIN1\user
DOMAIN2\userBrute Forcing & Password Spraying
All protocols support brute-forcing and password spraying. For details on brute-forcing/password spraying with a specific protocol, see the appropriate wiki section.
By specifying a file or multiple values nxc will automatically brute-force logins for all targets using the specified protocol:
Examples:
nxc <protocol> <target(s)> -u username1 -p password1 password2nxc <protocol> <target(s)> -u username1 username2 -p password1nxc <protocol> <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwordsnxc <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashesPassword Spraying Without Bruteforce
Can be useful for protocols like WinRM and MSSQL. This option avoids bruteforcing when you use files (-u file -p file).
nxc <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes --no-bruteforcenxc <protocol> <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords --no-bruteforceuser1 -> pass1
user2 -> pass2nxc <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes --no-bruteforce --continue-on-successThrottling Authentication Requests
Authentication throttling works on a per-host basis! Keep this in mind if you are spraying credentials against multiple hosts.
If there is a need to throttle authentications during brute forcing, you can use the jitter functionality. The length of the timeout (in seconds) between requests is randomly selected from an interval unless otherwise specified. If you want to hardcode the timeout, set the upper and lower bounds of the interval to the same value. The syntax is as follows:
nxc <protocol> <target> --jitter 3 -u ~/file_containing_usernames -p ~/file_containing_passwords
nxc <protocol> <target> --jitter 2-5 -u ~/file_containing_usernames -p ~/file_containing_passwords
nxc <protocol> <target> --jitter 4-4 -u ~/file_containing_usernames -p ~/file_containing_passwordsLast updated
Was this helpful?