Using Credentials
Using credentials with NetExec
Every protocol supports using credentials in one form or another. For details on using credentials with a specific protocol, see the appropriate wiki section.
Generally speaking, to use credentials, you can run the following commands:
When code execution is possible, (Pwn3d!) is added after the login confirmation. With the SMB protocol, this most likely means your compromised users are in the local administrators group.
Protocol | See Pwn3d! in output |
---|---|
FTP | No check |
SSH | |
WINRM | |
LDAP | |
SMB | |
RDP | |
VNC | |
WMI | |
When using usernames or passwords that contain special symbols (especially exclamation points!), wrap them in single quotes so that your shell interprets them as a literal string.
Example:
Due to a bug in Python's argument parsing library, credentials beginning with a dash (-) will throw an "expected at least one argument" error message. To get around this, specify the credentials by using the 'long' argument format (note the = sign):
netexec <protocol> <target(s)> -u='-username' -p='-October2022'
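The parsing behaviour described above can be reproduced with Python's argparse alone. This is an added example, not NetExec's own code: the parser below, with -u and -p each taking one or more values, is an assumed stand-in, and the credential values are the placeholders used on this page.

```python
import argparse


class ParseFailure(Exception):
    """Raised instead of exiting so the error text can be inspected."""


class QuietParser(argparse.ArgumentParser):
    def error(self, message):
        # argparse normally prints usage and exits with status 2.
        raise ParseFailure(message)


def build_parser():
    # Assumed stand-in for a credential CLI: -u and -p accept one or more values.
    parser = QuietParser(prog="demo", add_help=False)
    parser.add_argument("-u", "--username", nargs="+", default=[])
    parser.add_argument("-p", "--password", nargs="+", default=[])
    return parser


def try_parse(argv):
    """Return (namespace, None) on success or (None, error_text) on failure."""
    try:
        return build_parser().parse_args(argv), None
    except ParseFailure as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Constructed argument vectors, as the shell would hand them to Python
    # after the single quotes have been removed.
    cases = [
        # Space-separated: the value starts with '-', so argparse classifies
        # it as another option and finds no value for -u.
        ["-u", "-username", "-p", "-October2022"],
        # '=' binds the value to the flag inside a single token.
        ["-u=-username", "-p=-October2022"],
        ["--username=-username", "--password=-October2022"],
    ]
    for argv in cases:
        ns, err = try_parse(argv)
        print(argv, "->", err if err else (ns.username, ns.password))
```

Shell quoting does not help in the first case, because the quotes are stripped before argparse sees the token; only the = form keeps the flag and its value together.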
Using a Credential Set From the Database
By specifying a credential ID (or multiple credential IDs) with the -id flag, nxc will automatically pull that credential from the back-end database and use it to authenticate (saves a lot of typing):
Multi-Domain Environment
You can use nxc in a multiple-domain environment
Where FILE is a file with usernames in this format
Brute Forcing & Password Spraying
All protocols support brute-forcing and password spraying. For details on brute-forcing/password spraying with a specific protocol, see the appropriate wiki section.
By specifying a file or multiple values, nxc will automatically brute-force logins for all targets using the specified protocol:
Examples:
Password Spraying Without Bruteforce
This can be useful for protocols like WinRM and MSSQL. This option avoids the brute force when you use files (-u file -p file).
By default nxc will exit after a successful login is found. Using the --continue-on-success flag will continue spraying even after a valid password is found. This is useful for spraying a single password against a large user list.