# Scan for Vulnerabilities ## Scan for Vulnerabilities When you start your internal pentest, these are the first modules you should try: #### ZeroLogon ```bash nxc smb -u '' -p '' -M zerologon ``` #### noPAC ```bash nxc smb -u 'user' -p 'pass' -M nopac ``` {% hint style="warning" %} You need a credential for noPAC vulnerability check. {% endhint %} #### PrintNightmare ```bash nxc smb -u '' -p '' -M printnightmare ``` #### SMBGhost ```bash nxc smb -u '' -p '' -M smbghost ``` #### MS17-010 (Not tested outside LAB environment) ```bash nxc smb -u '' -p '' -M ms17-010 ``` #### NTLM reflection (CVE-2025-33073) ```bash nxc smb -u 'user' -p 'pass' -M ntlm_reflection ``` {% hint style="warning" %} You need credentials for CVE-2025-33073 vulnerability check. {% endhint %} Or, try them all at once! Just list each one: `-M zerologon -M printnightmare` ## Scan for Coerce Vulnerabilities You can check for coerce vulnerabilities such as PetitPotam, DFSCoerce, PrinterBug, MSEven and ShadowCoerce using the coerce\_plus module. You can also use credentials to check for these vulnerabilities. By default the LISTENER ip will be set to localhost, so no traffic will appear on the network. ```bash nxc smb -u '' -p '' -M coerce_plus ``` If a vulnerability is found, you can set a LISTENER ip to coerce the connection. ```bash nxc smb -u '' -p '' -M coerce_plus -o LISTENER= ``` To run all exploit methods at once, add the ALWAYS=true option, otherwise it will stop if the underlying RPC connection reports a successful coercion. ```bash nxc smb -u '' -p '' -M coerce_plus -o LISTENER= ALWAYS=true ``` You can also check for a specific coerce method by specifying it: ```bash nxc smb -u '' -p '' -M coerce_plus -o METHOD=PetitPotam ``` {% hint style="success" %} Instead of using the `METHOD` option, you can use its short form `M`. Similarly, the argument `LISTENER` can be shortened to `L`. This also applies to the names of the vulnerabilities when specifying a method. M=p // Invalid, as both petitpotam and printerbug start with ā€˜pā€™ so modules gives error M=pr // Matches printerbug M=pe // Matches petitpotam M=dfs // Matches dfscoerce {% endhint %} Check out what other modules are available via `nxc -L` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.netexec.wiki/smb-protocol/scan-for-vulnerabilities.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.