search
NetExec GithubNetexec Lab
githubEdit

Scan for Vulnerabilities

Check if host is vulnerable

hashtag
Scan for Vulnerabilities

When you start your internal pentest, these are the first modules you should try:

hashtag
ZeroLogon

nxc smb <ip> -u '' -p '' -M zerologon

hashtag
noPAC

nxc smb <ip> -u 'user' -p 'pass' -M nopac
circle-exclamation

You need a credential for noPAC vulnerability check.

hashtag
PrintNightmare

nxc smb <ip> -u '' -p '' -M printnightmare

hashtag
SMBGhost

nxc smb <ip> -u '' -p '' -M smbghost

hashtag
MS17-010 (Not tested outside LAB environment)

nxc smb <ip> -u '' -p '' -M ms17-010

hashtag
NTLM reflection (CVE-2025-33073)

nxc smb <ip> -u 'user' -p 'pass' -M ntlm_reflection
circle-exclamation

You need credentials for CVE-2025-33073 vulnerability check.

Or, try them all at once! Just list each one: -M zerologon -M printnightmare

hashtag
Scan for Coerce Vulnerabilities

You can check for coerce vulnerabilities such as PetitPotam, DFSCoerce, PrinterBug, MSEven and ShadowCoerce using the coerce_plus module. You can also use credentials to check for these vulnerabilities. By default the LISTENER ip will be set to localhost, so no traffic will appear on the network.

If a vulnerability is found, you can set a LISTENER ip to coerce the connection.

To run all exploit methods at once, add the ALWAYS=true option, otherwise it will stop if the underlying RPC connection reports a successful coercion.

You can also check for a specific coerce method by specifying it:

circle-check

Instead of using the METHOD option, you can use its short form M. Similarly, the argument LISTENER can be shortened to L.

This also applies to the names of the vulnerabilities when specifying a method.

M=p // Invalid, as both petitpotam and printerbug start with ‘p’ so modules gives error

M=pr // Matches printerbug

M=pe // Matches petitpotam

M=dfs // Matches dfscoerce

Check out what other modules are available via nxc <protocol> -L

PreviousGenerate TGTNextEnumeration

Last updated

Was this helpful?