nxc
Execute commands on multiple remote hosts
TLDR
List available modules for the specified protocol
List the options available for the specified module
Specify an [o]ption for a module
View the options available for the specified protocol
SYNOPSIS
nxc <protocol> <target(s)> [OPTIONS]
PARAMETERS
<protocol>
Specifies the network protocol to use (e.g., smb, winrm, mssql, ldap, ssh, rdp, wmi).
<target(s)>
One or more target specifications: IP addresses, CIDR ranges, hostnames, or a file containing targets (e.g., -f targets.txt).
-u <USERNAME>, --username <USERNAME>
Username or a file containing a list of usernames for authentication.
-p <PASSWORD>, --password <PASSWORD>
Password or a file containing a list of passwords for authentication.
--hashes <LM:NT>
NTLM hashes for authentication (LM hash is optional).
-d <DOMAIN>, --domain <DOMAIN>
Specifies the domain name for authentication.
--local-auth
Authenticates against each target's local accounts instead of the domain.
--module <MODULE>
Specifies a module to load and execute against the targets. Use --list-modules to see available modules.
--list-modules
Lists all available nxc modules and their descriptions.
-x <COMMAND>, --exec-shell <COMMAND>
Execute an arbitrary command on the target system using the selected protocol's execution method.
--shares
Enumerate accessible SMB shares on the target(s).
--users
Enumerate domain users from the target(s).
--groups
Enumerate domain groups from the target(s).
-v, --verbose
Enable verbose output, providing more detailed information during execution.
--debug
Enable debug output, showing internal workings and errors for troubleshooting.
DESCRIPTION
nxc (NetExec, formerly CrackMapExec) is a comprehensive post-exploitation tool designed for penetration testers and red teamers. It automates the assessment and exploitation of large Windows Active Directory environments. nxc leverages various protocols like SMB, WinRM, MSSQL, LDAP, and SSH to discover active hosts, enumerate shares, identify vulnerable configurations, and facilitate lateral movement.
Its capabilities include credential dumping, executing commands, interacting with various services, and performing sophisticated attacks such as Pass-the-Hash, Pass-the-Ticket, and Kerberoasting. The tool is known for its modular design, allowing users to extend its functionality with custom modules. nxc aims to simplify and accelerate post-exploitation activities, making it an indispensable asset for evaluating the security posture of Windows networks. It's written in Python and is highly configurable.
CAVEATS
nxc requires Python 3 to run. It can be noisy on networks and potentially trigger alerts on security solutions (EDR/AV), depending on the techniques used. It is a powerful penetration testing tool and should only be used on systems with explicit authorization, as misuse is illegal. Its extensive functionality necessitates a good understanding of Windows networking and security concepts for effective and responsible usage.
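The noise mentioned above is largely one source authenticating to many hosts in a short time, and that is what defenders can key on. The following is an added example, not part of nxc or of the original page, that flags such fan-out in logon records; the record layout, sample events and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs): (time, source IP, target host, event ID).
# 4624 = successful logon, 4625 = failed logon; all are network logons (type 3).
SAMPLE_EVENTS = (
    # One source touching six hosts in six seconds: the multi-host pattern.
    [(f"2024-05-01T10:00:0{i}", "10.0.0.50", f"WS0{i}", 4625 if i % 3 else 4624)
     for i in range(1, 7)]
    # Admin jump host: five servers, but ten minutes apart.
    + [(f"2024-05-01T11:{10 * i:02d}:00", "10.0.0.7", f"SRV0{i}", 4624)
       for i in range(5)]
    # Repeated failures against a single host: brute force, not fan-out.
    + [(f"2024-05-01T12:00:0{i}", "10.0.0.9", "DC01", 4625) for i in range(8)]
)


def find_fanout(events, window=timedelta(seconds=60), min_hosts=5):
    """Flag sources that attempt network logons to >= min_hosts distinct
    hosts inside any sliding time window. Thresholds are assumptions to tune."""
    by_src = defaultdict(list)
    for ts, src, host, event_id in events:
        by_src[src].append((datetime.fromisoformat(ts), host, event_id))

    findings = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start, hosts_hit = 0, set()
        for end in range(len(attempts)):
            # Drop attempts that fell out of the window on the left.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = {host for _, host, _ in attempts[start:end + 1]}
            if len(in_window) >= min_hosts:
                hosts_hit |= in_window
        if hosts_hit:
            failures = sum(1 for _, _, eid in attempts if eid == 4625)
            findings[src] = {"hosts": sorted(hosts_hit), "failed_logons": failures}
    return findings


if __name__ == "__main__":
    for src, info in find_fanout(SAMPLE_EVENTS).items():
        print(src, info)
```

With the default 60-second window only the burst source is reported; widening the window to an hour also reports the jump host, which is why the thresholds need tuning against known administrative sources.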
MODULES
A core strength of nxc is its modular architecture. Users can leverage a vast array of built-in modules or develop custom ones to extend its capabilities. Modules enable diverse actions, including credential dumping, privilege escalation checks, specific vulnerability exploitation, and advanced enumeration, allowing for highly targeted post-exploitation activities.
PROTOCOL SUPPORT
Beyond its primary focus on SMB, nxc offers robust support for multiple network protocols. This includes WinRM, MSSQL, LDAP, SSH, RDP, and WMI. This broad protocol support allows nxc to interact with various services and systems, making it a versatile tool for comprehensive network assessments, not limited to traditional Windows file sharing.
INSTALLATION
nxc is not typically included in standard Linux distribution repositories. It is most commonly installed via Python's package installer, pip (e.g., pip install nxc), or by cloning its official GitHub repository and running the setup script. This allows users to easily get the latest version and contribute to its development.
HISTORY
nxc is the spiritual successor and rewritten version of the popular post-exploitation tool CrackMapExec (CME). CrackMapExec was initially developed by @byt3bl33d3r and quickly became a staple for Active Directory assessments. Over time, to address technical debt, improve performance, ensure better Python 3 compatibility, and enhance modularity, a community effort led to a major rewrite, culminating in NetExec (nxc). This rewrite builds upon CME's strong foundation, maintaining its core functionality while introducing significant improvements. nxc continues to be actively developed and is widely adopted by penetration testers for its efficiency in Windows network exploitation.
SEE ALSO
impacket(1), metasploit(1), bloodhound(1), enum4linux(1)