LinuxCommandLibrary

nxc-smb

performs SMB protocol operations for security testing

TLDR

Spray credentials against an entire subnet
$ nxc smb [192.168.1.0/24] -u [user] -p [password]
Enumerate shares and access levels
$ nxc smb [target] -u [user] -p [password] --shares
Enumerate domain users via SAMR
$ nxc smb [target] -u [user] -p [password] --users
Authenticate against the local SAM (not the domain)
$ nxc smb [target] -u [user] -p [password] --local-auth
Execute a cmd.exe command
$ nxc smb [target] -u [admin] -p [password] -x [whoami]
Execute a PowerShell command
$ nxc smb [target] -u [admin] -p [password] -X "[Get-Process]"
Pass the hash (NTLM)
$ nxc smb [target] -u [user] -H [NTLM_hash]
Dump the SAM hashes
$ nxc smb [target] -u [admin] -p [password] --sam
Run a NetExec module
$ nxc smb [target] -u [admin] -p [password] -M [spider_plus]

SYNOPSIS

nxc smb target [options]

DESCRIPTION

nxc smb performs SMB protocol operations for security testing. It is part of NetExec, the community-maintained successor to CrackMapExec. It enumerates shares, users, sessions, groups, and password policies; validates credentials across entire subnets; and can execute commands remotely through WMI, scheduled tasks, or named pipes.

PARAMETERS

-u USER
Username or username file (prefix with @ to read from file).
-p PASS
Password or password file.
-H HASH
NTLM hash (LM:NT or just NT).
-d, --domain DOMAIN
Authenticate against the given domain.
--local-auth
Authenticate locally (use the machine's SAM, skip domain lookup).
-x CMD
Execute CMD via cmd.exe.
-X CMD
Execute CMD via PowerShell.
--exec-method METHOD
Remote-execution technique: wmiexec, atexec, or smbexec.
--shares
Enumerate SMB shares and the current user's permissions on each.
--users
Enumerate domain users via SAMR.
--groups
Enumerate local or domain groups.
--sessions
List active SMB sessions on the target.
--loggedon-users
List users currently logged on to the target.
--pass-pol
Retrieve the effective password policy.
--sam
Dump the local SAM hash database (requires admin).
--lsa
Dump cached LSA secrets.
-M, --module NAME
Run a NetExec module (see nxc smb -L for the full list).

CAVEATS

For authorized security assessments only. Requires proper authorization.

SEE ALSO

nxc(1), smbclient(1)
