LinuxCommandLibrary

nxc-smb

Brute-force SMB authentication credentials

TLDR

Search for valid domain credentials by trying out every combination in the specified lists of usernames and passwords

$ nxc smb [192.168.178.2] [[-u|--username]] [path/to/usernames.txt] [[-p|--password]] [path/to/passwords.txt]

Search for valid credentials for local accounts instead of domain accounts
$ nxc smb [192.168.178.2] [[-u|--username]] [path/to/usernames.txt] [[-p|--password]] [path/to/passwords.txt] --local-auth

Enumerate SMB shares and the specified users' access rights to them on the target hosts
$ nxc smb [192.168.178.0/24] [[-u|--username]] [username] [[-p|--password]] [password] --shares

Enumerate network interfaces on the target hosts, performing authentication via pass-the-hash
$ nxc smb [192.168.178.30-45] [[-u|--username]] [username] [[-H|--hash]] [NTLM_hash] --interfaces

Scan the target hosts for common vulnerabilities
$ nxc smb [path/to/target_list.txt] [[-u|--username]] '' [[-p|--password]] '' [[-M|--module]] zerologon [[-M|--module]] petitpotam

Attempt to execute a command on the target hosts
$ nxc smb [192.168.178.2] [[-u|--username]] [username] [[-p|--password]] [password] -x [command]

SYNOPSIS

nxc smb <target> [authentication_options] [module_or_enumeration_options] [general_options]

Examples:
nxc smb 192.168.1.0/24 -u user -p pass --shares
nxc smb 10.0.0.5 -u Administrator -H AABBCCDDEEFF00112233445566778899 --module secretsdump
nxc smb @targets.txt --local-auth --exec-method smbexec -x "whoami"

PARAMETERS

<target>
    The target host(s). Can be an IP address, CIDR range (e.g., 192.168.1.0/24), IP range (e.g., 192.168.1.1-254), or a file containing a list of targets (e.g., @targets.txt).

-u <USERNAME>, --username <USERNAME>
    Username(s) to authenticate with. Can be a single user or a comma-separated list.

-p <PASSWORD>, --password <PASSWORD>
    Password(s) for authentication. Can be a single password or a comma-separated list.

-H <HASH>, --hash <HASH>
    NTLM hash(es) for pass-the-hash authentication.

--local-auth
    Attempt authentication as a local user account on the target system.

-M <MODULE>, --module <MODULE>
    Run a specific module against the target(s). Use nxc smb --list-modules to see available modules.

-o <OPTIONS>, --options <OPTIONS>
    Provide specific options for a selected module. Format is KEY=VALUE,KEY2=VALUE2.

--shares
    Enumerate accessible SMB shares and their permissions.

--users
    Enumerate users via SAMR (Security Account Manager Remote protocol).

--sessions
    Enumerate active sessions on the target system.

--loggedon-users
    Enumerate users currently logged on to the target system via NetWkstaUserEnum.

--pass-pol
    Retrieve the password policy of the target system.

--exec-method <METHOD>
    Specify the command execution method (e.g., psexec, wmi, smbexec).

-x <COMMAND>, --exec <COMMAND>
    Execute a specified command on the target system using the chosen execution method.

--no-pass
    Attempt authentication with a blank password.

--continue-on-success
    Do not stop after finding valid credentials for a target. Continue trying other credentials/modules.

DESCRIPTION

nxc-smb refers to the Server Message Block (SMB) protocol module within the NetExec (nxc) framework. NetExec, a successor to CrackMapExec (CME), is a versatile post-exploitation tool designed for network enumeration and exploitation, primarily targeting Windows environments over various protocols.

The nxc smb module allows penetration testers and security professionals to interact with SMB services on remote hosts. Its capabilities include, but are not limited to, enumerating accessible shares, users, sessions, and group memberships; dumping password hashes (e.g., LAPS); executing commands remotely via methods like PsExec, WMI, or SmbExec; and performing credential attacks such as pass-the-hash or credential spraying.

It provides a streamlined way to automate many common post-exploitation tasks, making it highly effective for lateral movement and privilege escalation on Windows networks. Users can specify target hosts, provide credentials (usernames, passwords, NTLM hashes), and select various built-in modules or custom scripts to perform specific actions against SMB services.

CAVEATS

nxc-smb is a powerful tool designed for legitimate penetration testing and ethical hacking. Unauthorized use against systems you do not have explicit permission to test is illegal and unethical. It can generate significant network traffic, potentially triggering Intrusion Detection/Prevention Systems (IDS/IPS) and creating logs. Some features might require elevated privileges on the attacking machine, and success is dependent on the target's network configuration and security posture.
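
The caveat above notes that credential guessing over SMB creates logs. As an added example (not part of the original page or of the NetExec project), this Python detector flags source addresses whose failed network logons reach a count or distinct-account threshold inside a time window, and lists accounts that logged on from that address afterwards. The record field names, thresholds and sample events are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Field names are assumptions for
# this example; 4625/4624 are the Windows failed/successful logon event IDs and
# logon type 3 is a network logon, which is what SMB authentication produces.
def _ev(clock, event_id, user, ip, logon_type=3):
    return {"time": f"2024-05-01T{clock}", "id": event_id,
            "logon_type": logon_type, "user": user, "ip": ip}

SAMPLE_EVENTS = [
    _ev("10:00:01", 4625, "alice", "10.0.0.50"),
    _ev("10:00:02", 4625, "bob", "10.0.0.50"),
    _ev("10:00:03", 4625, "carol", "10.0.0.50"),
    _ev("10:00:05", 4624, "bob", "10.0.0.50"),    # a guess succeeded
    _ev("10:00:06", 4625, "carol", "10.0.0.50"),
    _ev("10:12:30", 4625, "erin", "10.0.0.7"),    # ordinary typo, then success
    _ev("10:12:41", 4624, "erin", "10.0.0.7"),
    _ev("10:20:00", 4625, "dave", "10.0.0.9", logon_type=2),  # console logon
]

def detect_smb_guessing(events, window=timedelta(minutes=5),
                        min_failures=5, min_users=3):
    """Flag IPs whose failed network logons in `window` hit either threshold."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] != 3:  # ignore interactive, service, etc.
            continue
        stamp = (datetime.fromisoformat(e["time"]), e["user"])
        if e["id"] == 4625:
            failures[e["ip"]].append(stamp)
        elif e["id"] == 4624:
            successes[e["ip"]].append(stamp)
    findings = []
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            burst = fails[start:end + 1]
            if len(burst) >= min_failures or len({u for _, u in burst}) >= min_users:
                hits = {u for t, u in successes[ip] if t >= burst[0][0]}
                findings.append({"ip": ip, "failures": len(fails),
                                 "users": sorted({u for _, u in fails}),
                                 "logged_on_after": sorted(hits)})
                break
    return findings
```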

INSTALLATION

NetExec can typically be installed using pipx, which manages applications in isolated environments:
pipx install nxc
Alternatively, it might be available through your Linux distribution's package manager or can be installed directly from its GitHub repository.

MODULE SYSTEM

A core strength of nxc-smb (and nxc in general) is its modular design. Users can load and execute various Python scripts (modules) to perform specific tasks. These modules range from information gathering (e.g., enumerating LAPS passwords) to highly targeted exploits or post-exploitation activities. New modules can be easily created and integrated, extending the tool's capabilities. Use nxc smb --list-modules to see all available SMB modules.

HISTORY

NetExec (nxc) emerged as a spiritual successor and active fork of the popular CrackMapExec (CME) framework, originally developed by byt3bl33d3r. As CME's development slowed, a need arose for continued maintenance and feature expansion within the community. nxc aims to provide a robust, up-to-date, and actively maintained tool for network enumeration and exploitation, building upon CME's strong foundation while introducing new features and improvements. It remains written in Python, leveraging various libraries for its diverse protocol support.

SEE ALSO

crackmapexec(1), impacket(1) (suite of tools, e.g., psexec.py, smbclient.py), smbclient(1), enum4linux(1), nmap(1)
