LinuxCommandLibrary

nxc-ssh

Execute commands across multiple SSH hosts simultaneously

TLDR

Spray the specified password against a list of usernames on the specified target

$ nxc ssh [192.168.178.2] [[-u|--username]] [path/to/usernames.txt] [[-p|--password]] [password]

Search for valid credentials by trying out every combination in the specified lists of usernames and passwords
$ nxc ssh [192.168.178.2] [[-u|--username]] [path/to/usernames.txt] [[-p|--password]] [path/to/passwords.txt]

Use the specified private key for authentication, using the supplied password as the key's passphrase
$ nxc ssh [192.168.178.2] [[-u|--username]] [path/to/usernames.txt] [[-p|--password]] [password] --key-file [path/to/id_rsa]

Try a combination of username and password on a number of targets
$ nxc ssh [192.168.178.0/24] [[-u|--username]] [username] [[-p|--password]] [password]

Check for sudo privileges on a successful login
$ nxc ssh [192.168.178.2] [[-u|--username]] [username] [[-p|--password]] [path/to/passwords.txt] --sudo-check

SYNOPSIS

nxc ssh <target(s)> [options]

Examples:
  nxc ssh 192.168.1.10 -u admin -p password
  nxc ssh 192.168.1.0/24 --user-file users.txt --pass-file passwords.txt
  nxc ssh servers.txt --key-file ~/.ssh/id_rsa -x "uname -a"

PARAMETERS

<target(s)>
    Specifies the target(s) for the SSH module. This can be a single IP address, a CIDR range (e.g., 192.168.1.0/24), a hostname, or a path to a file containing a list of targets.

-u <USERNAME>, --username <USERNAME>
    Provides a single username for authentication. Can be combined with a single password or a password file.

-p <PASSWORD>, --password <PASSWORD>
    Provides a single password for authentication. Can be combined with a single username or a username file.

--user-file <FILE>
    Path to a file containing a list of usernames, one per line. Used for password spraying or bruteforcing.

--pass-file <FILE>
    Path to a file containing a list of passwords, one per line. Used for password spraying or bruteforcing.

--key-file <FILE>
    Path to an SSH private key file for key-based authentication. Can be used instead of or in conjunction with username/password.

-M <MODULE_NAME>, --module <MODULE_NAME>
    Specifies an SSH module to run after successful authentication. Modules perform various post-exploitation tasks (e.g., 'enum_sudo', 'get_users').

-x <COMMAND>, --execute <COMMAND>
    Executes a shell command on the target system upon successful authentication. The command output will be displayed.

--port <PORT>
    Specifies a custom SSH port to connect to, if it's not the default (22).

--no-bruteforce
    Skips the bruteforce process if credentials are provided via -u/-p or files. Only attempts the specified credentials.

--threads <THREADS>
    Sets the number of concurrent threads to use, affecting the speed of scanning and attacks. Default is often 10.

--timeout <SECONDS>
    Sets a timeout for connection attempts in seconds.

--verbose
    Enables verbose output, providing more detailed information about the scanning and attack process.

DESCRIPTION

nxc-ssh is the SSH protocol module of the powerful NetExec (nxc) framework, a successor to CrackMapExec (CME). It's designed for efficient network reconnaissance, authentication testing, and post-exploitation against SSH services.

nxc-ssh facilitates tasks such as password spraying, bruteforcing credentials, enumerating users, and executing arbitrary commands on targeted Linux/Unix systems. It supports various authentication methods including username/password pairs, password lists, username lists, and SSH private keys. Its modular design allows users to leverage specific functionalities for tasks like privilege escalation enumeration or data collection.

This tool is widely used by penetration testers and red teamers to automate aspects of their assessments.

CAVEATS

Using nxc-ssh for unauthorized access is illegal and unethical. Ensure you have explicit permission before using this tool against any system you do not own or are not authorized to test. It can be noisy on the network, potentially triggering intrusion detection systems (IDS) or logging mechanisms. Network connectivity issues, firewalls, and SSH server configurations (e.g., rate limiting, strict modes) can prevent successful operations.
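
The logging footprint mentioned above is what defenders key on: one source failing password logins for many different accounts in a short span. The following is an added example, not part of nxc or of the original page, that flags that pattern in OpenSSH auth log lines; the sample lines, function names, thresholds and the assumed year are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog format (documentation addresses).
SAMPLE_LOG = """\
Mar 10 14:02:01 web01 sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Mar 10 14:02:02 web01 sshd[2103]: Failed password for root from 192.0.2.10 port 40114 ssh2
Mar 10 14:02:03 web01 sshd[2105]: Failed password for invalid user oracle from 192.0.2.10 port 40116 ssh2
Mar 10 14:02:04 web01 sshd[2107]: Failed password for deploy from 192.0.2.10 port 40118 ssh2
Mar 10 14:02:05 web01 sshd[2109]: Accepted password for backup from 192.0.2.10 port 40120 ssh2
Mar 10 14:05:40 web01 sshd[2140]: Failed password for alice from 198.51.100.7 port 51800 ssh2
Mar 10 14:06:10 web01 sshd[2144]: Accepted password for alice from 198.51.100.7 port 51802 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse(log_text, year=2024):
    """Yield (time, result, user, ip); syslog lacks a year, so one is assumed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_spraying(log_text, min_users=4, window=timedelta(minutes=5)):
    """Flag source IPs failing logins for >= min_users distinct accounts in the window."""
    by_ip = defaultdict(list)
    for event in parse(log_text):
        by_ip[event[3]].append(event)
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [(t, u) for t, r, u, _ in events if r == "Failed"]
        for start, _ in fails:
            users = {u for t, u in fails if start <= t <= start + window}
            if len(users) >= min_users:
                # A success from this source at or after the burst needs triage.
                hits = sorted({u for t, r, u, _ in events if r == "Accepted" and t >= start})
                alerts[ip] = {"users_tried": sorted(users), "accepted": hits}
                break
    return alerts

if __name__ == "__main__":
    for ip, info in detect_spraying(SAMPLE_LOG).items():
        print(ip, info)
```

A single mistyped password followed by a success (the 198.51.100.7 lines) stays below the threshold and is not flagged.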

USING MODULES AND COMMAND EXECUTION

nxc-ssh offers a flexible way to extend its functionality through modules. These modules, specified with the -M or --module flag, can perform various post-authentication tasks, such as enumerating sudo privileges ('enum_sudo') or extracting system information ('get_users').

Additionally, the -x or --execute flag allows for direct execution of shell commands on the target system upon successful authentication, making it a powerful tool for rapid command execution during an engagement. This is often used to confirm access, gather quick intelligence, or deploy further tools.

HISTORY

NetExec (nxc) is the actively maintained successor to CrackMapExec (CME). CME was originally developed by @byt3bl33d3r and gained significant popularity for its comprehensive post-exploitation capabilities, primarily targeting Windows SMB and other services. Over time, the community-driven NetExec project emerged, continuing the development, adding new features, improving performance, and expanding protocol support, including a robust SSH module, addressing the evolving needs of network security assessments.

SEE ALSO

netexec(1), crackmapexec(1), ssh(1), sshd(8), nmap(1), hydra(1)
