LinuxCommandLibrary

nxc-winrm

Execute commands on Windows machines via WinRM

TLDR

Search for valid credentials by trying out every combination in the specified lists of usernames and passwords

$ nxc winrm [192.168.178.2] [[-u|--username]] [path/to/usernames.txt] [[-p|--password]] [path/to/passwords.txt]

Specify the domain to authenticate to (avoids an initial SMB connection)
$ nxc winrm [192.168.178.2] [[-u|--username]] [username] [[-p|--password]] [password] -d [domain_name]

Execute the specified command on the host
$ nxc winrm [192.168.178.2] [[-u|--username]] [username] [[-p|--password]] [password] -x [whoami]

Execute the specified PowerShell command on the host as administrator using LAPS
$ nxc winrm [192.168.178.2] [[-u|--username]] [username] [[-p|--password]] [password] --laps -X [whoami]

SYNOPSIS

nxc-winrm <target(s)> [options]

Examples:

nxc-winrm 192.168.1.10 -u user -p 'Password123!' -M whoami
nxc-winrm 192.168.1.0/24 --users users.txt --passwords passwords.txt --local-auth
nxc-winrm targets.txt -u administrator --hash AAD3B435B51404EEAAD3B435B51404EE:C234F0C0F7604F43F96248C5B3208754 --execute-powershell 'Invoke-Mimikatz'
nxc-winrm 10.0.0.0/16 -M enum_logged_on_users --port 5986 --ssl

PARAMETERS

<target(s)>
    Specify the target(s) as IP addresses, hostnames, IP ranges (e.g., 192.168.1.0/24), or a file containing targets (e.g., targets.txt).

-u, --username
    Specify the username to authenticate with.

-p, --password
    Specify the password for authentication. Can be an empty string for blank password, or ' ' to prompt.

--hash
    Specify the NTLM hash for authentication (LM:NT format). Example: AAD3B435B51404EEAAD3B435B51404EE:C234F0C0F7604F43F96248C5B3208754.

--aesKey
    Specify the Kerberos AES key for authentication (hex string).

-d, --domain
    Specify the domain name for authentication. Defaults to the target's domain.

--local-auth
    Forces authentication against the local machine's SAM database, useful for standalone hosts or local user accounts.

--no-pass
    Attempts authentication with a blank password for the specified username.

-M, --module
    Load and execute a specific WinRM module (e.g., 'whoami', 'enum_logged_on_users', 'powershell_execute').

--list-modules
    List all available WinRM modules and their descriptions.

--execute
    Execute a raw command on the target system via WinRM. Output is returned.

--execute-powershell
    Execute a PowerShell command/script on the target system via WinRM. Output is returned.

--port
    Specify an alternative WinRM port (default is 5985 for HTTP, 5986 for HTTPS).

--ssl
    Force SSL connection for WinRM (usually on port 5986).

--timeout
    Set the connection timeout in seconds (default is 10).

--verbose
    Show verbose output, displaying more details about the operations.

--debug
    Show debug output, useful for troubleshooting connection or module issues.

--no-color
    Disable colored output.

DESCRIPTION

nxc-winrm is a specialized module within the NetExec framework, designed for interacting with the Windows Remote Management (WinRM) service. WinRM is Microsoft's implementation of WS-Management, enabling remote administration of Windows systems.

This command allows security professionals and system administrators to enumerate, authenticate, and execute commands or modules against one or more Windows targets over the WinRM protocol. It supports various authentication methods, including plaintext credentials, NTLM hashes, and Kerberos.

Its primary use cases include: discovering active WinRM services on a network range; testing user credentials (bruteforcing or spraying) against WinRM; enumerating system information (e.g., local users, groups, installed applications); executing arbitrary commands or PowerShell scripts on remote hosts; and leveraging built-in modules for common post-exploitation tasks, such as dumping SAM/LSA hashes, creating services, or retrieving network information.

nxc-winrm streamlines lateral movement and post-exploitation activities in Windows environments, particularly within Active Directory domains, by providing a robust and flexible interface to WinRM.
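The credential-testing use case above has a matching detection side. As an added example (not from this page or from NetExec), the Python script below scans authentication records for one source trying many distinct usernames on the WinRM ports 5985/5986 within a short window, and lists any successful logon inside that burst. The record format and sample lines are constructed for the example.

```python
"""Flag password-spray patterns against WinRM listeners (ports 5985/5986).
Added example, not from the nxc-winrm page or NetExec; the record format and
sample lines are constructed here, so adapt parse() to your own event source."""
from collections import defaultdict
from datetime import datetime, timedelta

WINRM_PORTS = {5985, 5986}  # HTTP and HTTPS listeners named on the page
# Constructed sample records: "<ISO time> <src_ip> <dst_port> <user> <result>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 192.168.178.50 5985 alice FAIL
2024-05-01T10:00:02 192.168.178.50 5985 bob FAIL
2024-05-01T10:00:03 192.168.178.50 5985 carol FAIL
2024-05-01T10:00:04 192.168.178.50 5985 dave FAIL
2024-05-01T10:00:05 192.168.178.50 5985 frank SUCCESS
2024-05-01T10:05:00 192.168.178.51 5986 alice SUCCESS
2024-05-01T10:06:00 192.168.178.52 22 root FAIL
"""

def parse(log_text):
    """Turn the constructed text format into (time, src, port, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, src, port, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, int(port), user, result))
    return events

def detect_spray(events, window=timedelta(minutes=2), min_users=5):
    """Return {src_ip: summary} for sources that try >= min_users distinct
    usernames on a WinRM port within `window`. The summary also lists any
    successful logons inside that burst, which is where triage should start."""
    by_src = defaultdict(list)
    for ts, src, port, user, result in events:
        if port in WINRM_PORTS:  # ignore non-WinRM traffic such as SSH
            by_src[src].append((ts, user, result))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):  # slide the window over each start
            burst = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in burst}
            if len(users) >= min_users:
                alerts[src] = {
                    "distinct_users": len(users),
                    "successes": sorted(u for _, u, r in burst if r == "SUCCESS"),
                }
                break  # one alert per source is enough
    return alerts

if __name__ == "__main__":
    print(detect_spray(parse(SAMPLE_LOG)))
```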

CAVEATS

nxc-winrm relies on the WinRM service being active and configured on the target Windows system, which is not always the default.
Firewall rules on the target or network can block WinRM ports (5985/TCP for HTTP, 5986/TCP for HTTPS).
User Account Control (UAC) on newer Windows versions can restrict administrative actions, even with valid credentials, if the user is not the built-in Administrator.
Antivirus and EDR solutions may detect and block malicious activities initiated via WinRM, particularly PowerShell executions or module payloads.
Authentication issues can arise from incorrect domain/workgroup settings or network time synchronization problems for Kerberos.

DEFAULT PORTS

WinRM typically operates on port 5985/TCP for HTTP and 5986/TCP for HTTPS. nxc-winrm defaults to 5985 but can be explicitly told to use SSL on 5986 with the --ssl flag.

MODULES

nxc-winrm's power is significantly extended by its modular architecture. Users can leverage existing modules (e.g., whoami, enum_logged_on_users, powershell_execute) or develop custom ones to perform specific enumeration, exploitation, or post-exploitation tasks. Modules are loaded using the -M or --module option.

HISTORY

NetExec (nxc) is the spiritual successor and rebranded version of CrackMapExec (CME), a widely used penetration testing tool. CME was originally developed by @byt3bl33d3r and gained significant popularity for its effectiveness in Active Directory enumeration and lateral movement.

The project was forked and rebranded to NetExec to address maintenance challenges, introduce new features, improve code quality, and expand its capabilities beyond its initial SMB focus. nxc-winrm represents the continued development of robust WinRM interaction functionalities within this powerful framework.

SEE ALSO

nxc(1), crackmapexec(1), smbclient(1), rpcclient(1), enum4linux(1)
