LinuxCommandLibrary

nxc-winrm

Execute commands on Windows machines via WinRM

TLDR

Search for valid credentials by trying out every combination in the specified lists of [u]sernames and [p]asswords

$ nxc winrm [192.168.178.2] -u [path/to/usernames.txt] -p [path/to/passwords.txt]

Specify the domain to authenticate to (avoids an initial SMB connection)

$ nxc winrm [192.168.178.2] -u [username] -p [password] -d [domain_name]

Execute the specified command on the host

$ nxc winrm [192.168.178.2] -u [username] -p [password] -x [whoami]

Execute the specified PowerShell command on the host as administrator using LAPS

$ nxc winrm [192.168.178.2] -u [username] -p [password] --laps -X [whoami]

SYNOPSIS

nxc-winrm [options]

PARAMETERS

--help
    Show program's help message and exit.

-t
    Target(s) to attack. Can be a single IP/hostname, CIDR range, or a file containing a list of targets.

-u
    Username for authentication.

-p
    Password for authentication.

-H
    NTLM hash for authentication (instead of password).

--port
    WinRM port (default: 5985 for HTTP, 5986 for HTTPS).

--transport
    WinRM transport protocol (http or https, default: http).

-c
    Command to execute on the target(s).

-x