6 Powerful Things You Can Do with nxc [formerly CrackMapExec]

Pentesting tools have come a long way, and nxc (formerly known as CrackMapExec) remains a favorite among cybersecurity professionals. Its versatility makes it ideal for network reconnaissance, exploitation, and Active Directory attacks. If you're new to nxc or want to maximize its potential, here are six powerful ways you can use it during pentests.
Some of these techniques may or may not work, depending on what permissions the user has and whether the port is open. This is something to keep in mind.
1. Network Sweeping
Network sweeping helps identify active hosts on a network, providing a quick overview of which machines are running SMB services. Use this command to scan an entire subnet:
nxc smb [NETWORK_CIDR]
This simple scan gives you visibility into SMB-enabled hosts, setting the stage for further probing.
2. Password Spraying (Spray and Pray)
For environments where you have a list of potential users, password spraying is an effective technique. Use nxc to test a common password across all users and keep going even on successful attempts:
nxc smb [TARGET_IP] -u listusers -p welcome2019 --continue-on-success
This allows for more effective brute-forcing by targeting weak or reused passwords.
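From the defender's side, a spray like this appears as one source failing logons against many distinct accounts in a short window, sometimes with a success mixed in. The following is an added example (not from the original article) that flags that pattern in constructed Windows logon records; the tuple layout, thresholds, and sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, event_id, source_ip, target_user).
# 4625 = failed logon, 4624 = successful logon (Windows Security log).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", 4625, "10.0.0.50", "alice"),
    ("2024-05-01T09:00:02", 4625, "10.0.0.50", "bob"),
    ("2024-05-01T09:00:03", 4625, "10.0.0.50", "carol"),
    ("2024-05-01T09:00:04", 4624, "10.0.0.50", "dave"),
    ("2024-05-01T09:00:05", 4625, "10.0.0.50", "erin"),
    ("2024-05-01T09:00:06", 4625, "10.0.0.50", "frank"),
    # One user mistyping a password: many failures, one account, not a spray.
    ("2024-05-01T09:10:00", 4625, "10.0.0.77", "grace"),
    ("2024-05-01T09:10:05", 4625, "10.0.0.77", "grace"),
    ("2024-05-01T09:10:09", 4625, "10.0.0.77", "grace"),
    ("2024-05-01T09:10:15", 4624, "10.0.0.77", "grace"),
]

def detect_spray(events, min_users=5, window=timedelta(minutes=5)):
    """Return {source_ip: {"failed_users": set, "succeeded_users": set}} for
    sources that failed logons against >= min_users distinct accounts
    inside one sliding time window."""
    by_source = defaultdict(list)
    for ts, event_id, src, user in events:
        by_source[src].append((datetime.fromisoformat(ts), event_id, user.lower()))

    alerts = {}
    for src, rows in by_source.items():
        rows.sort()
        failures = [(t, u) for t, eid, u in rows if eid == 4625]
        start = 0
        for end in range(len(failures)):
            # Shrink the window from the left until it spans <= `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            users = {u for _, u in failures[start:end + 1]}
            if len(users) >= min_users:
                # Successes from the same source around the spray are the
                # accounts whose passwords need resetting first.
                lo, hi = failures[start][0], failures[end][0] + window
                hits = {u for t, eid, u in rows if eid == 4624 and lo <= t <= hi}
                entry = alerts.setdefault(src, {"failed_users": set(), "succeeded_users": set()})
                entry["failed_users"] |= users
                entry["succeeded_users"] |= hits
    return alerts

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_EVENTS).items():
        print(src, sorted(info["failed_users"]), "-> reset:", sorted(info["succeeded_users"]))
```

Counting distinct accounts rather than raw failures is what separates a spray from a single user mistyping a password, and it also catches sprays paced to stay under a per-account lockout threshold.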
3. Find Valid Users
nxc can enumerate user accounts on a specific host, providing a list of users you can target with password attacks or other tactics. This command reveals valid accounts, which can be a big win in a pentest:
nxc smb [TARGET_IP] --users
4. BloodHound AD Data Collection
BloodHound is a powerful tool for mapping Active Directory (AD) environments, and nxc makes gathering the data a breeze. Collect information to analyze for lateral movement or privilege escalation opportunities:
nxc ldap [DOMAIN_CONTROLLER_IP] -u john -p Password123 --bloodhound --collection ALL --dns-server [DNS_SERVER_IP]