"admin privileges on a specific system. For this, we use the --local-auth flag: nxc smb 10.10.10.100 -u 'heldesk' -p 'password123!' --local-auth This checks if the account is valid on the system, and if the account happens to have local admin rights on the target…"
T1110.003 Password Spraying
97%
"aad3b435b51404eeaad3b435b51404ee:008defc8e9f9bfb3ebca2f665d3e36b8' This attempts authentication using the provided NTLM hash instead of with a password. NetExec is incredibly useful for performing password attacks as well. If you have a list of user accounts from a domain, you…"
T1201 Password Policy Discovery
95%
"--users This will authenticate to Active Directory using SMB and return all valid domain user accounts. Note that this will return both enabled and disabled accounts. In the output below, we found 12 user accounts. We can also find the password policy in use on a domain, which …"
T1021.002 SMB/Windows Admin Shares
92%
"- Enumerating shares on remote systems can aid in finding possible vulnerabilities and places of interest. Key Features of NetExec NetExec provides authentication and command execution capabilities over multiple protocols, making it an incredibly versatile tool. These various fun…"
T1135 Network Share Discovery
86%
"options (SMB, LDAP, etc.), there are several modules specific to each protocol. For each protocol you can list the modules using the -L option. For example, we can list all of the modules available for the SMB protocol. nxc smb -L Now that we’ve got basic syntax out of the …"
T1021.002 SMB/Windows Admin Shares
75%
"options (SMB, LDAP, etc.), there are several modules specific to each protocol. For each protocol you can list the modules using the -L option. For example, we can list all of the modules available for the SMB protocol. nxc smb -L Now that we’ve got basic syntax out of the …"
T1098 Account Manipulation
74%
"We can see that we successfully guessed the password (summer2025!) for 2 user accounts. The LDAP option also has some incredibly useful capabilities as well. We previously saw using the SMB option that we can obtain a list of all user accounts. But what if you only want a list …"
T1550.003 Pass the Ticket
68%
"of functions such as validating credentials, enumerating users, executing commands remotely, and exploiting some common misconfigurations against Windows-based systems. While the list below is a small sample of things you can use NetExec for, it is by no means an exhaustive lis…"
T1018 Remote System Discovery
68%
"Getting Started with NetExec: Streamlining Network Discovery and Access Dale spent over 20 years working as an enterprise defender before joining Black Hills Information Security as a penetration tester in …"
T1021.002 SMB/Windows Admin Shares
46%
"…exec, you do need to use an account that has local administrator permissions. With such an account you can run commands on a remote system via SMB. Run the command below to find the members of the local administrators group. (Note the lower case -x): nxc smb 192.168.1.10…"
T1087.002 Domain Account
30%
"could be used to launch further attacks. The attribute that controls this is called the ‘MachineAccountQuota’. Using NetExec’s LDAP option, we can query domain to check what the current MachineAccountQuota is set to. nxc ldap 10.10.10.252 -u 'pippa.adele' -p 'summer2…"
Summary
One tool that I can't live without when performing a penetration test in an Active Directory environment is called NetExec. Being able to efficiently authenticate against multiple systems in the network is crucial, and NetExec is an incredibly powerful tool that helps automate a lot of this activity.