Enumeration
Enumeration via SMB
Enumeration on NetExec
Host Enumeration
Returns a list of live hosts
nxc smb 192.168.1.0/24
Null Sessions
Check whether null sessions are enabled on the network. This can be very useful on a Domain Controller to enumerate users, groups, the password policy, etc.
nxc smb 10.10.10.161 -u '' -p ''
nxc smb 10.10.10.161 -u '' -p '' --shares (Shares enumeration)
nxc smb 10.10.10.161 -u '' -p '' --pass-pol (Password policy enumeration)
nxc smb 10.10.10.161 -u '' -p '' --users (User enumeration)
nxc smb 10.10.10.161 -u '' -p '' --groups (Group enumeration)
You can also reproduce this behavior with smbclient or rpcclient
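For the defending side, the null-session checks above show up as anonymous network logons in the Windows Security log. The following is an added example, not part of the NetExec documentation: it flags a source address that opens anonymous logons on several hosts in a short time. It assumes event 4624 records exported as dictionaries with the fields EventID, TimeCreated, Computer, LogonType, TargetUserSid and IpAddress; the helper names, thresholds and sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ANONYMOUS_SID = "S-1-5-7"  # well-known SID of ANONYMOUS LOGON (null session)

def ev(time, computer, sid, ip, logon_type=3):
    """Build one constructed record shaped like an exported Security event 4624."""
    return {"EventID": 4624, "TimeCreated": time, "Computer": computer,
            "LogonType": logon_type, "TargetUserSid": sid, "IpAddress": ip}

# Constructed sample data, not taken from a real network.
EVENTS = [
    ev("2024-05-01T10:00:01", "DC01", ANONYMOUS_SID, "10.0.0.50"),
    ev("2024-05-01T10:00:03", "FS01", ANONYMOUS_SID, "10.0.0.50"),
    ev("2024-05-01T10:00:04", "WS07", ANONYMOUS_SID, "10.0.0.50"),
    ev("2024-05-01T10:00:05", "WS08", "S-1-5-21-1-2-3-1104", "10.0.0.50"),  # named user, ignored
    ev("2024-05-01T09:00:00", "DC01", ANONYMOUS_SID, "10.0.0.9"),
    ev("2024-05-01T11:00:00", "FS01", ANONYMOUS_SID, "10.0.0.9"),
    ev("2024-05-01T13:00:00", "WS07", ANONYMOUS_SID, "10.0.0.9"),
]

def anonymous_sweeps(events, window=timedelta(minutes=5), min_hosts=3):
    """Map source IP -> hosts for sources that opened anonymous network logons
    (4624, LogonType 3, SID S-1-5-7) on >= min_hosts computers within `window`."""
    by_src = defaultdict(list)
    for e in events:
        if (e["EventID"], e["LogonType"], e["TargetUserSid"]) == (4624, 3, ANONYMOUS_SID):
            by_src[e["IpAddress"]].append((datetime.fromisoformat(e["TimeCreated"]), e["Computer"]))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window forward
                start += 1
            hosts = {host for _, host in hits[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[src] = sorted(hosts | set(flagged.get(src, [])))
    return flagged

if __name__ == "__main__":
    for src, hosts in anonymous_sweeps(EVENTS).items():
        print(f"{src}: anonymous logons on {len(hosts)} hosts: {', '.join(hosts)}")
```

Anonymous logon events also occur during normal operation, so the result is a triage list to review rather than a verdict.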
Anonymous Logon
Using a random username and password, you can check whether the target accepts anonymous/guest logon
You can also check this behavior with smbclient or rpcclient
Host Enumeration with SMB signing not required
Maps the live hosts on the network and saves a list of only the hosts that don't require SMB signing. The list format is one IP per line
Alternative with nmap
Active Sessions
Enumerate active sessions on the remote target
Shares and Access enumeration
Enumerate permissions on all shares
If you want to filter only by readable or writable share
Disk Enumeration
Enumerate disks on the remote target
Logged on Users Enumeration
Enumerate logged-on users on the remote target
Domain Users Enumeration
Enumerate domain users on the remote target
RID Bruteforce
Enumerate users by bruteforcing the RID on the remote target
Domain Groups Enumeration
Enumerate domain groups on the remote target
Local Groups Enumeration
Enumerate local groups on the remote target
Domain Password Policy Enumeration
Using the option --pass-pol you can get the password policy of the domain
Anti-Virus & EDR Enumeration
Enumerate antivirus installed using NetExec
You don't need to be a privileged user to do this action