Bash wrapper for NetExec to quickly validate compromised credentials across SMB, WinRM, RDP, MSSQL, and FTP
Running nxc per-protocol manually can be tedious sometimes, especially when you're constantly pivoting from different users. This wrapper pre-validates ports with netcat to see if they're present, then sweeps all relevant services in one go. Built for HTB labs and my OSCP prep to speed up early Windows/AD credentialed enumeration.
It's easily customizable too, you can add LDAP, WMI, or even change up the options to the pre-existing protcols.
- Quick Port Validation: Uses
ncto verify port status before checking the protocol withnxc - Protocol Suite: Automatically sweeps SMB, WinRM, RDP, MSSQL, and FTP
- Versatile Targeting: Seamless use in both Active Directory and standalone Windows environments
- Dynamic Flag Passing: Pass any native, global NetExec flags (e.g.,
--local-auth) directly through the wrapper - Clean Output: Preserves native NetExec color coding for easy readability of
(Pwn3d!)and share permissions
For system-wide accessibility, use this one-liner to download the script, apply execution permissions, and move it into your $PATH:
curl -sSL 'https://raw.githubusercontent.com/corey-farley/nxc-sweep/main/nxc-sweep' -o nxc-sweep && chmod +x nxc-sweep && sudo mv nxc-sweep /usr/local/bin/
nxc-sweep <IP> -u <username> -p <password> [--local-auth]
Example 1:
└─$ nxc-sweep 10.129.34.53 -u 'rose' -p 'KxEPkKe6R8su'
[*] Starting NXC sweep for 10.129.34.53 as rose ...
[+] Port 445 open. Checking smb ...
SMB 10.129.34.53 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.34.53 445 DC01 [+] sequel.htb\rose:KxEPkKe6R8su
SMB 10.129.34.53 445 DC01 [*] Enumerated shares
SMB 10.129.34.53 445 DC01 Share Permissions Remark
SMB 10.129.34.53 445 DC01 ----- ----------- ------
SMB 10.129.34.53 445 DC01 Accounting Department READ
SMB 10.129.34.53 445 DC01 ADMIN$ Remote Admin
SMB 10.129.34.53 445 DC01 C$ Default share
SMB 10.129.34.53 445 DC01 IPC$ READ Remote IPC
SMB 10.129.34.53 445 DC01 NETLOGON READ Logon server share
SMB 10.129.34.53 445 DC01 SYSVOL READ Logon server share
SMB 10.129.34.53 445 DC01 Users READ
[+] Port 5985 open. Checking winrm ...
WINRM 10.129.34.53 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb)
WINRM 10.129.34.53 5985 DC01 [-] sequel.htb\rose:KxEPkKe6R8su
[-] Port 3389 closed/filtered. Skipping rdp
[+] Port 1433 open. Checking mssql ...
MSSQL 10.129.34.53 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb) (EncryptionReq:False)
MSSQL 10.129.34.53 1433 DC01 [+] sequel.htb\rose:KxEPkKe6R8su
MSSQL 10.129.34.53 1433 DC01 name:master
MSSQL 10.129.34.53 1433 DC01 name:tempdb
MSSQL 10.129.34.53 1433 DC01 name:model
MSSQL 10.129.34.53 1433 DC01 name:msdb
[-] Port 21 closed/filtered. Skipping ftp
[*] All active services checked.
Exmaple 2:
└─$ nxc-sweep 10.129.34.51 -u 'craig' -p 'password123' --local-auth
[*] Starting NXC sweep for 10.129.34.51 as craig ...
[+] Port 445 open. Checking smb ...
SMB 10.129.34.51 445 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 x64 (name:SUPPORTDESK) (domain:SUPPORTDESK) (signing:False) (SMBv1:None)
SMB 10.129.34.51 445 SUPPORTDESK [+] SUPPORTDESK\craig:password123
SMB 10.129.34.51 445 SUPPORTDESK [*] Enumerated shares
SMB 10.129.34.51 445 SUPPORTDESK Share Permissions Remark
SMB 10.129.34.51 445 SUPPORTDESK ----- ----------- ------
SMB 10.129.34.51 445 SUPPORTDESK ADMIN$ Remote Admin
SMB 10.129.34.51 445 SUPPORTDESK C$ Default share
SMB 10.129.34.51 445 SUPPORTDESK IPC$ READ Remote IPC
[-] Port 5985 closed/filtered. Skipping winrm
[+] Port 3389 open. Checking rdp ...
RDP 10.129.34.51 3389 SUPPORTDESK [*] Windows 10 / Server 2019 Build 17763 (name:SUPPORTDESK) (domain:SUPPORTDESK)
RDP 10.129.34.51 3389 SUPPORTDESK [+] SUPPORTDESK\craig:password123 (Pwn3d!)
[-] Port 1433 closed/filtered. Skipping mssql
[+] Port 21 open. Checking ftp ...
FTP 10.129.34.51 21 10.129.34.51 [+] craig:password123
FTP 10.129.34.51 21 10.129.34.51 [*] Directory Listing
FTP 10.129.34.51 21 10.129.34.51 10-05-24 09:13AM 952 Backup.psafe3
[*] All active services checked.