Credential Dumping, Domain Credential, Red Teaming

Credential Dumping with NetExec (nxc)

In modern enterprise environments, Active Directory credentials are the ultimate prize for attackers. Whether you’re a red teamer, penetration tester, or adversary simulation professional, gaining access to credentials is essential for privilege escalation, lateral movement, and persistence. But how do attackers actually collect these credentials in real-world scenarios? Enter NetExec (nxc), a powerful, modern post-exploitation framework and the advanced successor to CrackMapExec. NetExec is built to automate and streamline credential dumping, making it one of the most effective tools for red teams and security professionals working in Windows and Active Directory environments.

What Is NetExec (nxc)?

NetExec is a post-exploitation Swiss Army knife designed for internal network operations. With extensive support for SMB, WinRM, and other protocols, it allows attackers to gather credentials from multiple sources including:

  • LSASS memory (plaintext passwords and NTLM hashes)
  • Windows registry and Winlogon keys
  • Browsers, Wi-Fi profiles, and SSH clients
  • LAPS-managed passwords and NTDS.dit database
  • gMSA (Group Managed Service Accounts) secrets
  • Third-party tools like PuTTY, mRemoteNG, and Notepad++

In this hands-on guide, we walk through a step-by-step red team simulation using NetExec over SMB to demonstrate how attackers collect credentials from a misconfigured Active Directory environment. Each step represents a real-world tactic commonly seen in offensive security operations.

Why This Matters for Red and Blue Teams

For red teamers, this guide shows how NetExec can be weaponized to identify and exploit weak configurations within minutes, simulating the realistic post-exploitation behavior that adversaries use daily.

For blue team defenders and SOC analysts, it highlights critical detection opportunities and misconfiguration pitfalls that often go unnoticed, including:

  • Stored credentials in plain text
  • Misused service accounts
  • Poor Wi-Fi and registry hygiene
  • Over-permissive user group memberships (e.g., Backup Operators)

Table of Contents

  • Dump Local SAM Hashes
  • Test Hash as Login Credential
  • Extract LSA Secrets
  • Retrieve Winlogon Registration Data
  • Dump DPAPI Password Credentials
  • Extract Credentials from LSASS via lsassy
  • Dumping LSASS Memory with nanodump Module
  • Extracting Stored Credentials from mRemoteNG Configuration
  • Retrieve PuTTY Private Key Files
  • Extract Notepad++ Session Logs
  • Retrieve PowerShell Command History
  • Extract WinSCP Configuration Files
  • Dumping VNC Passwords
  • Extract Wi-Fi Profiles/PSKs as Administrator
  • Dumping Backup Operators Permission
  • Dumping NTDS.dit Using an Authenticated User
  • Extract gMSA Credentials
  • Retrieve LAPS Password via NetExec (nxc)
  • Mitigation

Ready to unlock the next level of password dumping? Let’s dive into NXC SMB post-access enumeration, leveraging NetExec to dump credentials in multiple ways.

Dump Local SAM Hashes

nxc smb 192.168.1.80 -u ieuser -p 123 --sam

This command instructs nxc to authenticate to the target system over SMB and extract NTLM password hashes from the local SAM database, which stores credentials for local user accounts.

Why This Matters:

Accessing SAM hashes enables attackers to crack passwords offline, perform Pass-the-Hash attacks across systems with shared local accounts, and maintain persistence by manipulating or recreating local users.

Test Hash as Login Credential

impacket-psexec ieuser@192.168.1.80 -hashes :3dbde697d71690a769204beb12283678

The command remotely executes actions using the captured NTLM hash, validating the stolen credentials and enabling lateral movement and privilege escalation across the network.

Extract LSA Secrets

LSA secrets are highly valuable in post-exploitation, as they store credentials, service account secrets, and decryption keys for other sensitive data. In enterprise networks, these secrets play a crucial role in enabling lateral movement between machines and services.

nxc smb 192.168.1.80 -u ieuser -p 123 --lsa

This command retrieves LSA secrets, such as cached credentials and service keys, which hold long-lived credentials and encrypted service account passwords useful for persistent access.

Retrieve Winlogon Registration Data

nxc smb 192.168.1.80 -u ieuser -p 123 -M reg-winlogon

This command leverages NetExec’s reg-winlogon module to query the registry keys in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, which control automatic logins in Windows. Key values like AutoAdminLogon, DefaultUsername, and DefaultPassword can store credentials in plaintext, making them a valuable target for credential harvesting, especially in misconfigured environments where automatic login is enabled.

Dump DPAPI Password Credentials

DPAPI (Data Protection API) is a Windows feature that securely stores user secrets like web credentials, browser passwords, Outlook, RDP, WiFi, and cached domain credentials, encrypting them with user-specific keys stored locally.

nxc smb 192.168.1.80 -u ieuser -p 123 --dpapi

This command retrieves passwords protected by DPAPI, which can serve as a vector for privilege escalation and credential reuse on systems with weak credential management.

This reveals:

  • Windows Credential Manager dump (raj:Password@1)
  • Facebook login recovered from Microsoft Edge
  • LinkedIn password recovered from Firefox

Note: This is a post-exploitation goldmine, allowing lateral movement, credential chaining, and account hijacking across services.

Extract Credentials from LSASS via lsassy

nxc smb 192.168.1.80 -u ieuser -p 123 -M lsassy

This command uses NetExec’s lsassy module to extract credentials directly from LSASS (Local Security Authority Subsystem Service), a critical Windows process managing logins and sensitive data like password hashes and Kerberos tickets. It automates credential dumping using methods such as Procdump via SMB, Comsvcs.dll injection, and MiniDumpWriteDump APIs.

Why It Matters:

LSASS stores sensitive data in memory, including NTLM hashes, clear-text passwords (if WDigest is enabled), Kerberos tickets, and cached credentials. Dumping this information grants attackers valuable post-exploitation access, particularly if domain admins or other privileged users are logged in.

Dumping LSASS Memory with nanodump Module

nxc smb 192.168.1.80 -u ieuser -p 123 -M nanodump

This command uses NetExec’s nanodump module to remotely dump LSASS contents using the NanoDump tool, a modern, stealthy LSASS dumper designed to bypass security measures like Windows Defender, Anti-malware Scan Interface (AMSI), and LSASS access restrictions. It employs SMB to deliver and execute NanoDump, capture LSASS memory, and store the dump file locally.

Why It’s Effective:

NanoDump is highly effective in credential harvesting because it bypasses detection from AV/EDR systems, avoids access restrictions, and produces a clean .dmp file for offline analysis, making it a more stealthy and reliable method compared to older tools.
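As a detection counterpart to the lsassy and nanodump sections above, the following added Python example (not part of the original article or of NetExec) flags Sysmon Event ID 10 records in which a process obtains a memory-capable handle to lsass.exe; the allowlist and the sample events are constructed assumptions, to be replaced with your own baseline.

```python
"""Detect handle opens on lsass.exe that request memory access, from Sysmon Event ID 10
(ProcessAccess) records. Sample events are constructed, not real telemetry."""
from dataclasses import dataclass

# Access-mask bits an LSASS dumper needs (procdump, comsvcs MiniDump and nanodump all read memory)
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
MEMORY_ACCESS = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

# Illustrative allowlist (assumption): processes that legitimately open LSASS with memory
# access on many hosts. Build this from your own baseline, not from this list.
KNOWN_READERS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

@dataclass
class ProcessAccess:
    """The Sysmon Event ID 10 fields this check uses."""
    source_image: str
    target_image: str
    granted_access: str  # hex string exactly as Sysmon logs it, e.g. "0x1010"

def is_suspicious(ev: ProcessAccess) -> bool:
    """True when a non-allowlisted process gets a memory-capable handle to lsass.exe."""
    if not ev.target_image.lower().endswith(r"\lsass.exe"):
        return False
    if ev.source_image.lower() in KNOWN_READERS:
        return False
    return bool(int(ev.granted_access, 16) & MEMORY_ACCESS)

def find_lsass_dumpers(events) -> list:
    """Source images that should be triaged, in log order."""
    return [ev.source_image for ev in events if is_suspicious(ev)]

LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [  # constructed Sysmon 10 records
    ProcessAccess(r"C:\Windows\System32\csrss.exe", LSASS, "0x1fffff"),   # allowlisted system process
    ProcessAccess(r"C:\Windows\Temp\procdump64.exe", LSASS, "0x1fffff"),  # full access from a dropped tool
    ProcessAccess(r"C:\Windows\System32\rundll32.exe", LSASS, "0x1410"),  # QUERY_INFO|VM_READ, comsvcs-style
    ProcessAccess(r"C:\Windows\System32\svchost.exe", LSASS, "0x1000"),   # QUERY_LIMITED_INFORMATION only
    ProcessAccess(r"C:\Windows\System32\taskmgr.exe", r"C:\Windows\System32\services.exe", "0x1010"),
]

if __name__ == "__main__":
    for src in find_lsass_dumpers(SAMPLE_EVENTS):
        print("ALERT: memory-capable handle to lsass.exe from", src)
```

Feed it the SourceImage, TargetImage and GrantedAccess fields of your own Sysmon 10 events; the 0x1000-only handle shows why the check keys on memory-access bits rather than on any access to LSASS.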

Extracting Stored Credentials from mRemoteNG Configuration

nxc smb 192.168.1.80 -u ieuser -p 123 -M mremoteng

This command targets the mRemoteNG application, a remote connection manager commonly used by sysadmins. The NetExec mremoteng module searches for configuration files like confCons.xml, decrypts stored credentials using known static keys, and displays them in cleartext for further use.

Why It’s Effective:

Admins often store high-privilege credentials or reuse passwords in remote session managers for convenience. If mRemoteNG is found, the dumped credentials could include Domain Admins, service accounts, or other privileged users, enabling immediate lateral movement via WinRM, RDP, or SSH.

Retrieve PuTTY Private Key Files

nxc smb 192.168.1.80 -u ieuser -p 123 -M putty

This command uses NetExec’s putty module to locate and extract SSH private keys stored by PuTTY, a popular SSH client for Windows. It searches both the Windows registry (HKCU\Software\SimonTatham\PuTTY\Sessions) and disk files (commonly in .ppk format), retrieving saved hostnames, usernames, and private keys (either encrypted or plain).

Why It’s Effective:

Admins often use PuTTY to manage Linux servers or network devices, and private keys may be stored with weak or no passphrases. If SSH keys are reused across different environments, this allows attackers to gain SSH-level access without needing a password.

View the Dumped Key Locally

cat 'putty_IEUser_UbuntuKey_2025-05-22_175949.sec'

Displays the extracted private key or passphrase information. Test the extracted SSH keys on accessible targets using ssh -i for Linux or tools like Plink or WinSCP for Windows.

Extract Notepad++ Session Logs

nxc smb 192.168.1.80 -u ieuser -p 123 -M notepad++

This command uses NetExec’s notepad++ module to locate session data, configuration files, or backups saved by Notepad++, a popular text editor. While Notepad++ isn’t designed for credential storage, its autosave feature may inadvertently retain passwords in scripts, open files with sensitive data, or even clipboard history.

Why This Matters:

Developers, sysadmins, or red teamers may temporarily store secrets in Notepad++ while working. Session recovery or backup files can persist even after the editor is closed and can be accessed via SMB if you have proper credentials and share access.

Note: This step enhances reconnaissance in the credential harvesting process, and while not always successful, it can uncover valuable assets such as access tokens, database connection strings, and SSH or admin credentials embedded in plaintext scripts.

Retrieve PowerShell Command History

nxc smb 192.168.1.80 -u ieuser -p 123 -M powershell_history

This command uses the powershell_history module in NetExec to retrieve and analyze PowerShell command logs from a target user’s system.

By default, PowerShell stores command history in:

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Why This Is Valuable

Attackers, admins, or developers frequently run credential-related commands in PowerShell, such as net use commands with hardcoded passwords, AD enumeration tools with -Credential arguments, or commands like Set-ADAccountPassword and New-ADUser. If not cleared, these commands are logged and can be retrieved to gain access to sensitive information.

Note: PowerShell history can expose plaintext credentials or system details, enhancing post-exploitation by enabling lateral movement or privilege escalation based on user activity.

Extract WinSCP Configuration Files

nxc smb 192.168.1.80 -u ieuser -p 123 -M winscp

This command uses NetExec’s winscp module to extract saved WinSCP site profiles, which may include remote hostnames, usernames, passwords (in plaintext or Base64), and SSH keys, stored either in the WinSCP.ini file or the Windows Registry, potentially allowing attackers to access FTP/SFTP/SSH targets, extract data, or deploy payloads.

Dumping VNC Passwords

nxc smb 192.168.1.80 -u ieuser -p 123 -M vnc

This command uses NetExec’s vnc module to search for stored VNC credentials on the target machine, scanning common registry keys or configuration files where VNC clients (like UltraVNC, RealVNC, and TightVNC) often store access passwords, which may be poorly encrypted or even in plaintext. It looks in locations like:

  • HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Password
  • HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver

NetExec attempts to decode any found credentials.

Why This Is Important:

VNC provides remote desktop access, and if passwords are extracted from the registry or config files, attackers can access systems without needing valid user credentials. These passwords are often reused across multiple systems, enabling lateral movement and maintaining persistence on the network.

Note: Harvesting VNC credentials lets attackers bypass Windows authentication, often found in exposed legacy systems or unmanaged remote support setups.

Extracting Wi-Fi Credentials

nxc smb 192.168.1.46 -u administrator -p 123 -M wifi

This command uses NetExec’s wifi module to extract stored Wi-Fi credentials (SSIDs and PSKs) from a target Windows machine by querying PowerShell or reading registry paths, allowing attackers to reach internal networks, pivot into insecure Wi-Fi zones, and reuse the credentials elsewhere.

Dumping Backup Operators Permission

nxc smb 192.168.1.53 -u raj -p Password@1 -M backup_operator

This command uses NetExec’s -M backup_operator module to check whether a user (e.g., raj) is a member of the Backup Operators group. It also checks whether that user can read sensitive files, such as SAM, SYSTEM, SECURITY, and NTDS.dit, which are typically restricted to administrators.

Why This Matters:

Backup Operators have the ability to bypass file system permissions for backup and restore operations. Even without admin rights, a user in this group can:

  • Extract the NTDS.dit database
  • Access SAM and SYSTEM hives
  • Bypass certain system protections

This makes a low-privilege user in the Backup Operators group a significant domain takeover vector.

Note: Backup Operators are a high-risk group in misconfigured AD setups and should be treated as privileged, with regular membership audits.

Dumping NTDS.dit Using an Authenticated User

nxc smb 192.168.1.53 -u yashika -p Password@1 --ntds

This command uses NetExec to dump the NTDS.dit file. This file contains critical Active Directory data such as usernames, NTLM password hashes, group memberships, and domain trust details. NetExec automates the process by using Volume Shadow Copy and exporting the SYSTEM hive to decrypt the hashes.

Why This Matters:

NTDS.dit is essential for attackers in a Windows domain. Extracting it allows for offline cracking of domain hashes, Pass-the-hash attacks, and provides full control over all domain users, including administrators and service accounts, making it a key step in red team operations or APT engagements.

Note: The NTDS.dit dump enables domain-wide credential exfiltration, allowing attackers to crack weak hashes, reuse them in Pass-the-Hash attacks, or forge Golden Tickets with krbtgt credentials.

Extract gMSA Credentials

nxc smb 192.168.1.53 -u komal -p Passwor@1 --gmsa

This command uses NetExec to enumerate Group Managed Service Accounts (gMSAs) from Active Directory, retrieving their account names, Kerberos keys (plaintext or hashes), and related metadata if permissions allow.

Why This Matters:

Dumping a gMSA’s secret lets attackers impersonate the account, gain lateral movement, and authenticate to services like MSSQL or IIS for further internal attacks.

Retrieve LAPS Password via NetExec (nxc)

nxc smb 192.168.1.53 -u komal -p Passwor@1 -M laps

This command uses NetExec’s -M laps module to target Microsoft LAPS (Local Administrator Password Solution), which stores unique local admin passwords in Active Directory. Specifically, it attempts to query the ms-Mcs-AdmPwd attribute of computer accounts to retrieve the current local admin password.

Why This Matters:

If successful, it provides local admin access to target machines using their LAPS-managed password. It enables privilege escalation and lateral movement across the network via SMB, PSExec, WinRM, etc., effectively granting full control over the machine.

Would you like to learn more about credential dumping? Please see the information provided here.

Mitigation

  • Segregate SMB access: Especially remote registry and file share access for low-privilege accounts.
  • Monitor access: Alert on LSA, SAM, or registry accesses via SMB.
  • Limit stored credentials: Encourage disabling auto-login and removing saved sessions in apps.
  • Restrict roles: Minimize Backup Operator and gMSA membership.
  • Validate file access: Detect unusual WinSCP, PuTTY, VNC config access patterns.
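To make the "Monitor access" and "Validate file access" items concrete, this added Python example (not from the original article or from NetExec) screens Windows Security Event ID 5145 (Detailed File Share) records for reads, over the C$ and ADMIN$ shares, of the credential-bearing files the modules above collect, and flags a source that touches several kinds in a row; the reduced record format and the sample events are constructed.

```python
"""Flag SMB admin-share reads of credential-bearing files in Windows Security Event ID 5145
("Detailed File Share") records. Sample events are constructed, not real telemetry."""
import fnmatch
import re
from collections import defaultdict

ADMIN_SHARES = {"c$", "admin$"}
# Artefact kinds the nxc modules above read, as lowercase glob patterns on RelativeTargetName
SENSITIVE = {
    "sam-hive":        ["windows/system32/config/sam", "windows/system32/config/system"],
    "ntds":            ["*/ntds.dit"],
    "mremoteng":       ["*/mremoteng/confcons.xml"],
    "winscp":          ["*/winscp.ini"],
    "putty-key":       ["*.ppk"],
    "powershell-hist": ["*/psreadline/consolehost_history.txt"],
}
# Constructed 5145 records reduced to the fields used here (one record per line)
SAMPLE_5145 = r"""
SubjectUserName=ieuser IpAddress=192.168.1.10 ShareName=\\*\C$ RelativeTargetName=Windows\System32\config\SAM AccessMask=0x120089
SubjectUserName=ieuser IpAddress=192.168.1.10 ShareName=\\*\C$ RelativeTargetName=Users\IEUser\AppData\Roaming\mRemoteNG\confCons.xml AccessMask=0x120089
SubjectUserName=ieuser IpAddress=192.168.1.10 ShareName=\\*\C$ RelativeTargetName=Users\IEUser\AppData\Roaming\WinSCP.ini AccessMask=0x120089
SubjectUserName=raj IpAddress=192.168.1.22 ShareName=\\*\Public RelativeTargetName=Docs\notes.txt AccessMask=0x120089
SubjectUserName=backupsvc IpAddress=192.168.1.5 ShareName=\\*\C$ RelativeTargetName=Users\admin\.ssh\UbuntuKey.ppk AccessMask=0x120089
"""

def parse_5145(line: str) -> dict:
    """key=value pairs -> dict (values in this reduced format contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def classify(relative_target: str):
    """Return the artefact kind a RelativeTargetName belongs to, or None."""
    path = relative_target.replace("\\", "/").lower()
    for label, patterns in SENSITIVE.items():
        if any(fnmatch.fnmatchcase(path, p) for p in patterns):
            return label
    return None

def harvesting_sources(log_text: str, threshold: int = 2) -> dict:
    """Map (user, ip) -> sorted artefact kinds read over C$/ADMIN$, keeping only sources that
    touched at least `threshold` distinct kinds: one read may be an admin at work, several
    kinds from one source in a row looks like an automated credential sweep."""
    seen = defaultdict(set)
    for line in log_text.strip().splitlines():
        ev = parse_5145(line)
        share = ev["ShareName"].rsplit("\\", 1)[-1].lower()
        label = classify(ev["RelativeTargetName"]) if share in ADMIN_SHARES else None
        if label:
            seen[(ev["SubjectUserName"], ev["IpAddress"])].add(label)
    return {src: sorted(kinds) for src, kinds in seen.items() if len(kinds) >= threshold}

if __name__ == "__main__":
    for (user, ip), kinds in harvesting_sources(SAMPLE_5145).items():
        print(f"ALERT: {user}@{ip} read {', '.join(kinds)} over an admin share")
```

Lower the threshold to 1 where a single read of SAM or NTDS.dit over an admin share is already out of policy; the 5145 audit subcategory must be enabled on the file servers and domain controllers for these records to exist at all.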

Author: MD Aslam drives security excellence and mentors teams to strengthen security across products, networks, and organizations as a dynamic Information Security leader. Contact here