diff --git a/README.md b/README.md
index 8793f42..6230e75 100644
--- a/README.md
+++ b/README.md
@@ -6,14 +6,15 @@ Clone this repo or download the script directly. Add the script to /usr/local/bin/ to execute it from anywhere on your machine, or use it in a local directory of your choice.
 ```
-sudo mv ~/Downloads/nxcspray /usr/local/bin
+git clone https://github.com/sidsherrill1/nxcspray.git && cd nxcspray
+sudo mv nxcspray /usr/local/bin
 chmod +x /usr/local/bin/nxcspray
 ```
 # Usage
 ```
 └─$ nxcspray -h
-[-] Usage: nxcspray -u -p
+[-] Usage: /usr/local/bin/nxcspray -u (-p | -H )
 ```
 Example Usage
@@ -29,3 +30,9 @@ nxcspray all 10.1.45.200 -u e.hills -p 'Il0vemyj0b2025!'
 ```
 image
+
+
+```
+nxcspray smb,ldap,winrm hosts.txt -u bob -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30a0e5adb2efe0ecd
+nxcspray rdp 10.0.0.5 -u Administrator -H 5fbc3d5fec8206a30a0e5adb2efe0ecd
+```
diff --git a/nxcspray b/nxcspray
index 1608a59..e03165d 100644
--- a/nxcspray
+++ b/nxcspray
@@ -1,15 +1,29 @@
 #!/bin/bash
+# Spray credentials across NetExec (nxc) protocols. Requires `nxc` on PATH
+# (NetExec is commonly installed on Kali and other offensive-security distros).
+#
 # Usage:
-# nxcspray -u -p
+# nxcspray -u -p [-N|--no-bruteforce]
+# nxcspray -u -H [-N|--no-bruteforce]
+#
+# Use either -p (password) or -H (NTLM hash), not both.
+#
+# Optional: -N or --no-bruteforce appends nxc's --no-bruteforce to each run (see NetExec
+# docs; commonly used with user/password files for one-to-one pairing instead of full combinatorics).
 #
 # Examples:
 # nxcspray all 10.10.10.10 -u bob -p password
-# nxcspray smb,ldap,winrm hosts.txt -u bob -p password
+# nxcspray smb,ldap,winrm hosts.txt -u bob -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30a0e5adb2efe0ecd
+# nxcspray rdp 10.0.0.5 -u Administrator -H 5fbc3d5fec8206a30a0e5adb2efe0ecd
+# nxcspray smb 10.0.0.5 -u Administrator -p secret --no-bruteforce
+#
+# Each protocol/target is tried without nxc's --local-auth, then again with
+# --local-auth where supported (ldap and ssh omit the second pass).
 # ---- Argument Validation ----
 if [ "$#" -lt 4 ]; then
- echo "[-] Usage: $0 -u -p "
+ echo "[-] Usage: $0 -u (-p | -H ) [-N|--no-bruteforce]"
 exit 1
 fi
@@ -17,13 +31,32 @@ PROTOS_RAW="$1"
 TARGETS_RAW="$2"
 shift 2
+NO_BRUTEFORCE=false
+REMAINING=()
+while [ $# -gt 0 ]; do
+ case "$1" in
+ --no-bruteforce)
+ NO_BRUTEFORCE=true
+ shift
+ ;;
+ *)
+ REMAINING+=("$1")
+ shift
+ ;;
+ esac
+done
+set -- "${REMAINING[@]}"
+
 USER=""
 PASS=""
+HASH=""
-while getopts "u:p:" opt; do
+while getopts "u:p:H:N" opt; do
 case $opt in
 u) USER="$OPTARG" ;;
 p) PASS="$OPTARG" ;;
+ H) HASH="$OPTARG" ;;
+ N) NO_BRUTEFORCE=true ;;
 *)
 echo "[-] Invalid flag"
 exit 1
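Review bot: The new header documents `-p` and `-H` but does not say that their values travel on the command line, where they are recorded in shell history and readable in the process list for this script and for every `nxc` child it starts. A line in the header would cover it: `# Note: -p/-H values are visible in shell history and in ps output; prefer a file argument where nxc accepts one.` The header only mentions user/password files, so whether `-H` also takes a file path should be confirmed against the NetExec documentation before wording it that way. The usage `echo` further down in the same hunk prints to stdout; appending `>&2` would keep it out of captured output.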
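Review bot: The pre-pass in the second hunk removes `--no-bruteforce` wherever it appears, including the position where `-u`, `-p` or `-H` expects its value, so `getopts` then pairs that option with whatever word follows. It is also a second parsing loop sitting in front of `getopts`, which already handles `-N`. If the long form is kept, a comment above the loop would make the limitation explicit, for example `# --no-bruteforce is stripped from any position before getopts runs; it cannot appear as an option value`. The `getopts` loop continues past the end of this hunk.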
@@ -31,11 +64,32 @@ while getopts "u:p:" opt; do
 esac
 done
-if [ -z "$USER" ] || [ -z "$PASS" ]; then
- echo "[-] Missing required flags: -u -p "
+EXTRA_NXC=()
+if [ "$NO_BRUTEFORCE" = true ]; then
+ EXTRA_NXC+=(--no-bruteforce)
+fi
+
+if [ -z "$USER" ]; then
+ echo "[-] Missing required flag: -u "
 exit 1
 fi
+if [ -n "$PASS" ] && [ -n "$HASH" ]; then
+ echo "[-] Use only one of -p or -H , not both"
+ exit 1
+fi
+
+if [ -z "$PASS" ] && [ -z "$HASH" ]; then
+ echo "[-] Missing credentials: provide -p or -H "
+ exit 1
+fi
+
+if [ -n "$HASH" ]; then
+ AUTH_MODE="hash"
+else
+ AUTH_MODE="password"
+fi
+
 # ---- Protocol Handling ----
 if [ "$PROTOS_RAW" = "all" ]; then
 PROTO_ARRAY=(smb ldap winrm rdp mssql ssh)
@@ -56,6 +110,24 @@ for PROTO in "${PROTO_ARRAY[@]}"; do
 for TARGET in $TARGETS; do
 echo " -> Target: $TARGET"
- nxc "$PROTO" "$TARGET" -u "$USER" -p "$PASS"
+
+ if [ "$AUTH_MODE" = "hash" ] && [ "$PROTO" = "ssh" ]; then
+ echo " [!] Skipping: ssh does not use NTLM hash authentication"
+ continue
+ fi
+
+ run_nxc() {
+ if [ "$AUTH_MODE" = "password" ]; then
+ nxc "$PROTO" "$TARGET" -u "$USER" -p "$PASS" "${EXTRA_NXC[@]}" "$@"
+ else
+ nxc "$PROTO" "$TARGET" -u "$USER" -H "$HASH" "${EXTRA_NXC[@]}" "$@"
+ fi
+ }
+
+ run_nxc
+ if [ "$PROTO" != "ldap" ] && [ "$PROTO" != "ssh" ]; then
+ echo " -> (local-auth)"
+ run_nxc --local-auth
+ fi
 done
 done
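Review bot: Words left over after option parsing are never checked: the `getopts` loop closes at the `done` at the top of the first hunk here and the new validation follows it with no `shift $((OPTIND - 1))` or leftover test in the visible lines. An unquoted value containing a space is therefore cut to its first word without any error, and the run proceeds with a credential the operator did not intend. Adding `shift $((OPTIND - 1))` and `[ "$#" -eq 0 ] || { echo "[-] Unexpected argument: $1" >&2; exit 1; }` right after that `done` rejects such input before anything is sent. The loop itself opens outside this hunk.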
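Review bot: `run_nxc` is defined inside the inner `for TARGET` loop of the last hunk, so it is redefined on every iteration and reads `PROTO` and `TARGET` as globals. Defining it once above the loops and passing protocol and target as arguments makes the two call sites self-describing and collapses the duplicated `nxc` line into one. Both `for` loops open before this hunk, so the definition would move to a point outside it. The exit status of each `nxc` run is also discarded; if that is intended, a short comment saying so would help.

```shell
# … placed once, above the `for PROTO` loop …
run_nxc() {
  local proto=$1 target=$2
  shift 2
  local -a cred
  if [ "$AUTH_MODE" = "hash" ]; then
    cred=(-H "$HASH")
  else
    cred=(-p "$PASS")
  fi
  nxc "$proto" "$target" -u "$USER" "${cred[@]}" "${EXTRA_NXC[@]}" "$@"
}

# … unchanged: ssh/hash skip …
    run_nxc "$PROTO" "$TARGET"
# … unchanged: ldap/ssh test and "(local-auth)" echo …
      run_nxc "$PROTO" "$TARGET" --local-auth
```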