From a4d71044db9ddaab502baab1edc806c592e7d0a6 Mon Sep 17 00:00:00 2001 From: Sidney Sherrill Date: Mon, 23 Mar 2026 11:45:03 -0400 Subject: [PATCH 1/5] added NTLM hash support --- nxcspray | 47 +++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 41 insertions(+), 6 deletions(-) diff --git a/nxcspray b/nxcspray index 1608a59..ea331fb 100644 --- a/nxcspray +++ b/nxcspray @@ -1,15 +1,22 @@ #!/bin/bash +# Spray credentials across NetExec (nxc) protocols. Requires `nxc` on PATH +# (NetExec is commonly installed on Kali and other offensive-security distros). +# # Usage: # nxcspray -u -p +# nxcspray -u -H +# +# Use either -p (password) or -H (NTLM hash), not both. # # Examples: # nxcspray all 10.10.10.10 -u bob -p password -# nxcspray smb,ldap,winrm hosts.txt -u bob -p password +# nxcspray smb,ldap,winrm hosts.txt -u bob -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30a0e5adb2efe0ecd +# nxcspray rdp 10.0.0.5 -u Administrator -H 5fbc3d5fec8206a30a0e5adb2efe0ecd # ---- Argument Validation ---- if [ "$#" -lt 4 ]; then - echo "[-] Usage: $0 -u -p " + echo "[-] Usage: $0 -u (-p | -H )" exit 1 fi @@ -19,11 +26,13 @@ shift 2 USER="" PASS="" +HASH="" -while getopts "u:p:" opt; do +while getopts "u:p:H:" opt; do case $opt in u) USER="$OPTARG" ;; p) PASS="$OPTARG" ;; + H) HASH="$OPTARG" ;; *) echo "[-] Invalid flag" exit 1 @@ -31,11 +40,27 @@ while getopts "u:p:" opt; do esac done -if [ -z "$USER" ] || [ -z "$PASS" ]; then - echo "[-] Missing required flags: -u -p " +if [ -z "$USER" ]; then + echo "[-] Missing required flag: -u " exit 1 fi +if [ -n "$PASS" ] && [ -n "$HASH" ]; then + echo "[-] Use only one of -p or -H , not both" + exit 1 +fi + +if [ -z "$PASS" ] && [ -z "$HASH" ]; then + echo "[-] Missing credentials: provide -p or -H " + exit 1 +fi + +if [ -n "$HASH" ]; then + AUTH_MODE="hash" +else + AUTH_MODE="password" +fi + # ---- Protocol Handling ---- if [ "$PROTOS_RAW" = "all" ]; then PROTO_ARRAY=(smb ldap winrm rdp mssql ssh) @@ -56,6 +81,16 @@ for PROTO in "${PROTO_ARRAY[@]}"; do for TARGET in $TARGETS; do echo " -> Target: $TARGET" - nxc "$PROTO" "$TARGET" -u "$USER" -p "$PASS" + + if [ "$AUTH_MODE" = "hash" ] && [ "$PROTO" = "ssh" ]; then + echo " [!] Skipping: ssh does not use NTLM hash authentication" + continue + fi + + if [ "$AUTH_MODE" = "password" ]; then + nxc "$PROTO" "$TARGET" -u "$USER" -p "$PASS" + else + nxc "$PROTO" "$TARGET" -u "$USER" -H "$HASH" + fi done done From e4500f3ce9714dcb603218c6e4cdfa56f7c85c24 Mon Sep 17 00:00:00 2001 From: Sidney Sherrill Date: Mon, 23 Mar 2026 11:56:19 -0400 Subject: [PATCH 2/5] Update installation and usage instructions in README --- README.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8793f42..6230e75 100644 --- a/README.md +++ b/README.md @@ -6,14 +6,15 @@ Clone this repo or download the script directly. Add the script to /usr/local/bin/ to execute it from anywhere on your machine, or use it in a local directory of your choice. ``` -sudo mv ~/Downloads/nxcspray /usr/local/bin +git clone https://github.com/sidsherrill1/nxcspray.git && cd nxcspray +sudo mv nxcspray /usr/local/bin chmod +x /usr/local/bin/nxcspray ``` # Usage ``` └─$ nxcspray -h -[-] Usage: nxcspray -u -p +[-] Usage: /usr/local/bin/nxcspray -u (-p | -H ) ``` Example Usage @@ -29,3 +30,9 @@ nxcspray all 10.1.45.200 -u e.hills -p 'Il0vemyj0b2025!' ``` image + + +``` +nxcspray smb,ldap,winrm hosts.txt -u bob -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30a0e5adb2efe0ecd +nxcspray rdp 10.0.0.5 -u Administrator -H 5fbc3d5fec8206a30a0e5adb2efe0ecd +``` From 3389f828b8c3a671320a9405d4fcb7ce1d0ded7b Mon Sep 17 00:00:00 2001 From: Sidney Sherrill Date: Thu, 26 Mar 2026 10:46:29 -0400 Subject: [PATCH 3/5] add local auth check --- nxcspray | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/nxcspray b/nxcspray index ea331fb..292eb8a 100644 --- a/nxcspray +++ b/nxcspray @@ -13,6 +13,9 @@ # nxcspray all 10.10.10.10 -u bob -p password # nxcspray smb,ldap,winrm hosts.txt -u bob -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30a0e5adb2efe0ecd # nxcspray rdp 10.0.0.5 -u Administrator -H 5fbc3d5fec8206a30a0e5adb2efe0ecd +# +# Each protocol/target is tried twice: once without nxc's --local-auth, then with +# --local-auth (local account semantics). # ---- Argument Validation ---- if [ "$#" -lt 4 ]; then @@ -87,10 +90,16 @@ for PROTO in "${PROTO_ARRAY[@]}"; do continue fi - if [ "$AUTH_MODE" = "password" ]; then - nxc "$PROTO" "$TARGET" -u "$USER" -p "$PASS" - else - nxc "$PROTO" "$TARGET" -u "$USER" -H "$HASH" - fi + run_nxc() { + if [ "$AUTH_MODE" = "password" ]; then + nxc "$PROTO" "$TARGET" -u "$USER" -p "$PASS" "$@" + else + nxc "$PROTO" "$TARGET" -u "$USER" -H "$HASH" "$@" + fi + } + + run_nxc + echo " -> (local-auth)" + run_nxc --local-auth done done From 735b5a6dbee0143c2deb839fc53bd06425526f39 Mon Sep 17 00:00:00 2001 From: Sidney Sherrill Date: Thu, 26 Mar 2026 10:50:05 -0400 Subject: [PATCH 4/5] fix local auth check --- nxcspray | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/nxcspray b/nxcspray index 292eb8a..8c6ab61 100644 --- a/nxcspray +++ b/nxcspray @@ -14,8 +14,8 @@ # nxcspray smb,ldap,winrm hosts.txt -u bob -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30a0e5adb2efe0ecd # nxcspray rdp 10.0.0.5 -u Administrator -H 5fbc3d5fec8206a30a0e5adb2efe0ecd # -# Each protocol/target is tried twice: once without nxc's --local-auth, then with -# --local-auth (local account semantics). +# Each protocol/target is tried without nxc's --local-auth, then again with +# --local-auth where supported (ldap and ssh omit the second pass). # ---- Argument Validation ---- if [ "$#" -lt 4 ]; then @@ -99,7 +99,9 @@ for PROTO in "${PROTO_ARRAY[@]}"; do } run_nxc - echo " -> (local-auth)" - run_nxc --local-auth + if [ "$PROTO" != "ldap" ] && [ "$PROTO" != "ssh" ]; then + echo " -> (local-auth)" + run_nxc --local-auth + fi done done From 812a4fcfdf2ff07285219233730d2d6cc8261ee5 Mon Sep 17 00:00:00 2001 From: Sidney Sherrill Date: Mon, 30 Mar 2026 12:17:52 -0400 Subject: [PATCH 5/5] add no bruteforce option --- nxcspray | 38 ++++++++++++++++++++++++++++++++------ 1 file changed, 32 insertions(+), 6 deletions(-) diff --git a/nxcspray b/nxcspray index 8c6ab61..e03165d 100644 --- a/nxcspray +++ b/nxcspray @@ -4,22 +4,26 @@ # (NetExec is commonly installed on Kali and other offensive-security distros). # # Usage: -# nxcspray -u -p -# nxcspray -u -H +# nxcspray -u -p [-N|--no-bruteforce] +# nxcspray -u -H [-N|--no-bruteforce] # # Use either -p (password) or -H (NTLM hash), not both. # +# Optional: -N or --no-bruteforce appends nxc's --no-bruteforce to each run (see NetExec +# docs; commonly used with user/password files for one-to-one pairing instead of full combinatorics). +# # Examples: # nxcspray all 10.10.10.10 -u bob -p password # nxcspray smb,ldap,winrm hosts.txt -u bob -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30a0e5adb2efe0ecd # nxcspray rdp 10.0.0.5 -u Administrator -H 5fbc3d5fec8206a30a0e5adb2efe0ecd +# nxcspray smb 10.0.0.5 -u Administrator -p secret --no-bruteforce # # Each protocol/target is tried without nxc's --local-auth, then again with # --local-auth where supported (ldap and ssh omit the second pass). # ---- Argument Validation ---- if [ "$#" -lt 4 ]; then - echo "[-] Usage: $0 -u (-p | -H )" + echo "[-] Usage: $0 -u (-p | -H ) [-N|--no-bruteforce]" exit 1 fi @@ -27,15 +31,32 @@ PROTOS_RAW="$1" TARGETS_RAW="$2" shift 2 +NO_BRUTEFORCE=false +REMAINING=() +while [ $# -gt 0 ]; do + case "$1" in + --no-bruteforce) + NO_BRUTEFORCE=true + shift + ;; + *) + REMAINING+=("$1") + shift + ;; + esac +done +set -- "${REMAINING[@]}" + USER="" PASS="" HASH="" -while getopts "u:p:H:" opt; do +while getopts "u:p:H:N" opt; do case $opt in u) USER="$OPTARG" ;; p) PASS="$OPTARG" ;; H) HASH="$OPTARG" ;; + N) NO_BRUTEFORCE=true ;; *) echo "[-] Invalid flag" exit 1 @@ -43,6 +64,11 @@ while getopts "u:p:H:" opt; do esac done +EXTRA_NXC=() +if [ "$NO_BRUTEFORCE" = true ]; then + EXTRA_NXC+=(--no-bruteforce) +fi + if [ -z "$USER" ]; then echo "[-] Missing required flag: -u " exit 1 @@ -92,9 +118,9 @@ for PROTO in "${PROTO_ARRAY[@]}"; do run_nxc() { if [ "$AUTH_MODE" = "password" ]; then - nxc "$PROTO" "$TARGET" -u "$USER" -p "$PASS" "$@" + nxc "$PROTO" "$TARGET" -u "$USER" -p "$PASS" "${EXTRA_NXC[@]}" "$@" else - nxc "$PROTO" "$TARGET" -u "$USER" -H "$HASH" "$@" + nxc "$PROTO" "$TARGET" -u "$USER" -H "$HASH" "${EXTRA_NXC[@]}" "$@" fi }