domain_users and domain_groups tables.
All results are deduplicated by username + domain. Running multiple sources against the same domain merges data rather than creating duplicate rows.
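One way to implement the username + domain merge rule, as an added example rather than the tool's own code: a SQLite UPSERT over a trimmed domain_users table. The table, column names and the insert_or_update_user name are taken from this page; the merge rules (a known rid is kept, later LDAP fields refresh earlier ones, sources accumulate once each) and the sample rows are assumptions.

```python
import sqlite3
# Trimmed copy of the page's domain_users table; (username, domain) is the dedup key.
SCHEMA = """
CREATE TABLE IF NOT EXISTS domain_users (
    username TEXT NOT NULL, domain TEXT NOT NULL DEFAULT 'UNKNOWN',
    rid INTEGER, source TEXT, last_pw_set TEXT, badpw_count INTEGER, description TEXT,
    discovered_at TEXT NOT NULL DEFAULT (datetime('now')), PRIMARY KEY (username, domain)
);
"""
# Merge rules (assumed): a known rid is kept, later LDAP fields refresh earlier ones,
# and `source` lists each distinct discovery source once (e.g. 'RID Brute, LDAP').
UPSERT = """
INSERT INTO domain_users (username, domain, rid, source, last_pw_set, badpw_count, description)
VALUES (:username, :domain, :rid, :source, :last_pw_set, :badpw_count, :description)
ON CONFLICT(username, domain) DO UPDATE SET
    rid         = COALESCE(domain_users.rid, excluded.rid),
    last_pw_set = COALESCE(excluded.last_pw_set, domain_users.last_pw_set),
    badpw_count = COALESCE(excluded.badpw_count, domain_users.badpw_count),
    description = COALESCE(excluded.description, domain_users.description),
    source = CASE
        WHEN excluded.source IS NULL THEN domain_users.source
        WHEN domain_users.source IS NULL THEN excluded.source
        WHEN instr(', ' || domain_users.source || ', ', ', ' || excluded.source || ', ') > 0 THEN domain_users.source
        ELSE domain_users.source || ', ' || excluded.source
    END
"""
def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def insert_or_update_user(conn, username, domain="UNKNOWN", source=None, rid=None,
                          last_pw_set=None, badpw_count=None, description=None):
    conn.execute(UPSERT, dict(username=username, domain=domain, source=source, rid=rid,
                              last_pw_set=last_pw_set, badpw_count=badpw_count, description=description))
    conn.commit()

def get_user(conn, username, domain):
    return conn.execute("SELECT rid, source, last_pw_set, badpw_count, description FROM domain_users "
                        "WHERE username = ? AND domain = ?", (username, domain)).fetchone()

def demo():
    conn = open_db()
    # Constructed sample: RID brute sees the account first, a users export adds LDAP fields,
    # and a repeated export must neither duplicate the row nor repeat the source tag.
    insert_or_update_user(conn, "j.doe", "CORP", source="RID Brute", rid=1105)
    insert_or_update_user(conn, "j.doe", "CORP", source="LDAP", last_pw_set="2024-03-01 09:12:44",
                          badpw_count=0, description="Helpdesk")
    insert_or_update_user(conn, "j.doe", "CORP", source="LDAP", badpw_count=2)
    return conn
```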
RID brute
Enumerate domain user accounts by cycling Security Identifier (SID) RIDs over SMB. The technique needs only low privileges: a valid username and password to bind the SMB session, not domain admin rights.
Endpoint: POST /api/users/rid-brute
Under the hood: Runs netexec smb <target> -u <user> -p <pass> --rid-brute. Discovered users and groups are parsed from the output and inserted into the database via insert_or_update_user and insert_or_update_group with source RID Brute.
Request body:
Response: scan_id and output_file path. The scan runs as a background task with a 300-second timeout. Check DATA → Scan History for completion status.
Output file: recon/ridbrute_<timestamp>.txt
RID brute runs asynchronously. A response of status: success means the task was started, not completed. The scan history entry transitions from running to completed when finished.
Users export
Export the full domain user list using netexec's --users flag. Returns username, last password set date, bad password count, and description for each account.
Endpoint: POST /api/users/export
Under the hood: Runs netexec smb <target> -u <user> -p <pass> --users. Output is saved to recon/nxc-users.txt and parsed into domain_users with source LDAP.
Request body:
Response fields: username, domain, last_pw_set, badpw_count, description.
Output file: recon/nxc-users.txt
Local groups
Enumerate local group membership on a target host via SMB.
Endpoint: POST /api/groups/export
Under the hood: Runs netexec smb <target> -u <user> -p <pass> --local-groups. Results are parsed with parse_netexec_users_groups and stored in domain_groups with source Local Groups.
Request body:
Output file: recon/groups.txt
ldapnomnom
Background LDAP username brute-forcing using the ldapnomnom tool. The scan runs a two-step process:
DC discovery: Runs ldapnomnom --dump --dnsdomain <domain> to discover all domain controllers and saves them to recon/rootDSEs.json.
Endpoint: POST /api/users/ldapnomnom
Request body:
| Field | Default | Description |
|---|---|---|
| domain | Auto-detected from network info | Target domain DNS name |
| wordlist | /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt | Path to username wordlist |
| maxservers | 32 | Maximum number of DC connections |
| parallel | 16 | Number of parallel requests per server |
Status endpoint: GET /api/users/ldapnomnom/status/{task_id}
Use the task_id returned from the start request to poll for completion. Possible status values: running, completed, timeout, error.
Wordlist upload
Upload a custom wordlist to use with ldapnomnom.
Endpoint: POST /api/users/ldapnomnom/upload-wordlist
Send the file as multipart/form-data with the field name wordlist_file. The file is saved to wordlists/<filename> and the full path is returned for use in the start request.
Password recon
A four-module sweep for credentials stored insecurely in LDAP attributes or SYSVOL Group Policy Preferences (GPP).
Endpoint: POST /api/passwords/extract
Request body:
Modules:
userPassword — Cleartext LDAP passwords. Runs netexec ldap -M get-userPassword. Searches for accounts with the userPassword attribute set in LDAP, which can contain cleartext credentials.
unixUserPassword — Unix LDAP passwords. Runs netexec ldap -M get-unixUserPassword. Searches for the unixUserPassword attribute, commonly set on accounts configured for Unix/Linux authentication.
gpp — GPP passwords from SYSVOL. Runs netexec smb --share=SYSVOL -M gpp_password. Searches Group Policy Preference XML files for credentials stored with the well-known AES key, which Microsoft published.
gpp_autologin — GPP auto-login credentials. Runs netexec smb --share=SYSVOL -M gpp_autologin. Searches GPP XML files for auto-logon passwords configured via Group Policy.
The two LDAP modules (userPassword and unixUserPassword) are combined into a single netexec command when both are selected. GPP modules run as separate SMB commands. All output is appended to recon/nxc-passwords.txt.
Output file: recon/nxc-passwords.txt
Export and data management
| Endpoint | Description |
|---|---|
| GET /api/users/export-txt | Writes recon/users.txt with one username per line; returns the file path |
| GET /api/groups/export-txt | Writes recon/groups.txt with one group name per line; returns the file path |
| GET /api/users | Returns all users from the domain_users table |
| GET /api/groups | Returns all groups from the domain_groups table |
| POST /api/users/bulk-delete | Bulk delete users by {username, domain} pairs |
| POST /api/groups/bulk-delete | Bulk delete groups by {group_name, domain} pairs |
Database schema
domain_users table:
| Column | Description |
|---|---|
| username | Account name |
| domain | Domain, or UNKNOWN if not resolved |
| rid | Relative Identifier (from RID brute) |
| source | Discovery source: RID Brute, LDAP, ldapnomnom |
| enabled | Account enabled status (when available) |
| last_pw_set | Last password set timestamp |
| badpw_count | Bad password attempt count |
| description | Account description field |
| discovered_at | Timestamp of first discovery |
domain_groups table:
| Column | Description |
|---|---|
| group_name | Group name |
| domain | Domain, or LOCAL for local groups |
| rid | Relative Identifier |
| source | Discovery source: RID Brute, Local Groups |
| discovered_at | Timestamp of first discovery |