Fixing NXC Not Showing Passwords During Brute Force Password Sprays

2025-11-06 3 min read Security Tools Password Attacks

Introduction

Password spraying and brute force attacks are staple techniques in penetration testing and offensive security. Tools like NXC (NetExec) streamline these operations, but sometimes critical details like attempted passwords aren’t visible in outputs, hindering analysis and auditing. This post explains why NXC hides passwords during brute force and how to fully reveal them for better operational insight.

If you are hitting this issue, the command output looks like this:

└──╼ $nxc winrm 192.168.198.10 -u ./users.txt -p pw
WINRM       192.168.198.10  5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:lab.local)
WINRM       192.168.198.10  5985   DC01             [-] lab.local\000mav0:********
WINRM       192.168.198.10  5985   DC01             [-] lab.local\1720bra:********
WINRM       192.168.198.10  5985   DC01             [-] lab.local\289CSBgc:********
WINRM       192.168.198.10  5985   DC01             [-] lab.local\37764821:********
WINRM       192.168.198.10  5985   DC01             [-] lab.local\3798:********

As you can see, the password is not visible, and this happens for all protocols.

Why NXC Hides Passwords During Attacks

By default, NXC obfuscates or partially masks passwords in its output to limit exposure of sensitive data. This behavior is intended to reduce accidental leaks in logs and shared reports, especially in environments where password security is paramount. However, for red teams, pentesters, or analysts debugging password sprays, seeing the full attempted password can be crucial. If you cannot see the password, what's the point? :)

Configuring NXC to Reveal Passwords

NXC provides a configuration parameter called reveal_chars_of_pwd to control how many characters of the password are displayed during brute force operations.

Steps

  • Locate your NXC configuration file. Default is ~/.nxc/nxc.conf.
  • Find the reveal_chars_of_pwd setting.
  • Set reveal_chars_of_pwd to a non-zero value:
    • A value of 0 hides all password characters.
    • Any positive integer reveals that number of password characters.
  • To show the entire password, set reveal_chars_of_pwd to a value greater than or equal to the longest password in your wordlist. A very high value (e.g., 100) ensures complete visibility.

Example Command

After fixing the configuration:

$grep reveal ~/.nxc/nxc.conf
reveal_chars_of_pwd = 100
$nxc winrm 192.168.198.10 -u ./users.txt -p pw
WINRM       192.168.198.10  5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:lab.local)
WINRM       192.168.198.10  5985   DC01             [-] lab.local\000mav0:Admin123!
WINRM       192.168.198.10  5985   DC01             [-] lab.local\1720bra:Admin123!
WINRM       192.168.198.10  5985   DC01             [-] lab.local\289CSBgc:Admin123!
WINRM       192.168.198.10  5985   DC01             [-] lab.local\37764821:Admin123!
WINRM       192.168.198.10  5985   DC01             [-] lab.local\3798:Admin123!
WINRM       192.168.198.10  5985   DC01             [-] lab.local\accord6800:Admin123!

This exposes the full password in the output, regardless of its length.

Operational Considerations

While revealing passwords improves auditing and debugging, it introduces risks:

  • Sensitive Data Exposure: Revealed passwords may appear in logs, screenshots, or shared reports.
  • Data Retention: Ensure outputs with full passwords are securely stored and access is restricted.
  • Compliance: Align your usage with organizational security policies.
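One way to handle the exposure risk listed above, as an added example (not from the original post or the NetExec project): a small Python filter that re-masks attempted passwords in saved NXC output before it is shared. The function names are hypothetical, and the sample lines are constructed to follow the output format shown in this post.

```python
import re

# Matches NXC result lines of the shape shown in this post:
#   PROTO  HOST  PORT  NAME  [-] domain\user:password
# The user name ends at the first colon; everything after it is treated as
# secret, because a password may itself contain colons, spaces or parentheses.
CRED_LINE = re.compile(
    r"^(?P<prefix>\S+\s+\S+\s+\d+\s+\S+\s+\[[-+]\]\s+"
    r"[^\\\s]+\\[^:]+:)(?P<secret>.+)$"
)
MASK = "********"  # fixed width, so the password length is not leaked

# Constructed sample input (not real credentials).
SAMPLE = "\n".join((
    r"WINRM  192.168.198.10  5985  DC01  [*] Windows 10 / Server 2019 "
    r"Build 17763 (name:DC01) (domain:lab.local)",
    r"WINRM  192.168.198.10  5985  DC01  [-] lab.local\000mav0:Admin123!",
    r"WINRM  192.168.198.10  5985  DC01  [-] lab.local\1720bra:P@ss:word 1",
    r"WINRM  192.168.198.10  5985  DC01  [-] lab.local\3798:********",
))


def redact_line(line):
    """Return the line with the attempted password replaced by MASK."""
    m = CRED_LINE.match(line)
    if not m:
        return line  # banner or other non-credential line: leave untouched
    return m.group("prefix") + MASK


def redact_output(text):
    """Redact every credential line; return (redacted_text, lines_changed)."""
    out, changed = [], 0
    for line in text.splitlines():
        new = redact_line(line)
        if new != line:
            changed += 1
        out.append(new)
    return "\n".join(out), changed


if __name__ == "__main__":
    redacted, n = redact_output(SAMPLE)
    print(redacted)
    print(f"redacted {n} line(s)")
```

Run it over a copy of the saved output intended for a report and keep the unredacted original in restricted storage.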

Conclusion

Configuring NXC to reveal attempted passwords during brute force and password sprays is straightforward with the reveal_chars_of_pwd parameter. This tweak provides greater transparency and utility for security teams, but demands careful handling of output data. For robust password audit trails and effective troubleshooting, consider adjusting this setting thoughtfully and securely.

Also, note that there are other options in this file worth checking if you want to customize how it works, like changing the famous Pwn3d! or the colors.
